Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-19 Thread James Sneeringer
On Sat, May 17, 2008 at 9:21 AM, Tzafrir Cohen [EMAIL PROTECTED] wrote:
 On Fri, May 16, 2008 at 06:32:30PM -0500, James Sneeringer wrote:
 The safe_asterisk script monitors the actual asterisk process, and if
 it dies for some reason,

 Not for some reason. For instance, if asterisk decides to die the
 script should not restart it. And if it got a SIGTERM? (e.g.: from init
 on shutdown?)

True, I oversimplified a bit. I should have said it restarts Asterisk
if it dies abnormally (e.g. with a return code of anything other than
zero). Init shouldn't have to kill it if the startup script can also
shut it down cleanly (which in my case on Ubuntu means stopping
safe_asterisk first).

 Also note that asterisk.conf options override command-line options (and
 not the other way around, as you might have learned to expect from most
 other applications).

Some asterisk.conf options, such as runuser and rungroup, don't appear
to work at all. I can get Asterisk to run non-root using -U and -G on
the command line, but attempting to do it in asterisk.conf instead
doesn't work for me. The command line is good enough for me, so I
haven't taken the time to figure out why it doesn't work.

 Question: what does it take to move the voicemail file from
 /etc/asterisk/voicemail.conf to /etc/asterisk/writble/voicemail.conf ?

 Patch voicemail.conf and leave a compatibility symlink for the others?

Yes, you would have to patch those two applications. The filename
itself is hardcoded into app_voicemail.c and app_directory.c. It picks
up the path from astetcdir in asterisk.conf, or uses /etc/asterisk
if that option is not defined. A simple symlink isn't good enough
because when Asterisk rewrites the config file (after a user changes
their passcode), it unlinks the old one without checking whether it's
a symlink it needs to dereference. I haven't looked too deeply into
the code, so I don't know if it's as simple as changing the
VOICEMAIL_CONFIG to subdir/voicemail.conf.

-James
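
The symlink problem described above, as an added example that is not part of the original post and is not Asterisk code: it contrasts an unlink-and-recreate rewrite with one that resolves the link first. The temporary directory layout and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not Asterisk code. Paths and names below are constructed.

# rewrite_naive FILE CONTENT: unlink FILE and create it again, the behaviour
# described in the post. If FILE is a symlink, the link itself is destroyed
# and the real target keeps its old content.
rewrite_naive() {
  rm -f -- "$1" && printf '%s\n' "$2" > "$1"
}

# rewrite_following FILE CONTENT: resolve FILE first, write a temporary file
# next to the real target, then rename it over the target. The symlink
# survives and readers never see a half-written file. Mode and ownership of
# the temporary file would have to be set before the rename; omitted here.
rewrite_following() {
  local target tmp
  target=$(readlink -f "$1") || return 1
  tmp=$(mktemp "${target%/*}/.rewrite.XXXXXX") || return 1
  if printf '%s\n' "$2" > "$tmp" && mv -f -- "$tmp" "$target"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

# make_layout DIR: DIR/voicemail.conf -> writable/voicemail.conf
make_layout() {
  mkdir -p "$1/writable" &&
  printf 'old\n' > "$1/writable/voicemail.conf" &&
  ln -s writable/voicemail.conf "$1/voicemail.conf"
}

# outcome DIR: print "<link|file> <content of writable/voicemail.conf>"
outcome() {
  local kind=file
  [ -L "$1/voicemail.conf" ] && kind=link
  printf '%s %s\n' "$kind" "$(cat "$1/writable/voicemail.conf")"
}

# run_case naive|following: build a fresh layout, rewrite, report, clean up
run_case() {
  local d
  d=$(mktemp -d) || return 1
  make_layout "$d" && "rewrite_$1" "$d/voicemail.conf" new && outcome "$d"
  rm -rf -- "$d"
}

printf 'naive:     %s\n' "$(run_case naive)"
printf 'following: %s\n' "$(run_case following)"
```

The naive rewrite leaves a regular file where the compatibility symlink used to be, and the file in the writable subdirectory goes stale.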

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-19 Thread Alan Lord
James Sneeringer wrote:
<snip />
 Also note that asterisk.conf options override command-line options (and
 not the other way around, as you might have learned to expect from most
 other applications).
 
 Some asterisk.conf options, such as runuser and rungroup, don't appear
 to work at all. I can get Asterisk to run non-root using -U and -G on
 the command line, but attempting to do it in asterisk.conf instead
 doesn't work for me. The command line is good enough for me, so I
 haven't taken the time to figure out why it doesn't work.

My uneducated guess would be that for Asterisk to parse the 
asterisk.conf file it has to be running... Therefore it must already be 
running as the user which it was told to run as.

Alan


-- 
The way out is open!
http://www.theopensourcerer.com




Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-18 Thread Lee, John (Sydney)
 You should probably clean it up and put it up on the wiki. I don't think
 anyone has put up a step-by-step like you did before.
 
 There might be much easier additions/modifications done to it, and it will
 be available to everybody.
Done.  No problem - glad to be of service to the open-source community.
http://www.voip-info.org/wiki/view/Asterisk+non-root







Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-17 Thread Tzafrir Cohen
On Fri, May 16, 2008 at 06:32:30PM -0500, James Sneeringer wrote:
 On Fri, May 16, 2008 at 3:04 AM, Lee, John (Sydney)
 [EMAIL PROTECTED] wrote:
  First of all, thanks Philipp, Alan, Tzafrir and James for your valuable
  comments.  I have listed below the exact list of commands to run for
  reinstalling asterisk 1.4.* as non-root on a Redhat / Fedora distro.
  Hope others can benefit.
 
  I have the following comments/questions though:
  1) #What is safe_asterisk used for actually?  I did not touch it in
  my modification because I don't know when is it triggered?
 
 The safe_asterisk script monitors the actual asterisk process, and if
 it dies for some reason, 

Not for some reason. For instance, if asterisk decides to die the
script should not restart it. And if it got a SIGTERM? (e.g.: from init
on shutdown?)

 it restarts it and optionally notifies you.
 It's just a precaution. MySQL is often run under a script called
 mysqld_safe for the same reason.
 
  2) #I do not actually know whether we really need to modify
  /etc/asterisk/asterisk.conf?  Is this file read by asterisk at all?
  Seems like an important file name - asterisk.conf?
 
 It is read by asterisk, but whether you need to change any of the
 defaults really depends on your environment. Most of the options in it
 have equivalent command-line options, so you might want to use
 asterisk.conf instead of modifying the startup script (which could be
 overwritten the next time you upgrade).

Also note that asterisk.conf options override command-line options (and
not the other way around, as you might have learned to expect from most
other applications).

 
  4) There is an additional chmod to run for letting voicemail.conf to be
  written by group asterisk.
 
 What I found was that /etc/asterisk also needs to be writable by the
 asterisk user, because asterisk will unlink and recreate the file, so
 it needs to be able to write to the directory, not just the file. You
 can protect yourself a little bit by setting the sticky bit on
 /etc/asterisk, so even if asterisk goes nuts, it can't whack files it
 doesn't actually have write permissions on.
 
 chmod g+w /etc/asterisk/voicemail.conf
 chmod g+w,+t /etc/asterisk

Question: what does it take to move the voicemail file from
/etc/asterisk/voicemail.conf to /etc/asterisk/writble/voicemail.conf ?

Patch voicemail.conf and leave a compatibility symlink for the others?

-- 
   Tzafrir Cohen
icq#16849755  jabber:[EMAIL PROTECTED]
+972-50-7952406   mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir



Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-17 Thread Mark Hamilton
Lee,

You should probably clean it up and put it up on the wiki. I don't think
anyone has put up a step-by-step like you did before.

There might be much easier additions/modifications done to it, and it will
be available to everybody. 

Thanks for this, btw.
Mark.


Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-16 Thread Lee, John (Sydney)
First of all, thanks Philipp, Alan, Tzafrir and James for your valuable
comments.  I have listed below the exact list of commands to run for
reinstalling asterisk 1.4.* as non-root on a Redhat / Fedora distro.
Hope others can benefit.

I have the following comments/questions though:
1) #What is safe_asterisk used for actually?  I did not touch it in
my modification because I don't know when is it triggered?
2) #I do not actually know whether we really need to modify
/etc/asterisk/asterisk.conf?  Is this file read by asterisk at all?
Seems like an important file name - asterisk.conf?


3) It is safer to define a user called asterisk in group asterisk unless
you want to make more changes to 2 files i.e. zaptel.rules and
/etc/init.d/asterisk
4) There is an additional chmod to run for letting voicemail.conf to be
written by group asterisk.



# /etc/init.d/asterisk stop
Shutting down asterisk:[  OK  ]

# /usr/sbin/groupadd asterisk

# /usr/sbin/useradd -d /var/lib/asterisk -g asterisk asterisk
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

# cp Makefile Makefile.org

*** 
*** Change the following line from:
***
*** ASTVARRUNDIR=$(localstatedir)/run
***
*** to
***
*** ASTVARRUNDIR=$(localstatedir)/run/asterisk
***
# vi Makefile
[...]
ifeq ($(OSARCH),SunOS)
  ASTETCDIR=/var/etc/asterisk
  ASTLIBDIR=/opt/asterisk/lib
  ASTVARLIBDIR=/var/opt/asterisk
  ASTSPOOLDIR=/var/spool/asterisk
  ASTLOGDIR=/var/log/asterisk
  ASTHEADERDIR=/opt/asterisk/include
  ASTBINDIR=/opt/asterisk/bin
  ASTSBINDIR=/opt/asterisk/sbin
  ASTVARRUNDIR=/var/run/asterisk
  ASTMANDIR=/opt/asterisk/man
else
  ASTETCDIR=$(sysconfdir)/asterisk
  ASTLIBDIR=$(libdir)/asterisk
  ASTHEADERDIR=$(includedir)/asterisk
  ASTBINDIR=$(bindir)
  ASTSBINDIR=$(sbindir)
  ASTSPOOLDIR=$(localstatedir)/spool/asterisk
  ASTLOGDIR=$(localstatedir)/log/asterisk
  ASTVARRUNDIR=$(localstatedir)/run/asterisk
  ASTMANDIR=$(mandir)
[...]

cd /usr/src/asterisk-1.4
make clean
./configure
make
make install

***
*** Don't panic!  
*** /var/run/asterisk should just be an empty directory but should just exist.
***

# chown --recursive asterisk:asterisk /var/lib/asterisk
# chown --recursive asterisk:asterisk /var/log/asterisk
# chown --recursive asterisk:asterisk /var/run/asterisk
# chown --recursive asterisk:asterisk /var/spool/asterisk
# chown --recursive asterisk:asterisk /usr/lib/asterisk
# chown --recursive asterisk:asterisk /dev/zap

# chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
# chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
# chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
# chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
# chmod --recursive u=rwX,g=rX,o= /usr/lib/asterisk
# chmod --recursive u=rwX,g=rX,o= /dev/zap

# chown --recursive root:asterisk /etc/asterisk
# chmod --recursive u=rwX,g=rX,o= /etc/asterisk

# cp /etc/asterisk/asterisk.conf /etc/asterisk/asterisk.conf.org
# vi /etc/asterisk/asterisk.conf
*** 
*** Change the following line from:
***
*** astrundir = /var/run
***
*** to
***
*** astrundir = /var/run/asterisk
***

# cp /etc/init.d/asterisk /etc/init.d/asterisk.org

# vi /etc/init.d/asterisk
*** 
*** Uncomment the following line from:
***
*** #AST_USER=asterisk
*** #AST_GROUP=asterisk
***
*** to
***
*** AST_USER=asterisk
*** AST_GROUP=asterisk
***

*** 
*** Asterisk needs to write to voicemail.conf for password change.
***
# chmod g+w /etc/asterisk/voicemail.conf

*** 
*** Restart Asterisk by either of below:
***
# /etc/init.d/asterisk restart

# asterisk -U asterisk -G asterisk
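
A check to run after the restart above, as an added example that is not part of the original post: it reads the text of `/proc/<pid>/status` and reports any uid, gid or supplementary group that is still 0, including the saved set-uid that a quick `ps` does not show. The sample status texts and the uid 101 are constructed; a non-zero capability mask is only noted, since a libcap-linked build keeps capabilities on purpose.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# check_dropped: read the text of /proc/<pid>/status on stdin, print one line
# per finding, and return 0 only if no uid, gid or supplementary group is 0.
# The four columns of Uid:/Gid: are real, effective, saved set and filesystem.
check_dropped() {
  awk '
    BEGIN { split("real effective saved filesystem", kind, " ") }
    $1 == "Uid:" || $1 == "Gid:" {
      what = ($1 == "Uid:") ? "uid" : "gid"
      for (i = 2; i <= 5 && i <= NF; i++)
        if ($i == 0) { print kind[i - 1] " " what " is 0"; bad = 1 }
    }
    $1 == "Groups:" {
      for (i = 2; i <= NF; i++)
        if ($i == 0) { print "supplementary group 0 is still present"; bad = 1 }
    }
    $1 == "CapEff:" && $2 !~ /^0+$/ {
      print "note: effective capability mask " $2
    }
    END { exit bad + 0 }
  '
}

# Constructed samples: started as root and never dropped, fully dropped with
# a capability kept, and dropped with a saved set-uid of 0 left behind.
sample_root() {
  printf 'Name:\tasterisk\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n'
  printf 'Groups:\t0\nCapEff:\t0000003fffffffff\n'
}
sample_dropped() {
  printf 'Name:\tasterisk\nUid:\t101\t101\t101\t101\nGid:\t101\t101\t101\t101\n'
  printf 'Groups:\t101\nCapEff:\t0000000000001000\n'
}
sample_saved() {
  printf 'Name:\tasterisk\nUid:\t101\t101\t0\t101\nGid:\t101\t101\t101\t101\n'
  printf 'Groups:\t101\nCapEff:\t0000000000000000\n'
}

for s in sample_root sample_dropped sample_saved; do
  printf '== %s\n' "$s"
  if "$s" | check_dropped; then
    echo "verdict: no root identity left"
  else
    echo "verdict: root identity remains"
  fi
done

# On a live system (assumes a single process named asterisk):
#   check_dropped < "/proc/$(pgrep -o -x asterisk)/status"
```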





Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-16 Thread James Sneeringer
On Fri, May 16, 2008 at 3:04 AM, Lee, John (Sydney)
[EMAIL PROTECTED] wrote:
 First of all, thanks Philipp, Alan, Tzafrir and James for your valuable
 comments.  I have listed below the exact list of commands to run for
 reinstalling asterisk 1.4.* as non-root on a Redhat / Fedora distro.
 Hope others can benefit.

 I have the following comments/questions though:
 1) #What is safe_asterisk used for actually?  I did not touch it in
 my modification because I don't know when is it triggered?

The safe_asterisk script monitors the actual asterisk process, and if
it dies for some reason, it restarts it and optionally notifies you.
It's just a precaution. MySQL is often run under a script called
mysqld_safe for the same reason.

 2) #I do not actually know whether we really need to modify
 /etc/asterisk/asterisk.conf?  Is this file read by asterisk at all?
 Seems like an important file name - asterisk.conf?

It is read by asterisk, but whether you need to change any of the
defaults really depends on your environment. Most of the options in it
have equivalent command-line options, so you might want to use
asterisk.conf instead of modifying the startup script (which could be
overwritten the next time you upgrade).

 4) There is an additional chmod to run for letting voicemail.conf to be
 written by group asterisk.

What I found was that /etc/asterisk also needs to be writable by the
asterisk user, because asterisk will unlink and recreate the file, so
it needs to be able to write to the directory, not just the file. You
can protect yourself a little bit by setting the sticky bit on
/etc/asterisk, so even if asterisk goes nuts, it can't whack files it
doesn't actually have write permissions on.

chmod g+w /etc/asterisk/voicemail.conf
chmod g+w,+t /etc/asterisk

-James
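
The directory-entry removal rule behind the sticky-bit advice above, as an added example that is not part of the original post: `may_unlink` models the classic Unix check (ACLs, capabilities and SELinux ignored) and `audit_dir` applies it to a real directory. The uid/gid 500 for asterisk and both function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The uid/gid numbers in the demo are
# constructed; ACLs, capabilities and SELinux are ignored.

# may_unlink DIR_MODE DIR_UID DIR_GID FILE_UID PROC_UID "PROC_GIDS"
#   DIR_MODE is octal (for example 1770); PROC_GIDS is space separated.
# Returns 0 if the process may unlink or rename the entry, 1 otherwise.
may_unlink() {
  local mode dir_uid dir_gid file_uid uid gids bits
  mode=$((0$1)); dir_uid=$2; dir_gid=$3; file_uid=$4; uid=$5; gids=" $6 "

  [ "$uid" -eq 0 ] && return 0        # root bypasses the checks below

  # Exactly one permission class applies: owner, else group, else other.
  if [ "$uid" -eq "$dir_uid" ]; then
    bits=$(( (mode >> 6) & 7 ))
  else
    case "$gids" in
      *" $dir_gid "*) bits=$(( (mode >> 3) & 7 )) ;;
      *)              bits=$(( mode & 7 )) ;;
    esac
  fi

  # Removing a name needs write and search permission on the directory.
  [ $(( bits & 3 )) -eq 3 ] || return 1

  # Sticky bit set: only the owner of the file or of the directory may
  # remove the entry, whatever the file's own mode bits say.
  if [ $(( mode & 01000 )) -ne 0 ]; then
    [ "$uid" -eq "$file_uid" ] || [ "$uid" -eq "$dir_uid" ] || return 1
  fi
  return 0
}

# audit_dir DIR USER: for each entry in DIR, say whether USER could remove it.
audit_dir() {
  local dir="$1" user="$2" uid gids dstat f fuid
  uid=$(id -u "$user") || return 2
  gids=$(id -G "$user") || return 2
  dstat=$(stat -c '%a %u %g' "$dir") || return 2
  for f in "$dir"/*; do
    [ -e "$f" ] || [ -L "$f" ] || continue
    fuid=$(stat -c '%u' "$f")
    # $dstat is left unquoted on purpose: it splits into mode, uid and gid
    if may_unlink $dstat "$fuid" "$uid" "$gids"; then
      printf 'removable  %s\n' "$f"
    else
      printf 'protected  %s\n' "$f"
    fi
  done
}

# Demo with constructed ids: directory owned by root (0), group asterisk
# (gid 500); the asterisk process runs as uid 500 with gid 500.
report() {  # report LABEL DIR_MODE FILE_UID
  if may_unlink "$2" 0 500 "$3" 500 "500"; then
    printf '%-40s asterisk can remove it\n' "$1"
  else
    printf '%-40s asterisk cannot remove it\n' "$1"
  fi
}
report "dir 0750, file owned by root" 750 0
report "dir 0770, file owned by root" 770 0
report "dir 1770, file owned by root" 1770 0
report "dir 1770, file owned by asterisk" 1770 500

# On a live system: audit_dir /etc/asterisk asterisk
```

Under the sticky bit the deciding factor is who owns the file or the directory, so a root-owned file in a sticky `root:asterisk` directory stays protected even when its own mode is group-writable.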



[asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-15 Thread Lee, John (Sydney)

I was following the instruction on
http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
Asterisk as non-root when I had the following questions/issues:


1)  Use your system's preferred method of adding a new user. Examples: 
Red Hat: adduser -c Asterisk PBX -d /var/lib/asterisk -u 5060
asterisk
###Why did we have to choose uid as 5060?  
###In fact, do you need to specify the uid at all?


2) Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
astrundir = /var/run/asterisk 
Recompile and reinstall Asterisk.
### Seems a bit strange to modify this before you recompile.
### As it turns out, the reinstall did not change the astrundir variable
### You have to manually modify it if this modification is actually
required.


3) Also, make note that if you're running udev on your system
(linux-2.6), the /dev directory is dynamically populated with device
nodes, meaning that any permissions you set on /dev/zap will be lost on
your next reboot, and you may get a nasty message such as Asterisk
ended with exit status 1 
when trying to start asterisk. Read the file
/path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
the user/group assigned to /dev/zap. 
### There is actually no README.udev file in zaptel source.
### Do I need to worry about this if uname -r returns 2.6.18-8.el5
### What actually is udev?


4) Asterisk needs read permission for these directories and their
contents: 
/etc/asterisk.
chown --recursive root:asterisk /etc/asterisk
### root is not in group asterisk
### All the while, the instruction has been saying to create a user
asterisk
### under group asterisk.
### Does it mean to put root into group asterisk as well???
### Or should it be chown --recursive asterisk:asterisk /etc/asterisk
?


5) Another article says that running as non-root will prevent ToS being
used.
What is ToS?  Do I need to be concerned?


Any thoughts?

 




Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-15 Thread Tzafrir Cohen
On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney) wrote:
 
 I was following the instruction on
 http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
 Asterisk as non-root when I had the following questions/issues:

For those wondering what the fuss is all about, look at:

He was actually referring to:

http://www.voip-info.org/wiki/page_history.php?page_id=745preview=40

 
 
 1)  Use your system's preferred method of adding a new user. Examples: 
 Red Hat: adduser -c Asterisk PBX -d /var/lib/asterisk -u 5060
 asterisk
 ###Why did we have to choose uid as 5060?  
 ###In fact, do you need to specify the uid at all?

Right. No need.

 
 
 2) Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
 astrundir = /var/run/asterisk 
 Recompile and reinstall Asterisk.
 ### Seems a bit strange to modify this before you recompile.
 ### As it turns out, the reinstall did not change the astrundir variable
 ### You have to manually modify it if this modification is actually
 required.

This was not written clearly. I put there a separate case for Asterisk
= 1.4 . Did it require a rebuild on 1.2 ?

TODO: update on the vanishing /var/run/asterisk at boot on a certain
distribution .

 
 3) Also, make note that if you're running udev on your system
 (linux-2.6), the /dev directory is dynamically populated with device
 nodes, meaning that any permissions you set on /dev/zap will be lost on
 your next reboot, and you may get a nasty message such as Asterisk
 ended with exit status 1 
 when trying to start asterisk. Read the file
 /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
 the user/group assigned to /dev/zap. 
 ### There is actually no README.udev file in zaptel source.
 ### Do I need to worry about this if uname -r returns 2.6.18-8.el5
 ### What actually is udev?

I see that this is not documented anywhere, actually. Zaptel now (as of
around 1.4.8, I believe) creates udev rules that set the username of the
device to Asterisk.

Some distributions (Gentoo and Debian) replace that with a rule that
sets the group to dialout (hence the need to add Asterisk to the group
'dialout').

 
 
 4) Asterisk needs read permission for these directories and their
 contents: 
 /etc/asterisk.
 chown --recursive root:asterisk /etc/asterisk
 ### root is not in group asterisk

root can read/write everything anyway, regardless of ownership.

 ### All the while, the instruction has been saying to create a user
 asterisk
 ### under group asterisk.
 ### Does it mean to put root into group asterisk as well???
 ### Or should it be chown --recursive asterisk:asterisk /etc/asterisk
 ?

You can. But it will simply be pointless.

 
 
 5) Another article says that running as non-root will prevent ToS being
 used.
 What is ToS?  Do I need to be concerned?

Anybody wants to write something about this?

I recall a change in that area in recent Asterisk 1.4-s .


Does Asterisk actually break with SELinux enabled? Why?

-- 
   Tzafrir Cohen
icq#16849755  jabber:[EMAIL PROTECTED]
+972-50-7952406   mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir



Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-15 Thread Philipp Kempgen
Lee, John (Sydney) wrote:
 I was following the instruction on
 http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
 Asterisk as non-root when I had the following questions/issues:
 
 
 1)  Use your system's preferred method of adding a new user. Examples: 
 Red Hat: adduser -c Asterisk PBX -d /var/lib/asterisk -u 5060
 asterisk
 ###Why did we have to choose uid as 5060?  
 ###In fact, do you need to specify the uid at all?

If you don't care: no.

 
 
 2) Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
 astrundir = /var/run/asterisk 
 Recompile and reinstall Asterisk.
 ### Seems a bit strange to modify this before you recompile.
 ### As it turns out, the reinstall did not change the astrundir variable
 ### You have to manually modify it if this modification is actually
 required.

Why should /etc/asterisk/asterisk.conf have any influence on
the compilation?

 
 
 3) Also, make note that if you're running udev on your system
 (linux-2.6), the /dev directory is dynamically populated with device
 nodes, meaning that any permissions you set on /dev/zap will be lost on
 your next reboot, and you may get a nasty message such as Asterisk
 ended with exit status 1 
 when trying to start asterisk. Read the file
 /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
 the user/group assigned to /dev/zap. 
 ### There is actually no README.udev file in zaptel source.
 ### Do I need to worry about this if uname -r returns 2.6.18-8.el5
 ### What actually is udev?

http://en.wikipedia.org/wiki/Udev
http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html

 
 
 4) Asterisk needs read permission for these directories and their
 contents: 
 /etc/asterisk.
 chown --recursive root:asterisk /etc/asterisk
 ### root is not in group asterisk
 ### All the while, the instruction has been saying to create a user
 asterisk
 ### under group asterisk.
 ### Does it mean to put root into group asterisk as well???
 ### Or should it be chown --recursive asterisk:asterisk /etc/asterisk
 ?

Probably.

 
 
 5) Another article says that running as non-root will prevent ToS being
 used.
 What is ToS?  Do I need to be concerned?

http://en.wikipedia.org/wiki/Type_of_Service
http://en.wikipedia.org/wiki/DiffServ_Code_Point

 
 
 Any thoughts?

When I last thought about it Asterisk was not really ready to be
run as non-root. Maybe it is now.


Regards,
Philipp Kempgen
-- 
Asterisk-Tag.org 2008, May 26-27   -  http://www.asterisk-tag.org
amooma GmbH - Bachstr. 126 - 56566 Neuwied  -  http://www.amooma.de
Managing director: Stefan Wintermeyer, commercial register: Neuwied B14998



Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-15 Thread Alan Lord
Lee, John (Sydney) wrote:
 I was following the instruction on
 http://www.voip-info.org/wiki-Asterisk+non-root to re-install my
 Asterisk as non-root when I had the following questions/issues:
 
 1)  Use your system's preferred method of adding a new user. Examples: 
 Red Hat: adduser -c Asterisk PBX -d /var/lib/asterisk -u 5060
 asterisk
 ###Why did we have to choose uid as 5060?  
 ###In fact, do you need to specify the uid at all?

Nope - the UID doesn't matter, but it is general practice to keep system
(application) UIDs below 100 or 1000 and normal users above. So I'd
use a number below 100 or 1000 depending on your Linux distro's standard.

 
 2) Edit your Asterisk config file (/etc/asterisk/asterisk.conf): 
 astrundir = /var/run/asterisk 
 Recompile and reinstall Asterisk.
 ### Seems a bit strange to modify this before you recompile.
 ### As it turns out, the reinstall did not change the astrundir variable
 ### You have to manually modify it if this modification is actually
 required.
 

That won't affect compilation whatsoever.

 
 3) Also, make note that if you're running udev on your system
 (linux-2.6), the /dev directory is dynamically populated with device
 nodes, meaning that any permissions you set on /dev/zap will be lost on
 your next reboot, and you may get a nasty message such as Asterisk
 ended with exit status 1 
 when trying to start asterisk. Read the file
 /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change
 the user/group assigned to /dev/zap. 
 ### There is actually no README.udev file in zaptel source.
 ### Do I need to worry about this if uname -r returns 2.6.18-8.el5
 ### What actually is udev?
 

udev helps Linux to dynamically create/remove the interfaces to various
hardware devices and so forth. After installing the zaptel module you'll
see a udev rules file zaptel.rules in your etc/udev configuration
area. It doesn't take a genius to work out if or how you need to change
anything in that file...

 4) Asterisk needs read permission for these directories and their
 contents: 
 /etc/asterisk.
 chown --recursive root:asterisk /etc/asterisk
 ### root is not in group asterisk
 ### All the while, the instruction has been saying to create a user
 asterisk
 ### under group asterisk.
 ### Does it mean to put root into group asterisk as well???
 ### Or should it be chown --recursive asterisk:asterisk /etc/asterisk
 ?

There is a reason behind this. It is possibly more secure to make the
owner root and just allow group access by asterisk. Setting the files
as above permits read/write only by the user root and read only by
members of the group asterisk.

 
 5) Another article says that running as non-root will prevent ToS being
 used.
 What is ToS?  Do I need to be concerned?

http://en.wikipedia.org/wiki/Type_of_Service. Why you can't use this as 
non-root I do not understand...

 Any thoughts?
 

I wrote up my solution for building and running asterisk as non-root 
here: 
http://www.theopensourcerer.com/2007/10/30/untangle-asterisk-pbx-and-file-server-all-in-one-part-7/

I have read somewhere that voicemail.conf needs to be writeable by 
Asterisk so users can change their vmailbox passwords. I haven't 
confirmed this but I set voicemail.conf to be writeable by group 
asterisk just in case.

Hope this helps.

Al

-- 
The way out is open!
http://www.theopensourcerer.com




Re: [asterisk-users] Newbie Asterisk: Install Asterisk as non-root

2008-05-15 Thread James Sneeringer
On Thu, May 15, 2008 at 5:30 AM, Tzafrir Cohen [EMAIL PROTECTED] wrote:
 On Thu, May 15, 2008 at 06:17:12PM +1000, Lee, John (Sydney) wrote:

 5) Another article says that running as non-root will prevent ToS being
 used. What is ToS?  Do I need to be concerned?

 Anybody wants to write something about this?
 I recall a change in that area in recent Asterisk 1.4-s .

ToS is supported when running non-root on Linux by using kernel
capabilities. On Ubuntu, the libcap-dev package is required for this.
It provides libcap.{a,so} and sys/capability.h, which the Asterisk
configure script will check for before you compile. You can check to
see whether your binary is linked against libcap using the ldd
command:

$ ldd /usr/sbin/asterisk
linux-gate.so.1 =>  (0xe000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7fd9000)
libcap.so.1 => /lib/libcap.so.1 (0xb7fd5000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7fc2000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7f81000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7f5f000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f4c000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e1d000)
/lib/ld-linux.so.2 (0xb7fe5000)

-James
