I have an AGI script, that sends a mail for each call listing its details.
It works fine, but now I want to encrypt those mails with gpg to secure the private data.
The problem is, that the asterisk user has no keyring, so it doesn’t work.
My first idea was to create a keyring for the asterisk user but that user has no home directory
and no login shell, but /bin/false instaed.
Is it secure to change those defaults?
Is it possible and safe to run AGI scripts as another user?
What is the proper and secure way to do that?
Thank you for taking the time!
What is the threat profile? If you don’t know that, you can’t be sure that you even need to run asterisk non-root (which can cause difficulties in itself).
Removing security measures will reduce security, but only if the threats are ones affected by the change.
gpg seems to allow the specification of an explicit keyring location.
Thanks for your reply.
As I understand your answer it is at least no big harm to security to enable login for
the asterisk user.
I solved it as follows:
I changed the login shell in /etc/passwd to /bin/bash and set a known password with ‘sudo passwd asterisk’.
Then I logged in as user astrerisk, imported and signed the necessary keys to the keyring of that user.
Afterwards I deactivated the login again by setting the login shell to /bin/false.
I made a false statement in my initial post, sorry:
The asterisk user actually has a home directory, which is /var/lib/asterisk.
That is the default of the Ubuntu package, I guess.
The gpg keyring was created in that directory.
Now it works.
After all I had to activate login only for a short time, so I think security is alright.
Sorry for my noob question, and thanks again for the hint.