Bug#500294: Should not put .asterisk_history in the root home directory

Russell Coker russell at coker.com.au
Sat Sep 27 07:17:39 UTC 2008


reopen 500294
thanks

On Saturday 27 September 2008 16:30, Mark Purcell <msp at debian.org> wrote:
> On Saturday 27 September 2008 10:10:23 Russell Coker wrote:
> > Granting a daemon access to the root home directory is a security
> > problem.
>
> Thanks for your report.
>
> The asterisk daemon isn't granted access to the root home directory.

If the SE Linux policy is to permit access to that file, then asterisk_t
needs unconfined_home_dir_t:dir search access as well as
unconfined_home_t:file rw_file_perms access.

> In fact when run correctly it runs as user asterisk and has no write access
> to the root directory.

Yet the daemon start script creates that file.  rm it, restart the daemon,
and observe.

gw:~# rm -f /root/.asterisk_history
gw:~# /etc/init.d/asterisk restart
Stopping Asterisk PBX: asterisk.
Starting Asterisk PBX: asterisk.
gw:~# ls -l /root/.asterisk_history
-rw------- 1 root root 13 2008-09-27 17:13 /root/.asterisk_history
gw:~#

> However if an admin starts asterisk as root and not via init.d/asterisk
> then there is potential that it will write files to the root directory.
> However Debian doesn't recommend this.
>
> If you start asterisk as root then you should run with the -U flag.

Whatever is necessary to make asterisk not create that file is apparently not
being done by the asterisk package in Lenny.

> Upstream run asterisk as root, Debian has run asterisk as user asterisk for
> years..
>
> > Also having random files created in the /root directory is an annoyance.
> > The correct place for .asterisk_history is under /var/lib/asterisk.
>
> We did actually discuss this with an earlier bug report of yours from 2004:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279052

I had forgotten about that one.

The issue still isn't fixed; which of the two bugs would you prefer to keep
open?
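The rm / restart / ls -l check shown above, generalised into a reusable shell function as an added example (not part of this bug report or of the asterisk package): it snapshots a directory, runs a command, and reports any files the command left behind. The demo uses a constructed stand-in for the start script so it runs offline.

```shell
# Added example, not from the bug report. Report files that a command
# (e.g. a daemon start script) creates under a home directory.
#
# Usage: find_stray_files <dir> <command...>
# Prints one path per line for each entry that exists after the command
# ran but did not exist before it.
find_stray_files() {
    dir=$1; shift
    before=$(mktemp)
    after=$(mktemp)
    # Snapshot every entry, dotfiles included, before and after.
    find "$dir" -print | LC_ALL=C sort > "$before"
    "$@" >/dev/null 2>&1
    find "$dir" -print | LC_ALL=C sort > "$after"
    # comm -13: keep only lines unique to the "after" listing.
    LC_ALL=C comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Demo: a constructed stand-in for a start script that drops a history
# file into the invoking user's home directory. Returns the number of
# stray files found (1 here).
demo_stray_history() {
    home=$(mktemp -d)
    count=$(find_stray_files "$home" \
        sh -c "echo 'core show channels' > '$home/.asterisk_history'" | wc -l | tr -d ' ')
    rm -rf "$home"
    echo "$count"
}
```

Run it against the real home directory as `find_stray_files /root /etc/init.d/asterisk restart` to reproduce the observation above.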
