Making Asterisk Run as a Different User (i.e. not as root)

Securing the Asterisk daemon by running it as a dedicated user without root privileges


Creating The New User

To begin, create a new group and a new user that will run the asterisk process. To do this on a Red Hat or RHEL-based distribution (such as CentOS 5), use the groupadd and adduser commands in a terminal window. You must issue these commands as root.

Note that on other distributions you may have to use a different command for adding users, such as useradd.

groupadd -g 75 asterisk

adduser -c "Asterisk Telephone Server" -d /var/lib/asterisk -g asterisk -u 75 asterisk

This creates a new group named asterisk and a new user "asterisk" that belongs to it, with /var/lib/asterisk as the user's home directory. The -c switch gives a description for the user, and the -g and -u switches set the group ID and user ID. If 75 is already in use on your system, change it to a free ID.

Note: You might receive a warning that the /var/lib/asterisk directory already exists but you can ignore the warning for this exercise.
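The same account creation as a script, added here as an example and not part of the original article. It checks whether the requested numeric IDs (75, as above) are free before creating the group and user, moving up to the next free ID if they are not, and takes the account database file as a parameter so the checks can be tried on a constructed copy without touching /etc. It uses useradd (the alternative the note above mentions) rather than adduser; the -s /sbin/nologin shell is an addition that assumes that path exists on your system.

```shell
#!/bin/sh
# Added example, not from the article: create the asterisk group and
# account, first checking that the requested numeric ids (75, as in the
# article) are free and moving up to the next free id if they are not.
# The check functions take the account database file as a parameter so
# they can be exercised on a constructed copy without touching /etc.
set -e

AST_UID=75
AST_GID=75
AST_HOME=/var/lib/asterisk

# Return 0 if numeric id $1 does not appear in the id column (field 3)
# of the passwd- or group-format file $2.
id_free() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit found ? 1 : 0 }' "$2"
}

# Return 0 if name $1 already exists in field 1 of file $2.
name_exists() {
    awk -F: -v n="$1" '$1 == n { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Print the first free id at or above $1 in file $2.
first_free_id() {
    candidate=$1
    while ! id_free "$candidate" "$2"; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

# Create the group and user. Must run as root. -s /sbin/nologin (assumed
# to exist on the system) denies interactive logins, since this account
# exists only to run the daemon.
create_asterisk_account() {
    if name_exists asterisk /etc/group || name_exists asterisk /etc/passwd; then
        echo "asterisk group or user already exists; nothing to do" >&2
        return 1
    fi
    gid=$(first_free_id "$AST_GID" /etc/group)
    uid=$(first_free_id "$AST_UID" /etc/passwd)
    groupadd -g "$gid" asterisk
    useradd -c "Asterisk Telephone Server" -d "$AST_HOME" -g asterisk \
        -u "$uid" -s /sbin/nologin asterisk
    echo "created asterisk user (uid $uid) and group (gid $gid)"
}

# Run "sh this-script.sh --apply" as root to actually create the account.
case "${1:-}" in
    --apply) create_asterisk_account ;;
esac
```

Without --apply the script only defines the functions, so you can source it and call first_free_id against /etc/passwd to see which ID it would pick before creating anything.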

Modifying the Asterisk Makefile

Creating the new asterisk user was the first step towards having Asterisk run under this account.

The next step is to modify the Asterisk Makefile, which is located in the directory where you downloaded the Asterisk source files. Usually this is /usr/src/asterisk/, but if you used a different location, look for the file there.

Using your favourite editor, edit the Makefile.

cd /usr/src/asterisk

nano Makefile

Look for the ASTVARRUNDIR constant and change it like this

ASTVARRUNDIR=$(INSTALL_PREFIX)/var/run/asterisk

This option changes the directory Asterisk will run in. The new directory must be writable by the user running Asterisk.

Recompiling Asterisk

Next, change to the directory where the Asterisk source files are located and recompile Asterisk to pick up the change we just made.

cd /usr/src/asterisk

make clean

make install

Verify Installation

If all went well, the terminal will print a few lines saying the installation succeeded, followed by further instructions for installing additional components and configuring Asterisk.

You can verify that the change to the Makefile was successful by checking that the install created the new /var/run/asterisk directory for Asterisk to run in.

cd /var/run

ls -lha

If this directory is not there, something in the installation did not go as planned; revisit the steps above and recompile.

Side Effects

One of the side effects of this kind of setup is that asterisk won't be able to set ToS bits for VoIP packets anymore. That's because setting the ToS requires elevated privileges.

There are patches out there that fix this issue and give Asterisk the ability to set ToS, and the fix was added to the SVN trunk at revision 48430 (see the svn log). But for some reason it wasn't carried into the tag releases. I'm running the 1.4.9 tag release.

An alternative to patching your asterisk code is to set up the ToS rules in your firewall.

Changing Folder Permissions

In order for the new user to be able to run the Asterisk process, we need to do a little bit of tweaking.

The Asterisk process needs to be able to write to the following folders:

  • /var/log/asterisk
  • /var/lib/asterisk
  • /var/spool/asterisk
  • /var/run/asterisk
  • /usr/lib/asterisk
  • /dev/zap - if the zaptel module is used

To give the asterisk user access to these folders, change each folder's owner using chown and then grant the appropriate permissions using chmod.

chown -R asterisk:asterisk /var/lib/asterisk

chown -R asterisk:asterisk /var/log/asterisk

chown -R asterisk:asterisk /var/spool/asterisk

chown -R asterisk:asterisk /var/run/asterisk

chown -R asterisk:asterisk /usr/lib/asterisk

chown -R asterisk:asterisk /dev/zap

chmod -R u=rwX,g=rX,o= /var/lib/asterisk

chmod -R u=rwX,g=rX,o= /var/log/asterisk

chmod -R u=rwX,g=rX,o= /var/spool/asterisk

chmod -R u=rwX,g=rX,o= /var/run/asterisk

chmod -R u=rwX,g=rX,o= /usr/lib/asterisk

chmod -R u=rwX,g=rX,o= /dev/zap

Then, if you will not need to change the configuration from the Asterisk console, you can limit the user running the Asterisk process to read-only access to the configuration files. This is generally a good idea, since some configuration files (such as voicemail.conf) store passwords in clear text.

chown -R root:asterisk /etc/asterisk

chmod -R u=rwX,g=rX,o= /etc/asterisk

chmod -R u=rw,g=r,o= /etc/asterisk/*
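The ownership and permission scheme above as one script, added here as an example and not part of the original article. It applies the same modes to the directories listed above, then verifies the result: nothing under the runtime directories or /etc/asterisk is reachable by "other", and no configuration file is writable by the asterisk group. The chown step is only attempted when running as root and the asterisk account exists, so the functions can also be exercised on a scratch tree by an unprivileged user. One deliberate difference: for the configuration files it uses find -type f instead of chmod -R on /etc/asterisk/*, so subdirectories (such as a keys directory) keep their search bit.

```shell
#!/bin/sh
# Added example, not from the article: apply the article's ownership and
# permission scheme to the directories it lists, then verify the result.
# chown is only attempted when running as root and the target account
# exists, so the functions can be tried on a scratch tree without root.
set -e

AST_USER=${AST_USER:-asterisk}
AST_GROUP=${AST_GROUP:-asterisk}

# Directories the daemon must be able to write (from the article;
# /dev/zap only when the zaptel module is in use).
writable_dirs() {
    echo /var/lib/asterisk /var/log/asterisk /var/spool/asterisk \
         /var/run/asterisk /usr/lib/asterisk
    if [ -d /dev/zap ]; then echo /dev/zap; fi
}

# chown -R tree $1 to owner:group $2, but only as root and only when both
# the user and the group exist.
chown_if_root() {
    if [ "$(id -u)" -eq 0 ] && id "${2%%:*}" >/dev/null 2>&1 \
        && getent group "${2#*:}" >/dev/null 2>&1; then
        chown -R "$2" "$1"
    fi
}

# Runtime directory: owned by the daemon account, nothing for "other".
harden_writable() {
    chown_if_root "$1" "$AST_USER:$AST_GROUP"
    chmod -R u=rwX,g=rX,o= "$1"
}

# Configuration: owned by root, read-only for the daemon's group.
# "find -type f" restricts the file mode to regular files, so
# subdirectories keep their search (x) bit.
harden_config() {
    chown_if_root "$1" "root:$AST_GROUP"
    chmod -R u=rwX,g=rX,o= "$1"
    find "$1" -type f -exec chmod u=rw,g=r,o= {} +
}

# Number of entries under $1 with any read (004), write (002) or
# execute (001) bit set for "other".
count_other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# Number of regular files under $1 that the group may write (020).
count_group_writable() {
    find "$1" -type f -perm -020 | wc -l | tr -d ' '
}

# Apply the whole scheme to the live system (root only) and report.
harden_all() {
    for d in $(writable_dirs); do
        harden_writable "$d"
    done
    harden_config /etc/asterisk
    for d in $(writable_dirs) /etc/asterisk; do
        echo "$d: $(count_other_access "$d") entries reachable by other," \
             "$(count_group_writable "$d") files group-writable"
    done
}

# Run "sh this-script.sh --apply" as root to apply it to the real paths.
case "${1:-}" in
    --apply) harden_all ;;
esac
```

The two count functions are the useful part to keep around: run them after any package upgrade or manual edit under /etc/asterisk, since a stray world-readable voicemail.conf is exactly the kind of regression the paragraph above warns about.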

Configuring The Startup Script

So far everything should be ready for the new user account to run the Asterisk process.

There are two ways to do this, but only one is supported and encouraged by the developers: use the -U and -G switches when starting the server. This way Asterisk starts as root and then drops root privileges as it loads the rest of the modules. This is especially important when running Asterisk in realtime mode.

asterisk -U asterisk -G asterisk

If that works, you are ready to make the final changes and have Asterisk run under the newly created account at boot time. To do this, edit the init script in /etc/rc.d/init.d/asterisk. In this file you will find two constants, AST_USER and AST_GROUP, which are commented out by default (with the "#" symbol). Uncomment them and set their values to the user name and group name you just created for Asterisk.

If you have problems starting the Asterisk daemon, you may want to trace its startup to see whether it is trying to access any directories or files for which you have not set the appropriate permissions. To do this, run from the terminal:

strace -eopen asterisk -U asterisk

When this is all done, the Asterisk process will only have as much power as you grant to the "asterisk" user.
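The strace check above, turned into something repeatable, added here as an example and not part of the original article. It pulls out of a trace every open that failed, keeps only the EACCES/EPERM failures (ENOENT lines are mostly library search paths and optional modules), and finally confirms that the process named in the PID file really is running under the asterisk account's uid. The sample trace is constructed to look like strace output; -f, -o and the openat tracing are additions to the command above (current C libraries open files through openat, which -eopen alone would not show), and daemon_uid reads Linux's /proc.

```shell
#!/bin/sh
# Added example, not from the article: find the files Asterisk failed to
# open for permission reasons during startup, and confirm the running
# daemon dropped to the asterisk account. The sample trace is constructed.
set -e

AST_USER=${AST_USER:-asterisk}
AST_GROUP=${AST_GROUP:-asterisk}

# Start Asterisk under strace (as root, so -U/-G can drop privileges),
# following forked children and writing the trace to file $1.
trace_asterisk_startup() {
    strace -f -e trace=open,openat -o "$1" asterisk -U "$AST_USER" -G "$AST_GROUP"
}

# Print "ERRNO path" for every open/openat in trace file $1 that returned
# -1, one line per distinct pair. Handles open("path"...),
# openat(AT_FDCWD, "path"...) and an optional leading pid from -f.
failed_opens() {
    sed -n 's/^[0-9]* *open[a-z]*(\([^"]*\)"\([^"]*\)".*= -1 \(E[A-Z]*\).*/\3 \2/p' "$1" \
        | sort -u
}

# Only the failures that point at ownership or mode problems.
permission_failures() {
    failed_opens "$1" | grep -E '^(EACCES|EPERM) ' || true
}

# Numeric uid of the process whose pid is stored in pidfile $1 (Linux
# /proc). Asterisk writes asterisk.pid under ASTVARRUNDIR.
daemon_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$(cat "$1")/status"
}

# Constructed sample standing in for a trace taken on a machine where
# /var/log/asterisk and /var/run/asterisk were not chowned and /dev/zap
# was left root-only. The last line carries a pid prefix as -f prints.
sample_trace() {
    cat <<'EOF'
open("/etc/asterisk/asterisk.conf", O_RDONLY) = 3
open("/var/log/asterisk/messages", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/var/run/asterisk/asterisk.ctl", O_RDWR|O_CREAT, 0666) = -1 EACCES (Permission denied)
open("/usr/lib/asterisk/modules/chan_zap.so", O_RDONLY) = -1 ENOENT (No such file or directory)
4211  open("/dev/zap/ctl", O_RDWR) = -1 EPERM (Operation not permitted)
EOF
}

# On a live system, as root:
#   trace_asterisk_startup /tmp/asterisk.trace
#   permission_failures /tmp/asterisk.trace
#   [ "$(daemon_uid /var/run/asterisk/asterisk.pid)" = "$(id -u asterisk)" ]
# "sh this-script.sh --demo" runs the parser over the constructed sample.
case "${1:-}" in
    --demo)
        f=$(mktemp)
        sample_trace > "$f"
        permission_failures "$f"
        rm -f "$f"
        ;;
esac
```

Each path that permission_failures prints is one chown or chmod you skipped in the section above; the uid comparison is the final check that the daemon's effective power really is limited to what the asterisk account has.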

copyright (c) Miky Dinescu 2007
