Page 325 - Asterisk™: The Future of Telephony

changes to system startup commands. It would appear that what we need to do is log
               in as root, navigate to the /home/asterisk/asterisk-1.4.5 folder, and run the
               make config command again (now with the authority to really make it happen). Problem
               solved, right?

               Yes, but not quite. If you run the service asterisk start command, you will find that
               it complains that it cannot find asterisk. Know why? Because the init script figures the
               asterisk executable got installed in /usr/sbin, where it would be if we had installed
               asterisk as root. So, we need to tell the init script where to find asterisk and the
               safe_asterisk script, like this:
                   # ln -s /home/asterisk/asterisk-bin/sbin/asterisk /usr/sbin/asterisk
                   # ln -s /home/asterisk/asterisk-bin/sbin/safe_asterisk /usr/sbin/safe_asterisk
               Since the init script utilizes the safe_asterisk script, and by default wants to start Asterisk
               as the root user, we have to modify the safe_asterisk script telling it to run Asterisk as
               our non-root user. So open up the safe_asterisk script with your favorite text editor and
               look for the ASTARGS variable (around line 78). Then add -U asterisk between the quotes
               like so:

                   #
                   # Don't fork when running "safely"
                   #
                   ASTARGS="-U asterisk"
               Go ahead and start Asterisk by running service asterisk start and verify Asterisk is
               running as the asterisk user using the ps command:

                   # service asterisk start
                   # ps aux | grep asterisk
                   503      30659  0.0  1.8  26036  8692 pts/2    Sl   15:07   0:00
                   /home/asterisk/asterisk-bin/sbin/asterisk -U asterisk -vvvg -c
               The 503 is actually our asterisk user, which we verify by looking at the /etc/passwd file:
                   # cat /etc/passwd
                   asterisk:x:503:503:Asterisk PBX:/home/asterisk:/bin/bash
               Reboot the system to ensure that everything comes up as required. Keep in mind that
               a lot of things that you do with Asterisk might assume that you are running as root, so
               keep an eye out for errors that relate to a lack of permission. Your Asterisk process may
               think it is the superuser, but we have clipped its wings somewhat.
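
A check to run after the reboot, added here as an example (it is not from the book or the Asterisk project): it reads ps output and fails if any asterisk binary runs as root or as an account other than the expected one. The function names are hypothetical; the asterisk account name is the one used in this section.

```sh
#!/bin/sh
# Added example (not from the book): confirm that every running asterisk
# binary runs as the expected non-root account.

# uid_to_name UID PASSWD_FILE -> prints the account name for a numeric UID
uid_to_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# check_asterisk_user EXPECTED_USER PASSWD_FILE
# stdin: "UID COMMAND ARGS..." lines, as printed by: ps -e -o uid= -o args=
# returns 0 = all asterisk processes run as EXPECTED_USER,
#         1 = at least one runs as root or another account,
#         2 = no asterisk process found
check_asterisk_user() {
    expected=$1 passwd=$2 found=0 bad=0
    while read -r uid cmd rest; do
        # Match on the executable's basename. The safe_asterisk wrapper is a
        # shell script, so its command is the shell and it is skipped here.
        case ${cmd##*/} in
            asterisk) ;;
            *) continue ;;
        esac
        found=1
        name=$(uid_to_name "$uid" "$passwd")
        if [ "$uid" = 0 ] || [ "$name" != "$expected" ]; then
            echo "FAIL uid=$uid (${name:-unknown}) $cmd"
            bad=1
        else
            echo "ok   uid=$uid ($name) $cmd"
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# Live use, as root after the reboot:
#   ps -e -o uid= -o args= | check_asterisk_user asterisk /etc/passwd
```

A return value of 2 means no asterisk binary was found at all, which after a reboot points at the init script or the symlinks rather than at the -U setting.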
               Why go through the trouble? The advantage of this is simply that if any security
               vulnerability in Asterisk‖ allows someone to access the box through the Asterisk account,



               ‖ If you walk up to any system that’s running Asterisk, hook a keyboard and screen up to it, and press Alt-F9,
                 you will be connected to the Asterisk CLI. Press ! and hit Return, and you will have a shell. If Asterisk is
                 running as root, you now own that system.

                                                             Running Asterisk As a Non-root User | 297