asterisk users - May 2008 - Newbie Asterisk: Install Asterisk as non-root

I was following the instruction on
http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
Asterisk as non-root when I had the following questions/issues:


1) " Use your system's preferred method of adding a new user. Examples:
Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060
asterisk"
###Why did we have to choose uid as 5060?  
###In fact, do you need to specify the uid at all?


2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
astrundir => /var/run/asterisk 
Recompile and reinstall Asterisk."
### Seems a bit strange to modify this before you recompile.
### As it turns out, the reinstall did not change the astrundir variable
### You have to manually modify it if this modification is actually
required.


3) "Also, make note that if you're running udev on your system
(linux-2.6), the /dev directory is dynamically populated with device
nodes, meaning that any permissions you set on /dev/zap will be lost on
your next reboot, and you may get a nasty message such as "Asterisk
ended with exit status 1" 
when trying to start asterisk. Read the file
/path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
the user/group assigned to /dev/zap. "
### There is actually no README.udev file in zaptel source.
### Do I need to worry about this if "uname -r" returns 2.6.18-8.el5
### What actually is udev?


4) "Asterisk needs read permission for these directories and their
contents: 
/etc/asterisk.
chown --recursive root:asterisk /etc/asterisk"
### root is not in group asterisk
### All the while, the instruction has been saying to create a user
asterisk
### under group asterisk.
### Does it mean to put root into group asterisk as well???
### Or should it be "chown --recursive asterisk:asterisk
/etc/asterisk"
?


5) Another article says that running as non-root will prevent ToS being
used.
What is ToS?  Do I need to be concerned?


Any thoughts?

Lee, John (Sydney) schrieb:
> I was following the instruction on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:
> 
> 
> 1) " Use your system's preferred method of adding a new user.
Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060
> asterisk"
> ###Why did we have to choose uid as 5060?  
> ###In fact, do you need to specify the uid at all?
If you don't care: no.
> 
> 
> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
> astrundir => /var/run/asterisk 
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable
> ### You have to manually modify it if this modification is actually
> required.
Why should /etc/asterisk/asterisk.conf have any influence on
the compilation?
> 
> 
> 3) "Also, make note that if you're running udev on your system
> (linux-2.6), the /dev directory is dynamically populated with device
> nodes, meaning that any permissions you set on /dev/zap will be lost on
> your next reboot, and you may get a nasty message such as "Asterisk
> ended with exit status 1" 
> when trying to start asterisk. Read the file
> /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
> the user/group assigned to /dev/zap. "
> ### There is actually no README.udev file in zaptel source.
> ### Do I need to worry about this if "uname -r" returns
2.6.18-8.el5
> ### What actually is udev?
http://en.wikipedia.org/wiki/Udev
http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
> 
> 
> 4) "Asterisk needs read permission for these directories and their
> contents: 
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk
> ### All the while, the instruction has been saying to create a user
> asterisk
> ### under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk
/etc/asterisk"
> ?
Probably.
> 
> 
> 5) Another article says that running as non-root will prevent ToS being
> used.
> What is ToS?  Do I need to be concerned?
http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/DiffServ_Code_Point
> 
> 
> Any thoughts?
When I last thought about it Asterisk was not really ready to be
run as non-root. Maybe it is now.


Gr??e,
Philipp Kempgen
-- 
Asterisk-Tag.org 2008, 26.-27. Mai   ->  http://www.asterisk-tag.org
amooma GmbH - Bachstr. 126 - 56566 Neuwied  ->  http://www.amooma.de
Gesch?ftsf?hrer: Stefan Wintermeyer, Handelsregister: Neuwied B14998

Lee, John (Sydney) wrote:
> I was following the instruction on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:
> 
> 1) " Use your system's preferred method of adding a new user.
Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060
> asterisk"
> ###Why did we have to choose uid as 5060?  
> ###In fact, do you need to specify the uid at all?
Nope - the UID doesn't matter, but it is general practice to keep system 
  (application) UIDs below 100 or 1000 and "normal" users above. So
I'd
use a number below 100 or 1000 depending on your linux distro's standard.
> 
> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
> astrundir => /var/run/asterisk 
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable
> ### You have to manually modify it if this modification is actually
> required.
> 
That won't affect compilation whatsoever.
> 
> 3) "Also, make note that if you're running udev on your system
> (linux-2.6), the /dev directory is dynamically populated with device
> nodes, meaning that any permissions you set on /dev/zap will be lost on
> your next reboot, and you may get a nasty message such as "Asterisk
> ended with exit status 1" 
> when trying to start asterisk. Read the file
> /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
> the user/group assigned to /dev/zap. "
> ### There is actually no README.udev file in zaptel source.
> ### Do I need to worry about this if "uname -r" returns
2.6.18-8.el5
> ### What actually is udev?
> 
udev help linux to dynamically create/remove the interfaces to various 
hardware devices and so forth. After installing the zaptel module you'll 
see a udev rules file "zaptel.rules" in your etc/udev configuration 
area. It doesn't take a genius to work out if or how you need to change 
anything in that file...
> 4) "Asterisk needs read permission for these directories and their
> contents: 
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk
> ### All the while, the instruction has been saying to create a user
> asterisk
> ### under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk
/etc/asterisk"
> ?
There is reason behind this. It is possibly more secure to make the 
"owner" root and just allow group access by asterisk. Setting the
files
as above permits read/write only by the user root and read only by 
members of the group asterisk.
> 
> 5) Another article says that running as non-root will prevent ToS being
> used.
> What is ToS?  Do I need to be concerned?
http://en.wikipedia.org/wiki/Type_of_Service. Why you can't use this as 
non-root I do not understand...
> Any thoughts?
> 
I wrote up my solution for building and running asterisk as non-root 
here: 
http://www.theopensourcerer.com/2007/10/30/untangle-asterisk-pbx-and-file-server-all-in-one-part-7/

