AsteriskNow - Add Additional Linux User Account


#1

Does anyone know how to configure AsteriskNow with another Linux user account? I would like to avoid giving out the root account for system administration. I tried adding a new user and I am getting several permission errors when I SSH into the Linux server. Are there any special groups that the user account must be in to have an account on the server? I need to know that I can support another user account for SSH access.

AsteriskNow Version 13.15.0

Thanks.


#2

This is a Linux question.


#3

Not at all. This is an application security question. I’m requesting information about the security requirements for creating a new user account for the application. Linux doesn’t dictate how applications implement their security requirements. Linux provides the security framework for implementing security. Can the application be run under an account other than ‘root’, and what security groups are implemented to support the application? Are there any specific groups that a new user account must belong to?

Thanks for your help.


#4

You can compile and install Asterisk to run as a non root user.

I don’t see this well documented in the official Wiki but it’s documented elsewhere online:

https://wiki.asterisk.org/wiki/display/AST/Running+Asterisk

http://www.asteriskdocs.org/en/2nd_Edition/asterisk-book-html-chunk/asterisk-CHP-13-SECT-4.html

https://www.voip-info.org/wiki/view/Asterisk+non-root

Note this is only for compiling and installing Asterisk from source, not for using it with a GUI based management package such as FreePBX.


#5

John,

Thank you for your response. I appreciate the help. I think the links that you shared pertain to installing the base Asterisk solution like you mentioned. I believe some of the security changes mentioned in those articles were already applied in the AsteriskNow virtual appliance solution in some manner.


#6

I confirmed that the AsteriskNow product is already running with the “asterisk” user. I tried creating a new SSH account for the system and I ran into a few issues.

I identified a file called motd.sh in the /etc/profile.d/ directory that is run upon an interactive shell login during an SSH session, but it doesn’t succeed when the user is a non-root user. Can this script run properly if the user is not a root user? It seems to fail with all kinds of file permission issues if I try to log on with an SSH session as a non-root user. It looks like it’s always trying to run the fwconsole command for any account that I use for SSH.

Output:
Whoops\Exception\ErrorException: chown(): Operation not permitted in file /var/www/html/admin/modules/cxpanel/functions.inc.php on line 45
Stack trace:

  1. Whoops\Exception\ErrorException->() /var/www/html/admin/modules/cxpanel/functions.inc.php:45
  2. Whoops\Run->handleError() :0
  3. chown() /var/www/html/admin/modules/cxpanel/functions.inc.php:45
  4. require_once() /var/www/html/admin/bootstrap.php:382
  5. require_once() /etc/freepbx.conf:9
  6. include_once() /var/lib/asterisk/bin/fwconsole:12

#7

I understand the chown command can only be used by the owner unless you add the capability CAP_CHOWN. Is there an easier fix? It seems like we’re still being forced to run as the root user even with the “asterisk” user account.


#8

You have definitely confirmed that this is a Linux question.


#9

Not at all. It’s just bad application design. Like I said, Linux doesn’t design and implement the application security features. The motd.sh script in question was not provided by Linux. The application implementation did not take into account that other Linux accounts would be required for providing administration and maintenance. The motd.sh script is currently executed for all SSH sessions whether they are application related or not.

Thanks.


#10

Yup, definitively a Linux question. First of all, take a look where you are: PBX FORUM, so it is a PBX software using a Linux server like the hundreds of appliances out there (like KODI for Raspbian).

Quoting pseverini (post #9): “Not at all. It’s just bad application design.”

No it’s not. The design of the application is to only have one administrator account for the PBX. If you want to use a Linux server handling all other stuff and programs, then build it from scratch: install your Linux server, add on top of it your preferred distro, the software that you want, and the users that you want to connect with all the features needed.

Installing an out-of-the-box application is usually for users that do not need more features, users who will be happy with the system as is. If you are an advanced user with advanced needs, then again, build your own server. Installing Asterisk is not that hard, from sources or from repos.


#11

This is definitely not a Linux question. I am familiar with the cited application defect from having encountered it on the FreePBX distro.

This is an application issue created by developers that design on the flawed assumption that it is permissible to allow root ssh logins to production servers. Regardless of your position on that topic, which I will be the first to agree is a Linux question and need not be debated on a PBX forum, the reality is that disallowing root login over ssh is a well-established and widespread standard practice.

When an application fails to function correctly in such a standard server configuration, that is absolutely an application design issue, not a Linux issue.

Since it is only a minor annoyance that reflects poorly on the developers, but doesn’t actually break anything, I just ignore the bad program design and the resulting error message. If you su (or sudo -i) after login, the badly designed MOTD call will function correctly, and display the welcome message the way the developers anticipated.

@pseverini Based on the responses you have received so far, it sounds like you can either fix it yourself and submit a pull request, or just ignore it like I do.


#12

@LinkP Thank you for supporting my issue. I appreciate your help. I spoke with several Linux security experts this past week and they all agreed the current MOTD script implementation is not good practice.

Resolution:

I updated the poorly designed motd.sh script file to allow other Linux user accounts the ability to ssh into the system without the “fwconsole motd” errors which were due to the chown permission errors. This was an easy application fix. I hope the AsteriskNow team will consider updating the current MOTD script in a future release to prevent this issue.

Please note that I understand that this issue originated in the FreePBX application, but the vendor who owns and maintains the AsteriskNow software product is ultimately responsible for handling the application issue.
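The thread (posts #6 and #12) describes the failure mode but not the fixed script. The following is an added example of what a guarded /etc/profile.d/motd.sh can look like; it is not the AsteriskNow or FreePBX script and not the poster's own fix. It assumes the fwconsole path shown in the stack trace above, assumes (as the thread states) that the PBX runs as the “asterisk” account, and assumes that only root and that account can run “fwconsole motd” without the chown errors. Every other login gets a plain banner, so additional administrator accounts can SSH in without the errors, and root login over SSH can stay disabled.

```shell
#!/bin/sh
# Example replacement for /etc/profile.d/motd.sh (added illustration, not the
# AsteriskNow/FreePBX script). The original unconditionally ran "fwconsole motd",
# which the FreePBX bootstrap can only complete as root (chown fails otherwise).
# This version only calls fwconsole for accounts that can run it and prints a
# permission-free banner for everyone else.

# Path taken from the stack trace quoted earlier in the thread.
FWCONSOLE=/var/lib/asterisk/bin/fwconsole

# motd_should_run UID USERNAME
# Returns 0 (true) only for root or the "asterisk" service account.
# Assumption: those are the accounts that own the FreePBX files, so the
# chown() inside the bootstrap succeeds for them. Adjust if your install differs.
motd_should_run() {
    uid=$1
    name=$2
    [ "$uid" -eq 0 ] && return 0
    [ "$name" = "asterisk" ] && return 0
    return 1
}

# Produces the banner text for the current login without touching the PBX
# when the account is not allowed to, so ordinary admin logins never fail.
show_motd() {
    if motd_should_run "$(id -u)" "$(id -un)" && [ -x "$FWCONSOLE" ]; then
        # Privileged login: show the PBX dashboard. stderr is dropped so a
        # bootstrap hiccup cannot spam the login session.
        "$FWCONSOLE" motd 2>/dev/null
    else
        # Unprivileged login: static banner, no chown, no PBX bootstrap.
        printf 'Welcome to %s. Run "sudo -i" for the PBX console.\n' "$(hostname)"
    fi
}

# Only run for interactive shells, which is what /etc/profile.d is for.
case $- in
    *i*) show_motd ;;
esac
```

To install it, replace the contents of /etc/profile.d/motd.sh with the script, keep it owned by root and not writable by other users (mode 644), and verify from a non-root SSH session that the login shows the banner and no Whoops trace. The guard function takes the uid and name as arguments so it can be checked in a shell without root.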