[RESOLVED] Asterisk and its permissions

When asterisk is generating files (voicemail messages, to name one kind), it will apply read and write permission only to the user that asterisk is running as, and not to the group as well.

Let me clarify:

I run asterisk like so: “asterisk -U asterisk -G apache” so it will run with user-permissions of user ‘asterisk’ and group-permissions of group ‘apache’.

I do this because I want the voicemails to be accessible via a simple web-interface…

Now, everything goes well, but again, on asterisk self-generated files, it doesn’t work, because files written (in my case) will have something like this:

rw- --- --- asterisk apache msg_0001.wav

I can’t access this .wav-file because ‘apache’ does not have any permissions to it.

Can anyone help me to proceed?

  • I don’t see an asterisk setting where I can modify this so that the group is also given access
  • umask, but how?

Thanks!

I have checked out umask and come to the conclusion that it won’t help me.

Do I need to make adjustments in the asterisk source code?
If so, which .c file would be the best place to start for my problem?

There are tools available like ARI and some simple web voicemail interfaces that can be used to review/manage your voicemail. AAH does such a setup (includes both in its install) - it runs Apache as asterisk which might be part of why it works. If you need to have the permissions changed, I imagine the easiest ‘hack’ would be to run a cron job that wakes up periodically and adds the permissions needed - but I suspect there are other ways.

p

Thanks for the suggestion,

however, ARI is not an option for me, especially if it runs apache as asterisk user.

A cronjob would be a workable work-around, but not really usable in the long run (in this case, one can’t play the voicemail until the cronjob has fixed the permission).

yup, like I said a workaround. Otherwise, go into app_voicemail.c, dig up where it does the post voicemail follow-up (this is where it checks about emailing the voicemail, paging, etc.) Easy enough to plop in a patch there that did the permission change you are looking for and it should be obvious what the file is, etc.

p

ah! thanks!

app_voicemail.c ey? :wink:

thanks for pointing me into the right direction! :smiley:

Fress,

is the user ASTERISK a member of APACHE ?

Asterisk should create these files with the user he is running on and the PRIMARY! group he belongs to.

IIRC…

asterisk@home already has a web interface for doing this. i find it hard to believe you need to edit source code to do this… how about setting asterisk to email the messages to a special user which does allow what you want?

First, to answer a few questions:

  • No, I don’t use AAH. I applaud the software, but not my cup of tea
  • asterisk is running as follows: as user Asterisk and as group Apache (asterisk -U asterisk -G apache). And it still gives the .wav file only read and write permissions for the user, not group (the .txt file has read permission for all, so that file poses no problem for me).

I’ve searched the source-code a bit, starting with app_voicemail.c (pointed out to me by p_lindheimer).

However, I end up in app.c where the actual file is recorded (afaict). So, at the end of the function ast_play_and_record() I’m going to append a line similar to this:

chmod(recordfile, 0660); /* mode must be an octal literal: 0660 = rw-rw---- */

(to my delight, chmod seems to be a C Function as well ;p)

It’s been a while since I looked at the source, but was pretty sure in app_voicemail.c there is a section where it runs through checking options such as if you have asked to email the file, at which point you can see where it is packaging up the file into a mime email. So unless I’m mistaken, I would find that general location and then the appropriate place where you can change the permission. Maybe even add your own option that can be supplied, so that it doesn’t have to do it for everyone. I suggest this since it isn’t clear from your post if the recording code you mentioned in app.c isn’t used for other stuff as well where you might not want to do that (although I suspect there is probably no harm done). But by finding the place in app_voicemail.c, you’ll isolate it to this. (If it’s a different file, sorry then my mistake - do a grep on email or something through all the voice.c files and I’m sure you will quickly find it.)

p

I turned on verbose and debug levels on the CLI, and there I could see that app.c does the work.

  • app.c is considerably smaller to skim through than app_voicemail.c :wink:

I didn’t actually make any changes to the source just yet (will do that tomorrow), but if my further findings turn out to be accurate, that will solve my problem just fine.

:smiley:

well, I managed to make asterisk crash when depositing a voicemail :laughing:

anyhoo, I found a nicer way to do what I need:

the ‘externnotify’ parameter in voicemail.conf can be used to fix the permissions…

There were some patches made in the past, but are not up-to-date (IMHO)

lists.digium.com/pipermail/aster … 11845.html
lists.digium.com/pipermail/aster … 00953.html

bugs.digium.com/view.php?id=6334
bugs.digium.com/view.php?id=5929

Well, I think it CAN be defined as a bug.

When I run asterisk as follows: ‘asterisk -U asterisk -G apache’… it’s normal to expect asterisk will do everything to make all files readable to both user ‘asterisk’ AND group ‘apache’, since it doesn’t do that, I think you can consider it as a bug.

I’m not sure I would agree with that. Voicemails are supposed to be private so other than the user asterisk, if you made them readable by the group you might be exposing access to them. By keeping them readable only by the user, you can gate access through that user.

p

Your point is 100% valid,

but I do think there’s another valid way that says that it ‘could’ be considered as a bug.

I think I always said it was my opinion (in the form of an appropriate ‘IMHO’ :wink:)

Also, if you look at the links I put in my previous post, you can see that other people see it as a bug too.

Anyhoo, the solution is here (IMHO), so it’s up to you to make up your mind. Which you did (which I applaud :laughing: )

I didn’t look at the links so I can’t say at this point if my mind would be changed or not. Mine is also my opinion although I can’t say it is strong one way or another - since also IMHO I don’t think that the Asterisk box should be exposed to anyone else anyhow - meaning you can gate access other ways. (So maybe the posts would change my mind if I read them :smile:)

I spent ages on the problem in which voicemail messages had permissions I didn’t like and came across this thread once I started digging around in the voicemail.c code. What I discovered is that ~my_umask contains the umask that the asterisk process was started with (often 0644), and when joined with VOICEMAIL_FILE_MODE (0666) the result is the more restrictive mode (0644).

The solution is to modify /usr/bin/safe_asterisk, specifically the line #UMASK=022, uncomment it and change it to UMASK=000 or UMASK=011. This will result in ~my_umask having the value 0777 or 0766, which when merged with 0666 results in 0666 and thus all voicemail files will have permissions of -rw-rw-rw which is much more useful (particularly if you have some third party web based system for listening to and deleting voicemails).

I hope this helps someone so far down the track.

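The masking described in the post above, as an added C example that is not part of the thread or of the Asterisk source: it computes VOICEMAIL_FILE_MODE & ~umask and checks the result against a file actually created under each umask. The helper names and the scratch path under /tmp are assumptions made for the demonstration.

```c
/* Added example, not Asterisk code. Helper names and the /tmp path are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define VOICEMAIL_FILE_MODE 0666   /* value quoted in the post above */

/* Permission bits left after the process umask is applied to a requested mode. */
static int effective_mode(mode_t requested, mode_t mask)
{
    return (int)(requested & ~mask & 0777);
}

/* Create a scratch file under the given umask and return the permission
 * bits the kernel stored for it, or -1 on error. */
static int mode_under_umask(mode_t mask)
{
    char path[64];
    struct stat st;
    int result = -1;

    snprintf(path, sizeof(path), "/tmp/vm_umask_demo_%ld.wav", (long)getpid());
    mode_t old = umask(mask);                       /* switch to the mask under test */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, VOICEMAIL_FILE_MODE);
    umask(old);                                     /* restore the caller's mask */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    return result;
}

int main(void)
{
    const mode_t masks[] = { 077, 022, 007, 000 };
    for (size_t i = 0; i < sizeof(masks) / sizeof(masks[0]); i++)
        printf("umask %03o: computed %04o, on disk %04o\n",
               (unsigned)masks[i],
               (unsigned)effective_mode(VOICEMAIL_FILE_MODE, masks[i]),
               (unsigned)mode_under_umask(masks[i]));
    /* A mode written without the leading 0 is decimal, not octal. */
    printf("decimal 660 is octal %04o, not 0660\n", 660u);
    return 0;
}
```

Of the masks exercised, 007 is the one that yields rw-rw----: the process group can read the recordings while other local users still cannot.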