Noob question, but a good one. (It's actually Linux related!)

Jima jima at
Fri Apr 5 20:41:52 MDT 2013

  OK, how about:

- Apache user owns non-active copy of Asterisk config tree

- Upon config commit, apache user does rsync-over-ssh to 
asterisk at localhost, using an SSH key that's restricted on the server 
side to only run the other half of the rsync command (I'm doing this for 
some things, and can provide you with the exact authorized_keys line 
prefix if needed)

- Apache user tells asterisk to reload, either via restrictive sudo 
access or via another command-restricted SSH key

  That way the apache user doesn't have any special permissions, except 
to push the config tree and reload Asterisk.  (Additionally, you could 
limit the files pushed via config, and add sanity checks on the 
configuration before reloading.)  Furthermore, this model does actually 
support splitting out Apache and Asterisk to separate servers.

  Any thoughts? :-)


On 2013-04-05 19:47, S. Dale Morrey wrote:
> Yeah that's not going to happen.  This is a public, customer facing
> asterisk box for a use case that exists for the sole purpose of bypassing
> the incumbent telco's exchange to provide discount calling.  I'm
> essentially helping them to roll their own telco.
> Here in Ecuador you can have a connection of either, WiMax, Microwave (at
> least I'm told that's a microwave antenna on some of the houses), Cable,
> DSL, Satellite, 3G and coming soon local fiber.  There are a plethora of
> ISPs and options so internet access is dirt cheap.  This also means we
> can't lock the boxen down to any specific IP address or range.  We also
> can't place the box behind a NAT or a subnet.
> This particular webinterface is for folks to pay their phone bill on.
> Everyone needs to be able to connect to this box no matter where they're
> from.  So we implemented TLS & ZRTP to secure the connection and then
> fail2ban to blacklist IPs after n failed login attempts (currently n is 5,
> but that could change).
> Ideally I would have liked to have had a different design where there is an
> asterisk box, a billing box, a webserver and a DB server all on separate
> boxes.
> I was unable to make this configuration or anything like it work with
> A2Billing despite 4 solid 18 hour days trying.
> In fact it seems A2Billing insists on sitting on the asterisk box itself,
> although I was able to push the DB onto its own box and it seems happy
> with that.
> For that many hours I probably could have written my own stack, but part of
> the point was to enable the locals to run it once I'm gone.
> Nevertheless, I now have a webserver sitting on top of a SIP server.  As
> far as I can tell I am stuck with this configuration, and I need to lock
> this down as much as possible, while still providing relevant access to
> admins, resellers and individual customers.
> Thus the original question about who should be in whose group.  Thanks for
> the help guys!
> On Fri, Apr 5, 2013 at 8:17 PM, Steve Alligood <steve at> wrote:
>> Not a problem if you lock down apache to specific IPs :)
>> In fact, there are enough sip vulnerabilities from time to time that I put
>> the phones themselves on either a private network (or controlled public
>> network) or give them dyndns set ups and have a script auto update the
>> iptables rules to those DNS names.
>> -Steve
>> On Apr 5, 2013, at 7:02 PM, "S. Dale Morrey" <sdalemorrey at>
>> wrote:
>>> You know, that's a very good question that I've never explored.  Can
>> anyone
>>> chime in on that for me?  Also is there a security problem with letting
>>> Apache own the config files for Asterisk?
>>> On Fri, Apr 5, 2013 at 7:29 PM, Jima <jima at> wrote:
>>>> On 2013-04-05 18:06, S. Dale Morrey wrote:
>>>>> Hey Pluggers,
>>>>> I've got a quick best practices question for you.
>>>>> I have asterisk installed and running as the asterisk user and apache
>>>>> installed and running as the apache user.
>>>>> I've got a new web interface that needs to execute some scripts to
>> modify
>>>>> asterisk dialplans, tell asterisk to reload itself, etc.
>>>>> Would it be best to add asterisk to the apache group, apache to the
>>>>> asterisk group, both of the above or something else?
>>>>   Is there a reason Asterisk needs to be able to write to the tree?  As
>>>> long as it can read the configuration files, you don't really need to
>>>> muck around with group ownership.  Personally, I'd just grant the apache
>>>> user the ability to reload Asterisk via sudo, and let it own the
>> configs.
>>>>       Jima
>> /*
>> PLUG:, #utah on
>> Unsubscribe:
>> Don't fear the penguin.
>> */
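
A forced-command gate for the push key described at the top of this message, as an added example that is not part of the thread and is not Jima's own authorized_keys line. The install path, the /etc/asterisk/ destination and the key comment are assumptions, and the key material is a placeholder.

```shell
#!/bin/sh
# Assumed install path: /usr/local/bin/asterisk-push-gate
# Matching line in ~asterisk/.ssh/authorized_keys (one line, key elided):
#   command="/usr/local/bin/asterisk-push-gate",from="127.0.0.1",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER apache-push

DEST=/etc/asterisk/    # assumed live config tree

# allow_cmd "<command the client asked for>"
# Returns 0 only for the receiving half of an rsync push into $DEST.
allow_cmd() {
    case "$1" in
        # Empty request, or any character outside a small safe set
        # (rejects ; | & $ = quotes, globs, tabs and newlines).
        ''|*[!A-Za-z0-9\ ./_-]*) return 1 ;;
    esac
    set -f; set -- $1; set +f          # split into words without globbing
    [ "$#" -ge 4 ] && [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    while [ "$#" -gt 2 ]; do
        case "$1" in
            --delete) ;;               # the only long option accepted
            -[A-Za-z]*)                # short-option bundle, e.g. -logDtpre.iLsfxC
                case "${1#-}" in *[!A-Za-z.]*) return 1 ;; esac ;;
            *) return 1 ;;             # --sender, --log-file, stray paths
        esac
        shift
    done
    [ "$1" = . ] && [ "$2" = "$DEST" ] # source placeholder and fixed target
}

# Runs only when sshd invokes this script as the key's forced command.
# With no requested command (interactive login) nothing is executed.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND     # word-split on purpose; charset checked above
    fi
    logger -t asterisk-push-gate "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

rsync also ships an rrsync helper script that serves the same purpose with fuller option handling.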
