Running Asterisk as a non-root user means that CLI commands which execute Linux scripts cannot run with root privileges. This will improve the security of the control panel. You can also grant access, e.g. over SSH, only to a specific user who will be able to manage the exchange without being able to mess up the rest of the system.
1) Add user and group
What we would like to start with is to add a non-root user. In our example, we will use the user ‘asterisk’. To add a user and group do:
useradd asterisk
groupadd asterisk
If you plan to log in as this user, also set a password:
passwd asterisk
TIP
In most cases, creating a user such as ‘asterisk’ will create a group with the same name. When creating a group, you may receive a warning that the group already exists.
groupadd: group 'asterisk' already exists
2) Change of permissions
The next step will be to change permissions for individual files and directories.
If your Asterisk is installed in a non-standard directory, or you need to find files or directories that may require a change of permissions, you can search for them with:
find / -name 'asterisk'
Time to change permissions:
chown -R asterisk:asterisk /var/{lib,log,run,spool}/asterisk
chown -R asterisk:asterisk /etc/asterisk
chown asterisk:asterisk /usr/sbin/asterisk
# for 32-bit system
chown -R asterisk:asterisk /usr/lib/asterisk
# for 64-bit system
chown -R asterisk:asterisk /usr/lib64/asterisk
The ‘ls -l’ command should show that our new user is the owner of the directory.
IMPORTANT Remember that if you create new files as a different user, Asterisk may not be able to access them, may throw errors or the functionality of Asterisk may be limited.
Finally, we have to tell our PBX system that it should act as a different user. We can do this in the asterisk.conf file. It is usually located in the /etc/asterisk/ directory.
Inside, we find the ‘runuser’ and ‘rungroup’ variables. The file generated by make basic-pbx contains these variables commented out. Just uncomment them.
The changes should be automatically visible after entering the CLI console, even without reloading.
asterisk -r
TIP
sed:
sed -i "s/^;runuser = asterisk.*$/runuser = asterisk ; The user to run as./" /etc/asterisk/asterisk.conf
sed -i "s/^;rungroup = asterisk.*$/rungroup = asterisk ; The group to run as./" /etc/asterisk/asterisk.conf
And that’s all! From now on, our Asterisk will be launched as ‘asterisk’, i.e. as intended: as a user other than ‘root’.
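The sed commands above change nothing if the commented lines in asterisk.conf do not match their pattern exactly, and files created later by another user break the ownership set with chown. The following check is an added example, not part of the original article or of Asterisk; the function names conf_value, not_owned_by and audit are this example's own, and it checks the owning user only, not the group.

```shell
#!/bin/sh
# Added example: verify the non-root setup described on this page.
# Function names are hypothetical; they are not Asterisk tools.

# Print the active (uncommented) value of KEY in an asterisk.conf-style file.
# Lines starting with ';' are comments, so ";runuser = asterisk" yields nothing.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# List every file or directory under the given paths NOT owned by OWNER.
# find exits non-zero if OWNER is unknown or a path is missing.
not_owned_by() {
    owner=$1; shift
    find "$@" ! -user "$owner" -print
}

# audit CONF PATH... : return 0 only if runuser and rungroup are active in
# CONF and everything under the given paths is owned by runuser.
audit() {
    conf=$1; shift
    user=$(conf_value "$conf" runuser)
    group=$(conf_value "$conf" rungroup)
    if [ -z "$user" ] || [ -z "$group" ]; then
        echo "FAIL: runuser/rungroup commented out or missing in $conf"
        return 1
    fi
    stray=$(not_owned_by "$user" "$@") || {
        echo "FAIL: find error (unknown user '$user' or missing path)"
        return 1
    }
    if [ -n "$stray" ]; then
        echo "FAIL: not owned by $user:"
        echo "$stray"
        return 1
    fi
    echo "OK: configured to run as $user:$group, ownership consistent"
}

# Typical call on the PBX itself (paths as used on this page):
#   audit /etc/asterisk/asterisk.conf /etc/asterisk /var/lib/asterisk \
#         /var/log/asterisk /var/run/asterisk /var/spool/asterisk
```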
TIP
/etc/udev/rules.d/92-dongle.rules (CentOS):
KERNEL=="ttyUSB*", MODE="0666", OWNER="asterisk", GROUP="asterisk"
In effect, each new ttyUSB device will be assigned the new user and group.