Untangle, Asterisk PBX and File Server; All-in-One. Part 7

There’s no Untangle in this installment – I’m awaiting a new kernel from the developers before I can get any further; it should be here shortly however.

In the previous article of this series I mentioned that I’d explain how to get Asterisk built and running as a non-root user. It wasn’t too hard to be honest but I’ll document it anyway.

The problem: Asterisk by default, when compiled from source, expects to be run as root. For userspace applications, this is NEVER a good idea in my opinion. After all we’re running on a multi user system that can support non-root processes – unlike Windows – so we really should… 😉

The solution for Asterisk-1.4.13 on my LFS based system, is as follows:

Build any hardware add-ons and codecs you need before building Asterisk. I built the Zaptel module for my x100p card and the Speex Open Source VBR codec. The zaptel module needs to find your kernel source tree (usually in /usr/src/linux-2.6.x.x). To build the zaptel source:

./configure --prefix=/usr
make menuselect
(to select/deselect the modules you wish to build)

then as root:

make install

and optionally:

make config This will install the SysV init scripts and some default configuration files. You may need to modify the init scripts depending on your system.

Simply follow a similar process for the Speex codec…

For Asterisk, start off by creating a group and user that will run and own the asterisk process and files (select {G,U}IDs and names that are appropriate for your system).

groupadd -g 75 asterisk
useradd -c "Asterisk PBX" -d /var/lib/asterisk -g asterisk -s /bin/false -u 75 asterisk

Edit the Makefile in the top of the asterisk source tree so that the line:

ASTVARRUNDIR=${localstatedir}/run becomes ASTVARRUNDIR=${localstatedir}/run/asterisk

Then build as normal

./configure --prefix=/usr
make menuselect
(Turn on/off various modules and options. Select sound files/language/format and extra sounds. Type “s” to save and exit)

Then as root:

make install

Asterisk is now installed. But because we will run the process as non-root it needs write permissions for these directories and their contents:

/var/lib/asterisk, /var/log/asterisk, /var/run/asterisk, /var/spool/asterisk, /dev/zap/*.

If you installed the zaptel modules and used the ‘make config’ command, a udev rules file (zaptel.rules) will be written to /etc/udev/rules.d. This enables, by default, udev to create the zaptel device files as user:group asterisk. If you chose another name above you will need to edit this file accordingly.

O.K., lets sort out the ownership and access to the files Asterisk needs. First change the owner:

chown -R asterisk:asterisk /var/{lib/asterisk,log/asterisk,run/asterisk,spool/asterisk}

Now set read/write only by owner, read only by group and no access by other:

chmod 750 /var/{lib/asterisk,log/asterisk,run/asterisk,spool/asterisk}
chmod -R o= /var/{lib/asterisk,log/asterisk,run/asterisk,spool/asterisk}

This switch (chmod -R o=) is pretty cool by the way. It removes all access to all files and directories for the “other” classification, effectively setting them to “0” but does not change or overwrite any of the permissions for owner and/or group access.

The asterisk process itself only needs read permission for the configuration directory (/etc/asterisk) and its contents (almost1):

chown -R root:asterisk /etc/asterisk
chmod 750 /etc/asterisk
chmod 640 /etc/asterisk/*

Some of Asterisk’s ‘.conf’ files contain cleartext passwords and other potentially sensitive information. Setting the files as above permits read/write only by the user root and read only by members of the group asterisk.

That’s it basically. When you start asterisk from the SysV init scripts, pass the following arguments to have it run, safely, as your new user:

asterisk ${DEBUG} ${ZAP_TIMING} -U ${USER} -G ${GROUP}

In my startup script, I’ve set those constants above to be:

# If you want debug messages to the console and the logs switch the
# comments below

# The user and group we created earlier

# Use this if you want to limit the maximum number of simultaneous calls
# to prevent system failure for example
#MAXCALLS="-m 20"

# If you have a Zaptel card/timing source, enable it here

That’s it.

When asterisk starts, it will run as the user and group defined above. In the next installment, I will write a bit about a fantastic new echo canceler which sorts out cheap x100p cards and makes them work properly… It’s really excellent.

1. Except for voicemail.conf. When a user changes their pin asterisk writes these changes to the voicemail.conf file.

Tags: , , ,

One Comment

  • Neha says:

    I’m fiddling about with our asterix phone system, the csv file that logs all the phone records has some garbage values, what do i do to get a clean .csv file? also, i do not need all the variables, if i just edit the cdr_custom.conf file to include the variables i need, do i need to compile the code again for the system to use the updated file?

Leave a Reply

XHTML: You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>