Thanks James for your detailed response. I don't think I will be opening this 
can of worms.

Mike

On 27/07/2012, at 6:26 AM, James Babiak wrote:

> Hey Mike,
> 
> As you mentioned, Asterisk requires write access to many files/directories 
> (i.e. /var/*/asterisk, etc.) which are currently owned by root:root with 
> 755/775/664/644 permissions. So you would have to do many other tweaks other 
> than simply running asterisk as another user. Plus, if Asterisk launches 
> other applications, that could cause some issues. I imagine you could make 
> many of these changes yourself if using unionfs, and get it to work, but it 
> would be a lot of customization, which could break other things. 
> 
> While it's always a good security practice to run any service with the least 
> system-level authority possible, I don't know if it makes much of a 
> difference here. Obviously if you were running Asterisk on a server which was 
> handling multiple services and functions, this logic would certainly apply. 
> But Astlinux is designed primarily to function as an Asterisk PBX. While it 
> can do many other wonderful things, even if Asterisk alone was compromised, 
> and it was running under a limited user account, an intruder would be able to 
> have a great level of control over the system's core function. Granted you 
> could make the config files read only from the asterisk user, which could 
> help prevent unauthorized modifications, and take other similar precautions 
> to lock it down, but it seems like a lot of work for a minimal amount of 
> benefit in this case. I guess the question that it comes down to is, assuming 
> Asterisk was compromised, what else on the box is of any interest to an 
> intruder other than Asterisk itself.
> 
> It's much easier to simply use ACLs and other built-in safeguards to limit 
> access and connectivity to the box from unauthorized locations or servers. 
> You could also use other tools (like Zabbix) to track system changes and send 
> alerts of possible security breaches. I've been running it this way for years 
> (as root) and have not had any issues with security.
> 
> -James
> 
> On Thu, Jul 26, 2012 at 12:26 AM, Michael Knill 
> <[email protected]> wrote:
> To the group
> 
> Best practice states that Asterisk should not run as root but this is default 
> in Astlinux.
> Does changing the Asterisk user break anything? Does anyone bother?
> If so, is it just a matter of changing runuser & group in Asterisk.conf and 
> changing relevant file permissions?
> 
> Thanks
> Mike
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> [email protected].
> 

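Added example, not part of the thread or of AstLinux: a shell audit that lists which paths under a tree a candidate non-root Asterisk account could not write to, which is the ownership work James describes for the root:root 755/775/664/644 files. The function names and the sample tree are hypothetical; it assumes GNU `stat` and looks only at owner, group and mode bits.

```shell
#!/bin/sh
# Added example (not AstLinux code). Assumes GNU stat; checks owner, group and
# mode bits only, so ACLs, supplementary groups and read-only mounts are ignored.

# audit_unwritable DIR UID GID
# Prints "<mode> <owner>:<group> <path>" for every file or directory under DIR
# that a process running as UID:GID could not write to.
audit_unwritable() {
    dir=$1 want_uid=$2 want_gid=$3
    find "$dir" \( -type f -o -type d \) -exec stat -c '%a %u %g %n' {} + |
    while read -r mode uid gid path; do
        p=$((mode % 1000))              # drop the setuid/setgid/sticky digit
        # Exactly one permission class applies: owner, else group, else other.
        if [ "$uid" -eq "$want_uid" ]; then digit=$((p / 100))
        elif [ "$gid" -eq "$want_gid" ]; then digit=$(( (p / 10) % 10 ))
        else digit=$((p % 10))
        fi
        if [ $((digit & 2)) -eq 0 ]; then    # 2 is the write bit
            printf '%s %s:%s %s\n' "$mode" "$uid" "$gid" "$path"
        fi
    done
}

# build_sample_tree DIR
# Constructed stand-in for a /var/*/asterisk tree using the four modes quoted
# in the thread; everything is owned by whoever runs the script.
build_sample_tree() {
    mkdir -p "$1/spool" "$1/log"
    : > "$1/spool/a.conf"
    : > "$1/log/messages"
    chmod 755 "$1" "$1/spool"
    chmod 775 "$1/log"
    chmod 644 "$1/spool/a.conf"
    chmod 664 "$1/log/messages"
}

# Direct use: sh audit.sh DIR UID GID, with the uid/gid intended for the
# runuser/rungroup settings in asterisk.conf.
if [ $# -eq 3 ]; then audit_unwritable "$1" "$2" "$3"; fi
```

Every line it prints is a path whose owner or mode would have to change before the service could run under that account.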