Recommended ownership and permissions for /etc/asterisk?

Hi everyone,

I’m currently setting up Asterisk 22 on Ubuntu 24 and have a question regarding file ownership and permissions for /etc/asterisk.

From what I can see, the official documentation does not explicitly mention changing the ownership of this directory. However, I’ve come across discussions suggesting that Asterisk needs access to /etc/asterisk, which raised some questions for me.

I’d like to better understand the correct approach from a security perspective, especially following the principle of least privilege.

  • What is the recommended ownership and permission setup for /etc/asterisk?

  • Does Asterisk require write access to this directory, or is read-only access sufficient in most cases?

  • Would a setup like `chown -R root:asterisk /etc/asterisk & chmod -R 750 /etc/asterisk` be more appropriate than assigning full ownership to the asterisk user like `sudo chown -R asterisk:asterisk /etc/asterisk`?

My goal is to configure the system with the minimum required privileges while ensuring Asterisk functions properly.

I’d really appreciate any guidance or best practices from more experienced users.

Thanks in advance!

It depends. There are AMI functions that can write config files to that directory. They’re rarely used (and not by Asterisk itself) but if you do use them, the user asterisk runs as would need write access.

It also depends on who the user maintaining the configuration is obviously. :slight_smile:


That would be fine except you don’t want to make every file in /etc/asterisk executable. I’d do…

```
chown -R root:asterisk /etc/asterisk
chmod 750 /etc/asterisk
chmod -R 640 /etc/asterisk/*
```

If you’re new to Asterisk, the book Asterisk: The Definitive Guide, 5th Edition is a good read. Though it was released in 2019 and covers Asterisk version 16, a lot of it is still relevant to later versions of Asterisk. Chapter 3 has details about changing file permissions on a new Asterisk install.

The book helped me out a lot :slight_smile:


Debian sets Asterisk’s config files mode to 640 with ownership to asterisk:asterisk.


Hi there

I don’t like the idea of a daemon changing its own config files, so I always change it to root:asterisk.
Since Debian sets this to asterisk:asterisk at every update, I change it back to root:asterisk after every update.
Of course, this doesn’t work if your setup requires Asterisk to change its own config files. Mine doesn’t need this and it does make things safer.

Regards,
Rob


The short answer: `root:asterisk` ownership with `640` on files and `750` on the directory. Asterisk only needs to read config files, not write them.

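```
# Directory and everything in it: owner root, group asterisk
chown -R root:asterisk /etc/asterisk
# Group may list and enter the directory, others get nothing
chmod 750 /etc/asterisk
# Regular files: root read/write, group read only
find /etc/asterisk -type f -exec chmod 640 {} \;
```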

gjoseph nailed it — don’t make conf files executable, there’s no reason for it. `750` on the directory gives the asterisk group `r-x` (list and enter), `640` on files gives `r--` (read only).

The one exception: if you use `voicemail.conf` with `externpassnotify` or password changes through the phone, Asterisk needs write access to `voicemail.conf` specifically. In that case `660` on just that file.

For the other directories Asterisk actually writes to:

```
/var/lib/asterisk/    asterisk:asterisk  750  (astdb, sounds, keys)
/var/spool/asterisk/  asterisk:asterisk  750  (call files, voicemail, recordings)
/var/log/asterisk/    asterisk:asterisk  750  (CDR, debug logs)
/var/run/asterisk/    asterisk:asterisk  750  (PID file, control socket)
```

Asterisk needs to own these because it writes to them constantly — astdb updates, recording files, call file processing, logs.

Make sure `asterisk.conf` has:

```
[options]
runuser = asterisk
rungroup = asterisk
```

Asterisk doesn’t need root. It binds to ports above 1024 (5060, 5061, 8088, etc.) so there’s no reason to run as root unless you need to bind to a privileged port. Running as root means any vulnerability in SIP parsing or AGI gives full system access.

One gotcha on Debian/Ubuntu: package updates sometimes reset ownership back to `asterisk:asterisk` on `/etc/asterisk`. Worth checking after `apt upgrade`.
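
To catch the ownership reset after `apt upgrade` mentioned in the replies above, a small audit function can list whatever no longer matches the `root:asterisk` / `750` / `640` layout. This is an added example, not part of the original thread; the function name `audit_conf_perms` and its arguments are made up here.

```sh
#!/bin/sh
# Added example (not from the thread): list entries under a config directory
# that deviate from owner:group, directories 750, files 640.
# audit_conf_perms and its arguments are hypothetical names.
#
# usage: audit_conf_perms DIR OWNER GROUP [WRITABLE_FILE]
#   WRITABLE_FILE: one file name allowed to be 660, e.g. voicemail.conf
# returns 0 = clean, 1 = deviations printed, 2 = find failed (bad dir/user/group)
audit_conf_perms() {
    dir=${1:-/etc/asterisk}
    owner=${2:-root}
    group=${3:-asterisk}
    writable=${4:-}          # empty: no file may be group-writable

    findings=$(
        find "$dir" ! -user "$owner" -exec printf 'owner %s\n' {} \; &&
        find "$dir" ! -group "$group" -exec printf 'group %s\n' {} \; &&
        find "$dir" -type d ! -perm 750 -exec printf 'mode %s\n' {} \; &&
        find "$dir" -type f ! -perm 640 \
            ! \( -name "$writable" -perm 660 \) -exec printf 'mode %s\n' {} \;
    ) || return 2

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as root after an upgrade, for example `audit_conf_perms /etc/asterisk root asterisk voicemail.conf`; a non-zero exit status means the tree needs attention.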