Lee, John (Sydney)
2008-May-15 08:17 UTC
[asterisk-users] Newbie Asterisk: Install Asterisk as non-root
I was following the instructions on http://www.voip-info.org/wiki-Asterisk+non-root to re-install my Asterisk as non-root when I had the following questions/issues:

1) "Use your system's preferred method of adding a new user. Examples:
Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060 asterisk"
### Why did we have to choose uid as 5060?
### In fact, do you need to specify the uid at all?

2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf):
astrundir => /var/run/asterisk
Recompile and reinstall Asterisk."
### Seems a bit strange to modify this before you recompile.
### As it turns out, the reinstall did not change the astrundir variable.
### You have to manually modify it if this modification is actually required.

3) "Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap."
### There is actually no README.udev file in the zaptel source.
### Do I need to worry about this if "uname -r" returns 2.6.18-8.el5?
### What actually is udev?

4) "Asterisk needs read permission for these directories and their contents:
/etc/asterisk.
chown --recursive root:asterisk /etc/asterisk"
### root is not in group asterisk.
### All the while, the instructions have been saying to create a user asterisk under group asterisk.
### Does it mean to put root into group asterisk as well???
### Or should it be "chown --recursive asterisk:asterisk /etc/asterisk"?

5) Another article says that running as non-root will prevent ToS being used.
What is ToS? Do I need to be concerned?

Any thoughts?
Philipp Kempgen
2008-May-15 09:01 UTC
[asterisk-users] Newbie Asterisk: Install Asterisk as non-root
Lee, John (Sydney) wrote:
> I was following the instructions on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:
>
> 1) "Use your system's preferred method of adding a new user. Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060 asterisk"
> ### Why did we have to choose uid as 5060?
> ### In fact, do you need to specify the uid at all?

If you don't care: no.

> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf):
> astrundir => /var/run/asterisk
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable.
> ### You have to manually modify it if this modification is actually required.

Why should /etc/asterisk/asterisk.conf have any influence on the compilation?

> 3) "Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap."
> ### There is actually no README.udev file in the zaptel source.
> ### Do I need to worry about this if "uname -r" returns 2.6.18-8.el5?
> ### What actually is udev?

http://en.wikipedia.org/wiki/Udev
http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html

> 4) "Asterisk needs read permission for these directories and their contents:
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk.
> ### All the while, the instructions have been saying to create a user asterisk under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk /etc/asterisk"?

Probably.

> 5) Another article says that running as non-root will prevent ToS being used.
> What is ToS? Do I need to be concerned?

http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/DiffServ_Code_Point

> Any thoughts?

When I last thought about it Asterisk was not really ready to be run as non-root. Maybe it is now.

Regards,
Philipp Kempgen

--
Asterisk-Tag.org 2008, 26-27 May -> http://www.asterisk-tag.org
amooma GmbH - Bachstr. 126 - 56566 Neuwied -> http://www.amooma.de
Managing Director: Stefan Wintermeyer, Commercial Register: Neuwied B14998
Alan Lord
2008-May-15 10:12 UTC
[asterisk-users] Newbie Asterisk: Install Asterisk as non-root
Lee, John (Sydney) wrote:
> I was following the instructions on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:
>
> 1) "Use your system's preferred method of adding a new user. Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060 asterisk"
> ### Why did we have to choose uid as 5060?
> ### In fact, do you need to specify the uid at all?

Nope - the UID doesn't matter, but it is general practice to keep system (application) UIDs below 100 or 1000 and "normal" users above. So I'd use a number below 100 or 1000 depending on your Linux distro's standard.

> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf):
> astrundir => /var/run/asterisk
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable.
> ### You have to manually modify it if this modification is actually required.

That won't affect compilation whatsoever.

> 3) "Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap."
> ### There is actually no README.udev file in the zaptel source.
> ### Do I need to worry about this if "uname -r" returns 2.6.18-8.el5?
> ### What actually is udev?

udev helps Linux to dynamically create/remove the interfaces to various hardware devices and so forth. After installing the zaptel module you'll see a udev rules file "zaptel.rules" in your etc/udev configuration area. It doesn't take a genius to work out if or how you need to change anything in that file...

> 4) "Asterisk needs read permission for these directories and their contents:
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk.
> ### All the while, the instructions have been saying to create a user asterisk under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk /etc/asterisk"?

There is reason behind this. It is possibly more secure to make the "owner" root and just allow group access by asterisk. Setting the files as above permits read/write only by the user root and read only by members of the group asterisk.

> 5) Another article says that running as non-root will prevent ToS being used.
> What is ToS? Do I need to be concerned?

http://en.wikipedia.org/wiki/Type_of_Service. Why you can't use this as non-root I do not understand...

> Any thoughts?

I wrote up my solution for building and running asterisk as non-root here:
http://www.theopensourcerer.com/2007/10/30/untangle-asterisk-pbx-and-file-server-all-in-one-part-7/

I have read somewhere that voicemail.conf needs to be writeable by Asterisk so users can change their vmailbox passwords. I haven't confirmed this but I set voicemail.conf to be writeable by group asterisk just in case.

Hope this helps.

Al

--
The way out is open!
http://www.theopensourcerer.com
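The ownership model Alan describes (root owns the config tree, group asterisk gets read access only, voicemail.conf additionally group-writable) is easy to state and easy to get subtly wrong, for example by leaving a world-readable sip.conf behind. The script below is an added example, not code from the thread or from the voip-info page: it applies that model to a directory and then audits the tree for anything readable or writable by "other" or group-writable outside the one allowed exception. It runs on a constructed temporary tree so it works without root or an existing asterisk group; the chown step assumes the group exists as the wiki instructs and is skipped if it does not.

```shell
#!/bin/sh
# Added example (not from the thread). Applies the root:asterisk permission
# model to a config tree and audits it. The sample tree is constructed here.

# Build a small sample config tree with one deliberately sloppy file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    printf '[general]\n' > "$d/sip.conf"
    printf '[default]\n' > "$d/voicemail.conf"
    printf 'PRIVATE KEY PLACEHOLDER\n' > "$d/keys/asterisk.key"
    chmod 666 "$d/sip.conf"        # world-writable: the audit must flag this
    printf '%s\n' "$d"
}

# Apply the model: directories 750, files 640, voicemail.conf 660.
# chown only succeeds as root when group "asterisk" exists (assumption:
# the admin created it as the wiki page says); otherwise it is skipped.
apply_config_perms() {
    dir=$1
    chown -R root:asterisk "$dir" 2>/dev/null || true
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    if [ -f "$dir/voicemail.conf" ]; then
        chmod 660 "$dir/voicemail.conf"
    fi
}

# Audit: list anything with an "other" bit set (octal /007) and anything
# group-writable (octal /020) except voicemail.conf. Returns 0 when clean.
audit_config_perms() {
    dir=$1
    world=$(find "$dir" -perm /007)
    groupw=$(find "$dir" ! -name voicemail.conf -perm /020)
    if [ -z "$world" ] && [ -z "$groupw" ]; then
        return 0
    fi
    [ -n "$world" ] && printf 'world-accessible:\n%s\n' "$world"
    [ -n "$groupw" ] && printf 'group-writable:\n%s\n' "$groupw"
    return 1
}

# Demo (sh script.sh --demo): audit fails, apply the model, audit is clean.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_config_perms "$tree" || echo "before: problems found"
    apply_config_perms "$tree"
    audit_config_perms "$tree" && echo "after: clean"
    rm -rf "$tree"
fi
```

Point `audit_config_perms` at the real /etc/asterisk after a non-root install; a non-empty report means either the model was not applied or a package upgrade has reset modes, which is the same kind of silent regression the udev discussion describes for /dev/zap.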
Tzafrir Cohen
2008-May-15 10:30 UTC
[asterisk-users] Newbie Asterisk: Install Asterisk as non-root
On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney) wrote:
> I was following the instructions on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:

For those wondering what the fuss is all about, look at what he was actually referring to:
http://www.voip-info.org/wiki/page_history.php?page_id=745&preview=40

> 1) "Use your system's preferred method of adding a new user. Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060 asterisk"
> ### Why did we have to choose uid as 5060?
> ### In fact, do you need to specify the uid at all?

Right. No need.

> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf):
> astrundir => /var/run/asterisk
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable.
> ### You have to manually modify it if this modification is actually required.

This was not written clearly. I put there a separate case for Asterisk >= 1.4. Did it require a rebuild on 1.2?

TODO: update on the vanishing /var/run/asterisk at boot on a certain distribution.

> 3) "Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap."
> ### There is actually no README.udev file in the zaptel source.
> ### Do I need to worry about this if "uname -r" returns 2.6.18-8.el5?
> ### What actually is udev?

I see that this is not documented anywhere, actually.

Zaptel now (as of around 1.4.8, I believe) creates udev rules that set the username of the device to Asterisk. Some distributions (Gentoo and Debian) replace that with a rule that sets the group to "dialout" (hence the need to add Asterisk to the group 'dialout').

> 4) "Asterisk needs read permission for these directories and their contents:
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk.

root can read/write everything anyway, regardless of ownership.

> ### All the while, the instructions have been saying to create a user asterisk under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk /etc/asterisk"?

You can. But it will simply be pointless.

> 5) Another article says that running as non-root will prevent ToS being used.
> What is ToS? Do I need to be concerned?

Does anybody want to write something about this? I recall a change in that area in recent Asterisk 1.4-s.

Does Asterisk actually break with SELinux enabled? Why?

--
Tzafrir Cohen         icq#16849755          jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
James Sneeringer
2008-May-15 15:57 UTC
[asterisk-users] Newbie Asterisk: Install Asterisk as non-root
On Thu, May 15, 2008 at 5:30 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
> On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney) wrote:
>>
>> 5) Another article says that running as non-root will prevent ToS being
>> used. What is ToS? Do I need to be concerned?
>
> Anybody wants to write something about this?
> I recall a change in that area in recent Asterisk 1.4-s.

ToS is supported when running non-root on Linux by using kernel capabilities. On Ubuntu, the libcap-dev package is required for this. It provides libcap.{a,so} and sys/capability.h, which the Asterisk configure script will check for before you compile.

You can check to see whether your binary is linked against libcap using the ldd command:

$ ldd /usr/sbin/asterisk
        linux-gate.so.1 =>  (0xffffe000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fd9000)
        libcap.so.1 => /lib/libcap.so.1 (0xb7fd5000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fc2000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f81000)
        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7f5f000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f4c000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e1d000)
        /lib/ld-linux.so.2 (0xb7fe5000)

-James
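James's ldd check tells you whether the build can use capabilities at all; it does not tell you whether the running process actually kept the one it needs. The script below is an added example, not code from the thread or from the Asterisk project: it parses ldd output for a libcap entry (exercised on constructed text in the shape James posted, and usable against a live binary), and it reads the CapEff mask from /proc/PID/status to test for CAP_NET_ADMIN. Two assumptions are not stated in the thread: that CAP_NET_ADMIN is capability bit 12 on Linux, and that this is the capability a non-root Asterisk retains to set ToS/priority on its sockets.

```shell
#!/bin/sh
# Added example (not from the thread). Checks libcap linkage from ldd output
# and CAP_NET_ADMIN presence in a process's effective capability mask.

# Constructed ldd output in the shape shown in James's post (libcap present).
LDD_WITH_LIBCAP='    linux-gate.so.1 =>  (0xffffe000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fd9000)
    libcap.so.1 => /lib/libcap.so.1 (0xb7fd5000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e1d000)'

# Constructed output for a build made without libcap-dev installed.
LDD_WITHOUT_LIBCAP='    linux-gate.so.1 =>  (0xffffe000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fd9000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e1d000)'

# Returns 0 if the given ldd output lists a libcap shared object.
ldd_has_libcap() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*libcap\.so'
}

# Same check against an installed binary, e.g. /usr/sbin/asterisk.
binary_has_libcap() {
    ldd_has_libcap "$(ldd "$1" 2>/dev/null)"
}

# Returns 0 if a CapEff hex mask (as printed in /proc/PID/status) has
# bit 12 set. Assumption: bit 12 is CAP_NET_ADMIN on Linux.
capeff_has_net_admin() {
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# Read CapEff for a process (default: this shell) and test it.
process_has_net_admin() {
    pid=${1:-$$}
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$pid/status")
    capeff_has_net_admin "$mask"
}

# Demo: sh script.sh --demo [binary] [pid]
if [ "${1:-}" = "--demo" ]; then
    bin=${2:-/usr/sbin/asterisk}
    pid=${3:-$$}
    if binary_has_libcap "$bin"; then
        echo "$bin: linked against libcap"
    else
        echo "$bin: not linked against libcap (or not found)"
    fi
    if process_has_net_admin "$pid"; then
        echo "pid $pid: CAP_NET_ADMIN is in the effective set"
    else
        echo "pid $pid: CAP_NET_ADMIN is not in the effective set"
    fi
fi
```

Run it with the pid of a non-root asterisk process after startup: a binary that links libcap but whose process shows no CAP_NET_ADMIN is the case where ToS marking silently fails, and a process that shows a full mask (every bit set) has not dropped privileges at all.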