I have read somewhere that voicemail.conf needs to be writeable by 
Asterisk so users can change their vmailbox passwords. I haven't 
confirmed this but I set voicemail.conf to be writeable by group 
asterisk just in case.

Hope this helps.

Al

-- 
The way out is open!
http://www.theopensourcerer.com

On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney)
wrote:
> 
> I was following the instruction on
> http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
> Asterisk as non-root when I had the following questions/issues:
For those wondering what the fuss is all about, look at:

He was actually refering to:

http://www.voip-info.org/wiki/page_history.php?page_id=745&preview=40
> 
> 
> 1) " Use your system's preferred method of adding a new user.
Examples:
> Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk -u 5060
> asterisk"
> ###Why did we have to choose uid as 5060?  
> ###In fact, do you need to specify the uid at all?
Right. No need.
> 
> 
> 2) "Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
> astrundir => /var/run/asterisk 
> Recompile and reinstall Asterisk."
> ### Seems a bit strange to modify this before you recompile.
> ### As it turns out, the reinstall did not change the astrundir variable
> ### You have to manually modify it if this modification is actually
> required.
This was not written clearly. I put there a separate case for
Asterisk
>= 1.4 . Did it require a rebuild on 1.2 ?
TODO: update on the vanishing /var/run/asterisk at boot on a certain
distribution .
> 
> 3) "Also, make note that if you're running udev on your system
> (linux-2.6), the /dev directory is dynamically populated with device
> nodes, meaning that any permissions you set on /dev/zap will be lost on
> your next reboot, and you may get a nasty message such as "Asterisk
> ended with exit status 1" 
> when trying to start asterisk. Read the file
> /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
> the user/group assigned to /dev/zap. "
> ### There is actually no README.udev file in zaptel source.
> ### Do I need to worry about this if "uname -r" returns
2.6.18-8.el5
> ### What actually is udev?
I see that this is not docuemnted anywhere, actually . Zaptel now (as of
around 1.4.8, I believe) creates udev rules that set the userame of the
device to Asterisk.

Some distributions (Gentoo and Debian) replace that with a rule that
sets the group to "dialout" (hence the need to add Asterisk to the
group
'dialout').
> 
> 
> 4) "Asterisk needs read permission for these directories and their
> contents: 
> /etc/asterisk.
> chown --recursive root:asterisk /etc/asterisk"
> ### root is not in group asterisk
root can read/write everything anyway, regardless of ownership.
> ### All the while, the instruction has been saying to create a user
> asterisk
> ### under group asterisk.
> ### Does it mean to put root into group asterisk as well???
> ### Or should it be "chown --recursive asterisk:asterisk
/etc/asterisk"
> ?
You can. But it will simply be pointless.
> 
> 
> 5) Another article says that running as non-root will prevent ToS being
> used.
> What is ToS?  Do I need to be concerned?
Anybody wants to write something about this?

I recall a change in that area in recent Asterisk 1.4-s .


Does Asterisk actually break with SELinux enabled? Why?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

On Thu, May 15, 2008 at 5:30 AM, Tzafrir Cohen <tzafrir.cohen at
xorcom.com> wrote:
> On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney) wrote:
>>
>> 5) Another article says that running as non-root will prevent ToS being
>> used. What is ToS?  Do I need to be concerned?
>
> Anybody wants to write something about this?
> I recall a change in that area in recent Asterisk 1.4-s .
ToS is supported when running non-root on Linux by using kernel
capabilities. On Ubuntu, the libcap-dev package is required for this.
It provides libcap.{a,so} and sys/capability.h, which the Asterisk
configure script will check for before you compile. You can check to
see whether your binary is linked against libcap using the ldd
command:

$ ldd /usr/sbin/asterisk
        linux-gate.so.1 =>  (0xffffe000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fd9000)
        libcap.so.1 => /lib/libcap.so.1 (0xb7fd5000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fc2000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f81000)
        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7f5f000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f4c000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e1d000)
        /lib/ld-linux.so.2 (0xb7fe5000)

-James