Bug#500294: Should not put .asterisk_history in the root home directory

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat Sep 27 09:21:22 UTC 2008


On Sat, Sep 27, 2008 at 10:10:23AM +1000, Russell Coker wrote:
> Package: asterisk
> Version: 1:1.4.21.2~dfsg-1+b1
> Severity: normal
> 
> Granting a daemon access to the root home directory is a security
> problem.
> 
> Also having random files created in the /root directory is an annoyance.
> The correct place for .asterisk_history is under /var/lib/asterisk.

Just to clarify: this happens if you run 'asterisk' directly as root.
This saves a history of the commands in the asterisk command-line
interface. History initialization is only done after the asterisk
process has potentially setuid.

The default of the package (which is what happens when you use the
init.d script) is to run asterisk as the user 'asterisk'. Hence the
asterisk daemon does not open /root/.asterisk_history in our setup.

Running the asterisk daemon as root is a security risk for other,
unrelated, reasons.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
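
A check for the condition discussed in this message, as an added example that is not part of the original e-mail or of the Debian package: it flags asterisk processes owned by root and a leftover `.asterisk_history` in root's home directory. The function names and the sample process listings are constructed for illustration; the input format assumed is that of `ps -e -o user= -o comm=`.

```shell
#!/bin/sh
# Added example (not from the asterisk package): audit for the two signs
# that asterisk was run directly as root, as described in the message.

# root_asterisk_count: reads "USER COMMAND" lines on stdin (the format of
# `ps -e -o user= -o comm=`) and prints the number of asterisk processes
# owned by root.
root_asterisk_count() {
    awk '$1 == "root" && $2 == "asterisk" { n++ } END { print n + 0 }'
}

# history_in_dir DIR: succeeds if DIR/.asterisk_history exists.
history_in_dir() {
    [ -e "$1/.asterisk_history" ]
}

# audit PS_OUTPUT ROOT_HOME: prints findings; returns 0 when clean, 1 otherwise.
audit() {
    status=0
    n=$(printf '%s\n' "$1" | root_asterisk_count)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n asterisk process(es) running as root"
        status=1
    fi
    if history_in_dir "$2"; then
        echo "FINDING: $2/.asterisk_history exists (the CLI was started as root)"
        status=1
    fi
    return $status
}

# Constructed sample listings: the packaged default, and asterisk run as root.
SAMPLE_OK='asterisk asterisk
root sshd'
SAMPLE_BAD='root asterisk
root sshd'

# Live use on a host: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit "$(ps -e -o user= -o comm=)" /root
fi
```

A history file can remain in /root after the root-owned process has exited, so the two findings are reported independently.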





More information about the Pkg-voip-maintainers mailing list