Bug#1004080: asterisk: Configuration files owned by asterisk user
Drexl Johannes
johannes.drexl at nfon.com
Thu Jan 20 14:41:40 GMT 2022
Package: asterisk
Version: 1:16.16.1~dfsg-1+deb11u1
Severity: normal
Tags: security
X-Debbugs-Cc: johannes.drexl at nfon.com, Debian Security Team <team at security.debian.org>

I'm not entirely sure this poses a threat, but as I understand it, general
security directives state not to give the executing user of a service
write access to its config files and binaries. Yet after installing the
package, the whole config directory as well as all included files are
owned by the asterisk user and group and are in mode 0640 (which I
suppose is a good decision for some files at least, talking about not being
world-readable).

So, to improve security, this probably has to be changed to root:asterisk
with mode 0640 (where necessary), or am I getting stuff wrong here?

-- System Information:
Debian Release: 11.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages asterisk depends on:
ii adduser 3.118
ii asterisk-config 1:16.16.1~dfsg-1+deb11u1
ii asterisk-core-sounds-en 1.6.1-1
ii asterisk-modules 1:16.16.1~dfsg-1+deb11u1
ii libc6 2.31-13+deb11u2
ii libcap2 1:2.44-1
ii libcrypt1 1:4.4.18-4
ii libedit2 3.1-20191231-2+b1
ii libjansson4 2.13.1-1.1
ii libpopt0 1.18-2
ii libsqlite3-0 3.34.1-3
ii libssl1.1 1.1.1k-1+deb11u1
ii libsystemd0 247.3-6
ii liburiparser1 0.9.4+dfsg-1
ii libuuid1 2.36.1-8
ii libxml2 2.9.10+dfsg-6.7
ii libxslt1.1 1.1.34-4
ii lsb-base 11.1.0
Versions of packages asterisk recommends:
ii asterisk-moh-opsound-gsm 2.03-1.1
ii asterisk-voicemail [asterisk-voicemail-storage] 1:16.16.1~dfsg-1+deb11u1
ii sox 14.4.2+git20190427-2
Versions of packages asterisk suggests:
pn asterisk-dahdi <none>
pn asterisk-dev <none>
pn asterisk-doc <none>
pn asterisk-ooh323 <none>
pn asterisk-opus <none>
pn asterisk-vpb <none>
-- no debconf information
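
One way to check a configuration tree for the condition this report describes, as an added example that is not part of the original report or of the asterisk package. It assumes GNU stat, and the path /etc/asterisk in the usage comment is an assumed location for the config directory.

```shell
#!/bin/sh
# Added example, not part of the asterisk package or the original report.
# audit_conf_dir DIR SVC_USER SVC_GROUP
#   Prints one line per file or directory under DIR that the service
#   account could modify: "<reason> <owner>:<group> <mode> <path>".
#   Uses GNU stat (coreutils); file names containing newlines are not handled.
audit_conf_dir() {
    find "$1" -xdev \( -type f -o -type d \) -exec stat -c '%U %G %a %n' {} + |
    while read -r owner group mode path; do
        perm=$((0$mode))            # stat prints octal, e.g. 640 or 2750
        if [ "$owner" = "$2" ]; then
            # The owner can always chmod the file, so the mode bits do not matter.
            reason=owned-by-service-user
        elif [ "$group" = "$3" ] && [ $((perm & 020)) -ne 0 ]; then
            reason=group-writable
        elif [ $((perm & 002)) -ne 0 ]; then
            reason=world-writable
        else
            continue                # e.g. root:asterisk 0640, as the report proposes
        fi
        printf '%s %s:%s %s %s\n' "$reason" "$owner" "$group" "$mode" "$path"
    done
}

# Stand-alone use (assumed path and account names):
#   sh audit.sh /etc/asterisk asterisk asterisk
if [ "$#" -eq 3 ]; then
    audit_conf_dir "$@"
fi
```

An empty result means the service account can read the files through its group but cannot change them, which is the root:asterisk 0640 layout proposed in the report.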