Summary: ASTERISK-09700: runasuser/runasgroup used even for -r means reconnecting users must be root
Reporter: Stuart Henderson (stuarth)
Labels:
Date Opened: 2007-06-18 05:26:58
Date Closed: 2007-10-17 10:18:55
Versions:
Frequency of
Environment:
Attachments:
( 0) 20070904__bug9999.diff.txt
( 1) can_drop_privs.diff
Description:

When runasuser/runasgroup are configured in asterisk.conf, they are used whenever Asterisk is started, including when reconnecting to a running instance. This means that it's not possible to just use filesystem permissions on asterisk.ctl to restrict access, since without being root the setuid/setgid calls will fail.

Wrapping the setuid block in main/asterisk.c with "if(!ast_opt_remote) { ... }" would make things easier.


Workaround is to just use -U/-G on the command line when starting as a daemon, but using the facility to set this in asterisk.conf makes it less likely to be forgotten.
Comments:

By: Tzafrir Cohen (tzafrir) 2007-08-31 16:01:02

The socket is indeed created by root. However, you can set the owner, group and/or permissions of that file in the [files] section of asterisk.conf. See http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt .

Alternatively, chown / chmod manually the socket to test that you can connect as any user.

By: Stuart Henderson (stuarth) 2007-08-31 16:12:55

No, you misunderstand. The socket is already created with the relevant permissions; the problem is that when runasuser is set, asterisk always tries to setuid(). When you are a non-root user, this always fails.

If you have set runasuser in asterisk.conf, you cannot use -r to reconnect to a running instance of Asterisk, even if you have permissions to access the socket, unless you are root (i.e. are able to setuid(_runasuser_)).

By: Tilghman Lesher (tilghman) 2007-08-31 17:10:29

This should fix it.  Please test and report back.

By: Tzafrir Cohen (tzafrir) 2007-08-31 17:29:47

Took a slightly different approach here: the test here is the same test applied as in the case of is_child_of_nonroot. Thus I renamed is_child_of_nonroot to can_drop_privs (reversing its logic to avoid negations).

can_drop_privs will now be set by default, and reset in the following cases:
* A remote console. No use dropping privileges.
* If we have already dropped privileges, and now we re-exec (through a restart command).
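
The behaviour discussed in this thread, as an added example that is not Asterisk's code and not either attached patch: the privilege switch is skipped for a remote console and attempted (gid before uid, then verified) only for the daemon itself. All function names are hypothetical, and the "already running as the target" comparison is an assumed stand-in for the re-exec case.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

enum priv_action { PRIV_SKIP, PRIV_DROP };

/* Decide whether this invocation should switch to runuser/rungroup at all.
 * Hypothetical helper; is_remote is nonzero for a remote console (-r). */
enum priv_action plan_priv_drop(int is_remote, uid_t euid, gid_t egid,
                                uid_t want_uid, gid_t want_gid)
{
    if (is_remote)
        return PRIV_SKIP;  /* client only: the control socket's permissions gate access */
    if (euid == want_uid && egid == want_gid)
        return PRIV_SKIP;  /* already the target identity, e.g. after a re-exec (assumed check) */
    return PRIV_DROP;
}

/* Drop supplementary groups, then gid, then uid, and verify the result.
 * Returns 0 on success, -1 on any failure (the caller should then exit). */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)   /* gid first: after setuid() we could no longer change it */
        return -1;
    if (setuid(uid) != 0)   /* fails with EPERM for a non-root caller, as reported here */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Startup path: 0 if no drop was needed or the drop succeeded, -1 otherwise. */
int apply_run_as(int is_remote, uid_t want_uid, gid_t want_gid)
{
    if (plan_priv_drop(is_remote, geteuid(), getegid(), want_uid, want_gid) == PRIV_SKIP)
        return 0;
    return drop_privs(want_uid, want_gid);
}

int main(void)
{
    /* Constructed ids: a remote console never attempts the switch, so this returns 0. */
    return apply_run_as(1, (uid_t)5000, (gid_t)5000);
}
```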

By: Stuart Henderson (stuarth) 2007-08-31 17:36:39

Corydon76: yes, that works.

tzafrir: I like this approach, though you have set can_drop_privs=1 in lines 2563 and 2671 where you mean =0.

By: Tilghman Lesher (tilghman) 2007-09-04 11:41:01

Okay, let's change this up a bit more.

By: Tzafrir Cohen (tzafrir) 2007-09-04 13:20:18

The tests for the user and from the group option behave differently.

By: Digium Subversion (svnbot) 2007-10-17 10:04:32

Repository: asterisk
Revision: 86066

U   branches/1.4/main/asterisk.c

r86066 | tilghman | 2007-10-17 10:23:51 -0500 (Wed, 17 Oct 2007) | 3 lines

When runuser/rungroup is specified, a remote console could only be attained by root
(Closes issue ASTERISK-9700)


By: Digium Subversion (svnbot) 2007-10-17 10:18:55

Repository: asterisk
Revision: 86079

_U  trunk/
U   trunk/main/asterisk.c

r86079 | tilghman | 2007-10-17 10:18:54 -0500 (Wed, 17 Oct 2007) | 11 lines

Merged revisions 86066 via svnmerge from

r86066 | tilghman | 2007-10-17 10:23:51 -0500 (Wed, 17 Oct 2007) | 3 lines

When runuser/rungroup is specified, a remote console could only be attained by root
(Closes issue ASTERISK-9700)