Cannot register with TLS when running asterisk as a non-root user

Hello, when I run asterisk with this command “asterisk -U asterisk -G asterisk” it works when I register on UDP, but when I try to register on TLS it does not work (Service Unavailable error). When I run asterisk with the root user, everything works fine. Can anyone help? No logs are shown in the asterisk CLI or sngrep. I am using Asterisk 16.30.

P.S.
I am using chan_sip not pjsip.

Then register as root user

Using root to run asterisk is not recommended for security

If you are worried about security, don’t run a minor version that has known vulnerabilities, or a major version that will cease to have security fixes in less than three months from now.

Also don’t run a channel driver that is, effectively, unsupported.

Are you starting Asterisk as root and using -U and -G to drop privileges? If so, that could cause problems.

Are the logs showing a failure?

Does either the user or group have appropriate read and/or execute permissions on the relevant files and directories?

I’m not sure how many attacks actually rely on being able to do things as root, given that one would typically dedicate a machine (possibly virtual) to Asterisk; most attacks are toll fraud ones. Have you made sure that the Asterisk .conf files are NOT owned by asterisk, nor are the directories containing them, which is what you’d likely need to do to secure it against persistence in a code injection attack (e.g. buffer overrun)?

I think most suggestions of running non-root are based on a shallow, minimum privilege mantra, without actually fully considering attack methods.

Hi, thank you for your answer. What do you mean by “Have you made sure that the Asterisk .conf files are NOT owned by asterisk, nor are the directories containing them, which is what you’d likely need to do to secure it against persistence in a code injection attack (e.g. buffer overrun)”?

Could you please explain more?

The security is that asterisk only doesn’t have write access to the files/directories,
so if breached they can’t change any config files to make the hole bigger.

Like the security concept behind K8S, where the container only has 1 application installed:
no editor, compiler, package manager, or other applications.
You got in, but the house is empty.

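A way to check the permission state the replies above describe (the asterisk account can read sip.conf and the TLS key/certificate but cannot write them), added here as an example and not code from this thread or from the Asterisk project. It assumes GNU coreutils `stat`, considers only the account's primary group (supplementary groups and ACLs are ignored), and the paths under `--run` are assumed defaults to adjust to your install.

```sh
#!/bin/sh
# Added example: audit what the Asterisk service account may do with a file.
# Assumptions: GNU coreutils `stat`; only the account's primary group is
# considered (supplementary groups and ACLs are ignored), so "ok" is a first pass.

# perm_for FILE USER GROUP -> prints the rwx digit (0-7) that applies to
# USER/GROUP on FILE, taken from the owner/group/other part of the mode.
perm_for() {
    user=$2 group=$3
    out=$(stat -c '%U %G %a' "$1") || return 2
    set -- $out                          # owner, group, octal mode
    mode=$(printf '%03d' "$3")           # pad e.g. "40" to "040"
    mode=${mode#"${mode%???}"}           # keep last three digits (drops setuid/setgid/sticky)
    if [ "$1" = "$user" ]; then
        printf '%s\n' "${mode%??}"               # owner digit
    elif [ "$2" = "$group" ]; then
        d=${mode#?}; printf '%s\n' "${d%?}"      # group digit
    else
        printf '%s\n' "${mode#??}"               # other digit
    fi
}

# readable_not_writable FILE USER GROUP -> 0 when USER can read but not write
# FILE. That is the target state for sip.conf and the TLS key/certificate:
# Asterisk must be able to load them, but a compromised Asterisk process should
# not be able to persist changes into them.
readable_not_writable() {
    p=$(perm_for "$1" "$2" "$3") || return 2
    [ $((p & 4)) -ne 0 ] && [ $((p & 2)) -eq 0 ]
}

# Run with --run to audit the usual locations (assumed default paths; the TLS
# file name comes from your tlscertfile/tlsprivatekey settings).
if [ "${1:-}" = "--run" ]; then
    for f in /etc/asterisk/sip.conf /etc/asterisk/keys/asterisk.pem; do
        if readable_not_writable "$f" asterisk asterisk; then
            echo "ok     $f"
        else
            echo "CHECK  $f (permission digit for asterisk: $(perm_for "$f" asterisk asterisk))"
        fi
    done
fi
```

A "CHECK" on the key file with digit 0 matches the symptom in the opening post (TLS fails only under -U/-G); a digit of 6 or 7 on a config file is the write access the replies warn against.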
