Red Hat Bugzilla – Bug 833460
asterisk does not start as user defined in AST_USER
Last modified: 2017-03-15 11:01:29 EDT
Created attachment 592967 [details]
patch to use ASTARGS to define -U and -G options
Description of problem:
The included /etc/init.d/asterisk script uses the variable AST_ARGS instead of ASTARGS at two lines.
Version-Release number of selected component (if applicable):
asterisk.x86_64 220.127.116.11-1.el6 @epel
Steps to Reproduce:
1. define AST_USER
2. /etc/init.d/asterisk start
runs as root
run as user defined in AST_USER
possible patch attached
We have the same problem with 18.104.22.168 version.
Please fix it!!!
I have hit this same problem. Please, fix it. It's a security bug, because Asterisk runs as root by default.
Created attachment 751328 [details]
Patch to fix init script
This patch is the same as the previous one, but applied against the EPEL git branch
Still present in asterisk-22.214.171.124-1.el6.
I don't undersand why something so simple isn't fixed after more than a year...
Patch work perfectly, this issue can be a potential security problem.
Note that this patch will likely break existing installs as there will be files inside /var owned by root which asterisk will no longer be able to access:
(In reply to Phil Anderson from comment #6)
> Note that this patch will likely break existing installs as there will be
> files inside /var owned by root which asterisk will no longer be able to
Best fix for this is probably to have the initscript reset the permissions to work for that user as part of the startup process. I could swear an older version of asterisk did exactly this in its initscript, but the current one doesn't seem to.
For purposes of setting permissions, $AST_GROUP should be assumed to be the primary group of $AST_USER if it's not otherwise specified.
As best I can tell, nothing in /var/lib/asterisk should be writable to the asterisk user. The keys directory should be readable *only* to the asterisk user though (root:asterisk 750, files root:asterisk 640)
The following directories should be recursively owned by and writable to the asterisk user:
/etc/asterisk/voicemail.conf needs to be writable by asterisk for users to be able to change their passwords.
I seem to recall that there's a few other files in /etc/asterisk that need to be written to by asterisk, but I don't recall what they are offhand.
It looks like asterisk actually sets the correct permissions on everything already, so the cleanup should only have to set owner and group, and not have to worry about permissions.
FWIW, the logrotate.d script provided by this package assumes that it needs to run as the asterisk user without looking in /etc/sysconfig/asterisk to find out, and the log rotation fails because of this (asterisk never reopens the new log file, and will continue logging to the one that got deleted, which means your future logs all go byebye as soon as they get rotated from the view of the admin, and it will continually use up disk space without a corresponding directory entry to locate it until you restart asterisk or do a logger reload).