Running Asterisk As a Non-root User

By default, Asterisk runs as the root user, and while we don’t have any hard data, our own experiences lead us to conclude that the vast majority of Asterisk systems are run in this default state. From a security perspective, this represents an unacceptable risk―strangely, one which most of us seem willing to take.

Running Asterisk as non-root is not terribly hard to achieve, but it requires a few extra steps, and debugging it can be frustrating if you do not understand how Linux permissions work. However, from a security perspective it is well worth the effort.

We’re going to run Asterisk as the user asterisk, so we need to create that user on our system first. The following commands will be run as root. We’ll tell you when to switch and use the asterisk user that we’re about to create:

# adduser -c "Asterisk PBX" asterisk
# passwd asterisk

Now that you’ve created the asterisk user, let’s switch to that user, with which we’ll perform the rest of the commands. Once we su to the asterisk user,[141] we can download a copy of Asterisk via SVN, FTP or WGET, and then compile and install. We’re going to grab a copy of Asterisk from the SVN repository in the following example.

Note

1.4.5 is the current release version at the time of this writing, but it won’t be by the time you read this, so check the Asterisk web site for the latest version. In other words, don’t just type 1.4.5 whenever you see us refer to it. Find out what is current and use that instead.

# su - asterisk
$ svn co http://svn.digium.com/svn/asterisk/tags/1.4.5 asterisk-1.4.5
$ cd asterisk-1.4.5
$ ./configure --prefix=$HOME/asterisk-bin --sysconfdir=$HOME/asterisk-bin 
  --localstatedir=$HOME/asterisk-bin
$ make menuselect
$ make install

When running the ./configure script with the --prefix flag, we’re telling the system to install the binary components into our $HOME[142] directory under the subdirectory called asterisk-bin. The --sysconfdir flag tells the system where to place the configuration files, and --localstatedir tells the system where to install additional files, such as sounds. The key here is that since we are downloading, compiling, and installing as the user asterisk, everything that only gets created will be assigned to that user, and have the permissions granted to that user.

We can now install the sample files as well into the $HOME/asterisk-bin/asterisk directory:

$ make samples

Test starting up Asterisk with the following command:

$ ./asterisk-bin/sbin/asterisk -cvvv

Normally, Asterisk needs to be run as a service. During installation, the make config command will install the init scripts. Unfortunately, this will not work when you are logged in as the user asterisk, because only the root user has the authority to make changes to system startup commands. It would appear that what we need to do is log in as root, navigate to the /home/asterisk/asterisk-1.4.5 folder, and run the make config command again (now with the authority to really make it happen). Problem solved, right?

Yes, but not quite. If you run the service asterisk start command, you will find that it complains that it cannot find asterisk. Know why? Because the init script figures the asterisk executable got installed in /usr/sbin, where it would be if we had installed asterisk as root. So, we need to tell the init script where to find asterisk and the safe_asterisk script, like this:

# ln -s /home/asterisk/asterisk-bin/sbin/asterisk /usr/sbin/asterisk
# ln -s /home/asterisk/asterisk-bin/sbin/safe_asterisk /usr/sbin/safe_asterisk

Since the init script utilizes the safe_asterisk script, and by default wants to start Asterisk as the root user, we have to modify the safe_asterisk script telling it to run Asterisk as our non-root user. So open up the safe_asterisk script with your favorite text editor and look for the ASTARGS variable (around line 78). Then add -U asterisk between the quotes like so:

#
# Don't fork when running "safely"
#
ASTARGS="-U asterisk"

Go ahead and start Asterisk by running service asterisk start and verify Asterisk is running as the asterisk user using the ps command:

# service asterisk start
# ps aux | grep asterisk

503      30659  0.0  1.8  26036  8692 pts/2    Sl   15:07   0:00 
/home/asterisk/asterisk-bin/sbin/asterisk -U asterisk -vvvg -c

The 503 is actually our asterisk user, which we verify by looking at the /etc/passwd file:

# cat /etc/passwd

asterisk:x:503:503:Asterisk PBX:/home/asterisk:/bin/bash

Reboot the system to ensure that everything comes up as required. Keep in mind that a lot of things that you do with Asterisk might assume that you are running as root, so keep an eye out for errors that relate to a lack of permission. Your Asterisk process may think it is the superuser, but we have clipped its wings somewhat.

Why go through the trouble? The advantage of this is simply that if any security vulnerability in Asterisk[143] allows someone to access the box through the Asterisk account, he will be limited to system activities allowed by that account. When Asterisk is run as root, a security compromise gives the intruder full control of your system.



[141] su historically means super-user, but nowadays it could also mean switch-user or substitute-user. The - in the command tells su to use the environment for that user (for example to use the PATH for that user)

[142] $HOME is a system variable that defines the path to the home directory for the current user, i.e., /home/asterisk.

[143] If you walk up to any system that’s running Asterisk, hook a keyboard and screen up to it, and press Alt-F9; you will be connected to the Asterisk CLI. Press ! and hit Return, and you will have a shell. If Asterisk is running as root, you now own that system.