Asterisk security: running Asterisk as non-root user

Asterisk security: running Asterisk as non-root user

Running Asterisk as non-root user will prevent CLI commands that execute Linux scripts from being executed without the necessary privileges. This will improve the security of the control panel. You can also add access, e.g. to SSH only for a specific user who will be able to manage the exchange, but nothing will mess up the system.

Table of Contents

All of the code below can be executed by using our pre-created script.

1) Add user and group

What we would like to start with is to add a non-root user.  In our example, we will use the user ‘asterisk’. To add a user and group do:

					useradd asterisk
groupadd asterisk

If you plan to log in separately for this user, also add a password:

					passwd asterisk

In most cases, creating a user such as ‘asterisk’ will create a group with the same name. When creating a group, you may receive a warning that the group already exists.

					 groupadd: group 'asterisk' already exists

2) Change of permissions

The next step will be to change permissions for individual files and directories.

If your Asterisk is installed in some non-standard directory or you need to find files or directories that may require changing the permissions, you can do it:

					find / -name 'asterisk'

Time to change permissions:

					chown -R asterisk:asterisk /var/{lib,log,run,spool}/asterisk
chown -R asterisk:asterisk /etc/asterisk
chown asterisk:asterisk /usr/sbin/asterisk

# for 32-bit system
chown -R asterisk:asterisk /usr/lib/asterisk

# for 64-bit system
chown -R asterisk:asterisk /usr/lib64/asterisk

The ‘ls -l‘ command should show that our new user is the owner of the directory.

IMPORTANT Remember that if you create new files as a different user, Asterisk may not be able to access them, may throw errors or the functionality of Asterisk may be limited.

Finally, we have to tell our PBX system that it should act as a different user. We can do this in the asterisk.conf file. It is usually located in the /etc/asterisk/ directory.

Inside, we find the ‘runuser‘ and ‘rungroup‘ variables. The file generated by make basic-pbx contains these commented out variables. Just uncomment them.

The changes should be automatically visible after entering CLI console, even without reloading.

					asterisk -r
You can also replace the default code with sed.
					sed -i "s/^;runuser = asterisk.*$/runuser = asterisk     ; The user to run as./" /etc/asterisk/asterisk.conf
sed -i "s/^;rungroup = asterisk.*$/rungroup = asterisk    ; The group to run as./" /etc/asterisk/asterisk.conf

And that’s all! From now on, our Asterisk will be launched as ‘asterisk’, i.e. according to the assumption: user other than ‘root’.

Please note that when changing users, you may need to change other services or devices. For example, to connect a USB modem as a user and group ‘asterisk’, add the following line in /etc/udev/rules.d/92-dongle.rules (CentOS):
					KERNEL=="ttyUSB*", MODE="0666", OWNER="asterisk", GROUP="asterisk"

In effect, each new ttyUSB device will have a new user and group.

Do you really know what is happening on your PBX? Try our proprietary VOIPERO software.


The system arleady has launched and now is completely FREE. Setup takes only a few minutes.


Get to know what VOIPERO system is able to do in terms of reporting & live monitoring of VoIP systems created on Asterisk.

Share this post

Do you have questions or you need an offer?

Contact us!

Most popular

Related Posts

We Have Launched

Monitoring & Reporting of Your VoIP Server