Bug#500294: Should not put .asterisk_history in the root home directory
Ondřej Surý
ondrej at sury.org
Sat Sep 27 11:43:47 UTC 2008
2008/9/27 Tzafrir Cohen <tzafrir.cohen at xorcom.com>:
> On Sat, Sep 27, 2008 at 10:10:23AM +1000, Russell Coker wrote:
>> Package: asterisk
>> Version: 1:1.4.21.2~dfsg-1+b1
>> Severity: normal
>>
>> Granting a daemon access to the root home directory is a security
>> problem.
>>
>> Also having random files created in the /root directory is an annoyance.
>> The correct place for .asterisk_history is under /var/lib/asterisk.
>
> Just to clarify: this happens if you run 'asterisk' directly as root.
> This saves a history of the commands in the asterisk command-line
> interface. History initialization is only done after the asterisk
> process has potentially setuid.
>
> The default of the package (which is what happens when you use the
> init.d script) is to run asterisk as the user 'asterisk'. Hence the
> asterisk daemon does not open /root/.asterisk_history in our setup.
Sadly this not entirely true. It's the stop action of init.d script
which creates .asterisk_history.
# ls -ld /root/.asterisk_history && rm -f /root/.asterisk_history &&
/etc/init.d/asterisk stop && ls -ld /root/.asterisk_history && rm -f
/root/.asterisk_history && /etc/init.d/asterisk start && ls -ld
/root/.asterisk_history
-rw------- 1 root root 13 2008-09-27 13:42 /root/.asterisk_history
Stopping Asterisk PBX: asterisk.
-rw------- 1 root root 13 2008-09-27 13:43 /root/.asterisk_history
Starting Asterisk PBX: asterisk.
ls: /root/.asterisk_history: No such file or directory
Ondrej.
--
Ondřej Surý <ondrej at sury.org>
More information about the Pkg-voip-maintainers
mailing list