By default, Asterisk runs as the root user, and while we don’t have any hard data, our own experiences lead us to conclude that the vast majority of Asterisk systems are run in this default state. From a security perspective, this represents an unacceptable risk―strangely, one which most of us seem willing to take.
Running Asterisk as non-root is not terribly hard to achieve, but it requires a few extra steps, and debugging it can be frustrating if you do not understand how Linux permissions work. However, from a security perspective it is well worth the effort.
We’re going to run Asterisk as the user asterisk, so we need to create that user on our system first. The following commands will be run as root. We’ll tell you when to switch and use the asterisk user that we’re about to create:
#adduser -c "Asterisk PBX" asterisk
#passwd asterisk
Now
that you’ve created the asterisk user, let’s switch
to that user, with which we’ll perform the rest of the commands. Once we
su
to the asterisk user,[141] we can download a copy of Asterisk via SVN, FTP or WGET, and
then compile and install. We’re going to grab a copy of Asterisk from the
SVN repository in the following example.
1.4.5 is the current release version at the time of this writing, but it won’t be by the time you read this, so check the Asterisk web site for the latest version. In other words, don’t just type 1.4.5 whenever you see us refer to it. Find out what is current and use that instead.
#su - asterisk
$svn co http://svn.digium.com/svn/asterisk/tags/1.4.5 asterisk-1.4.5
$cd asterisk-1.4.5
$./configure --prefix=$HOME/asterisk-bin --sysconfdir=$HOME/asterisk-bin
--localstatedir=$HOME/asterisk-bin
$make menuselect
$make install
When
running the ./configure
script with the --prefix
flag, we’re telling the system to
install the binary components into our $HOME
[142] directory under the subdirectory called asterisk-bin
. The
--sysconfdir
flag tells the system where to place the
configuration files, and --localstatedir
tells the
system where to install additional files, such as sounds. The key here is
that since we are downloading, compiling, and installing as the user
asterisk, everything that only gets created will be
assigned to that user, and have the permissions granted to that
user.
We can now install the sample files as well into the $HOME/asterisk-bin/asterisk
directory:
$ make samples
Test starting up Asterisk with the following command:
$ ./asterisk-bin/sbin/asterisk -cvvv
Normally, Asterisk needs to be run as a service. During
installation, the make config
command will install the
init scripts. Unfortunately, this will not work when you are logged in as
the user asterisk, because only the
root user has the authority to make changes to system
startup commands. It would appear that what we need to do is log in as
root, navigate to the /home/asterisk/asterisk-1.4.5
folder, and run
the make config
command again (now
with the authority to really make it happen). Problem solved,
right?
Yes, but not quite. If you run the service asterisk
start
command, you will find that it complains that it cannot
find asterisk
. Know why? Because the
init script figures the asterisk
executable got installed in /usr/sbin
, where it would be if we had
installed asterisk
as
root. So, we need to tell the init script where to
find asterisk
and the safe_asterisk
script, like this:
#ln -s /home/asterisk/asterisk-bin/sbin/asterisk /usr/sbin/asterisk
#ln -s /home/asterisk/asterisk-bin/sbin/safe_asterisk /usr/sbin/safe_asterisk
Since the init script utilizes the
safe_asterisk script, and by default wants to start
Asterisk as the root user, we have to modify the safe_asterisk
script telling it to run Asterisk
as our non-root user. So open up the safe_asterisk
script with your favorite text
editor and look for the ASTARGS
variable (around line 78). Then add -U
asterisk
between the quotes like so:
# # Don't fork when running "safely" # ASTARGS="-U asterisk"
Go ahead and start Asterisk by running service asterisk
start
and verify Asterisk is running as the asterisk
user using the ps
command:
#service asterisk start
#ps aux | grep asterisk
503 30659 0.0 1.8 26036 8692 pts/2 Sl 15:07 0:00 /home/asterisk/asterisk-bin/sbin/asterisk -U asterisk -vvvg -c
The
503 is actually our asterisk user, which we verify by
looking at the /etc/passwd
file:
# cat /etc/passwd
asterisk:x:503:503:Asterisk PBX:/home/asterisk:/bin/bash
Reboot the system to ensure that everything comes up as required. Keep in mind that a lot of things that you do with Asterisk might assume that you are running as root, so keep an eye out for errors that relate to a lack of permission. Your Asterisk process may think it is the superuser, but we have clipped its wings somewhat.
Why go through the trouble? The advantage of this is simply that if any security vulnerability in Asterisk[143] allows someone to access the box through the Asterisk account, he will be limited to system activities allowed by that account. When Asterisk is run as root, a security compromise gives the intruder full control of your system.
[141] su
historically means super-user, but
nowadays it could also mean switch-user or substitute-user. The
-
in the command tells su
to use
the environment for that user (for example to use the
PATH
for that user)
[142] $HOME
is a system variable
that defines the path to the home directory for the current user,
i.e., /home/asterisk
.
[143] If you walk up to any system that’s running Asterisk, hook a keyboard and screen up to it, and press Alt-F9; you will be connected to the Asterisk CLI. Press ! and hit Return, and you will have a shell. If Asterisk is running as root, you now own that system.