Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Chapter 3: Linux as a PBX
If you use the Red Hat init script, make sure /etc/rc.d/rc.local calls it
instead of calling Asterisk directly as in the first method. Regardless of
which method you choose, make sure you’re loading the right modules
(wcfxo or wcfxs) prior to the line in which Asterisk is launched.
Securing the Asterisk Instance
By default, Asterisk runs as root—the user account with total, unrestricted power.
This is generally considered a bad idea, and it’s the reason Apache, the web server,
doesn’t usually run as root. If Asterisk is compromised by an ill-willed network
prowler, it’s possible that the intruder could gain the power of root. That is, unless
you make Asterisk run as a less godly user.
To do this, create a user called “asterisk” by issuing the Red Hat adduser command
(other Unixes could use useradd instead):
# adduser -c "Asterisk PBX" -d /var/lib/asterisk asterisk
Next, you’ll need to alter Asterisk’s make file, located at /usr/src/asterisk/Makefile.
Using Pico or your favorite text editor, find the ASTVARRUNDIR constant in the file, and
alter its definition to match what follows:
ASTVARRUNDIR=$(INSTALL_PREFIX)/var/run/asterisk
The directory referenced here needs to be writable by the user running Asterisk, and
the directory normally used should be writable only by root. So by changing the
setting, you’re allowing Asterisk to use a directory that can be written by its own
non-root user account. Now, recompile Asterisk using this sequence of commands:
# cd /usr/src/asterisk
# make clean ; make install
Once the recompile and install are done, you’ll need to make sure the new user
account has appropriate permission to several Asterisk-related directories, including
the one you referenced in the altered Makefile:
# chown -R asterisk:asterisk /var/lib/asterisk
# chown -R asterisk:asterisk /var/log/asterisk
# chown -R asterisk:asterisk /var/run/asterisk
# chown -R asterisk:asterisk /var/spool/asterisk
# chown -R asterisk:asterisk /dev/zap
# chmod -R u=rwX,g=rX,o= /var/lib/asterisk
# chmod -R u=rwX,g=rX,o= /var/log/asterisk
# chmod -R u=rwX,g=rX,o= /var/run/asterisk
# chmod -R u=rwX,g=rX,o= /var/spool/asterisk
# chmod -R u=rwX,g=rX,o= /dev/zap
# chown -R root:asterisk /etc/asterisk
# chmod -R u=rwX,g=rX,o= /etc/asterisk
You can now launch the Asterisk server from the new user account or from root
using the su command:
# su asterisk -c /usr/sbin/safe_asterisk
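
To confirm that the ownership and mode changes above took effect, the following audit script (an added example, not from the book) lists every path under the Asterisk directories that has the wrong owner or group, is group-writable, or is accessible to other users. The function names audit_tree and audit_asterisk and the --audit argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the result of the chown/chmod steps above.

# audit_tree DIR USER GROUP
# Prints each path under DIR that is not owned by USER:GROUP, is
# group-writable, or grants any permission to "other" (i.e. differs from
# u=rwX,g=rX,o=). Returns 0 if clean, 1 if anything was printed, 2 on error.
audit_tree() {
    dir=$1 user=$2 group=$3
    if [ ! -d "$dir" ]; then
        echo "audit_tree: no such directory: $dir" >&2
        return 2
    fi
    # Symlinks are skipped: chmod -R does not change them and their mode
    # bits are not used for access decisions on Linux.
    bad=$(find "$dir" ! -type l \( ! -user "$user" -o ! -group "$group" \
            -o -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -print) || return 2
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# audit_asterisk: run audit_tree over the directories listed in the text.
audit_asterisk() {
    rc=0
    for d in /var/lib/asterisk /var/log/asterisk /var/run/asterisk \
             /var/spool/asterisk /dev/zap; do
        audit_tree "$d" asterisk asterisk || rc=1
    done
    # Configuration stays owned by root, so the service account can read
    # its configuration but cannot rewrite it.
    audit_tree /etc/asterisk root asterisk || rc=1
    return "$rc"
}

# "--audit" is this example's own switch, not an Asterisk option.
if [ "${1:-}" = "--audit" ]; then
    audit_asterisk
fi
```

Run it as root with the --audit argument after the chown and chmod steps; any path it prints still needs its ownership or mode corrected.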
