#1004080 asterisk: Configuration files owned by asterisk user

Package:
asterisk
Source:
asterisk
Description:
Open Source Private Branch Exchange (PBX)
Submitter:
Drexl Johannes
Date:
2022-01-24 16:12:03 UTC
Severity:
normal
Tags:
#1004080#5
Date:
2022-01-20 14:41:40 UTC
From:
To:
I'm not entirely sure this poses a threat, but as I understand it, general
security directives state not to give the executing user of a service
write access to its config files and binaries. Yet after installing the
package the whole config directory as well as all included files are
owned by asterisk user and group as well as in mode 0640 (which I
suppose is a good decision for some files at least, talking about not being
world-readable).

So, to improve security this probably has to be changed to root:asterisk
with mode 0640 (where necessary), or am I getting stuff wrong here?

#1004080#10
Date:
2022-01-20 15:17:21 UTC
From:
To:
Hi Drexl,

Quoting Drexl Johannes (2022-01-20 15:41:40)

That sounds sensible to me - superficially, I am unaware if some subtle
detail in Asterisk requires special handling here.

An obvious next step might be to try to make the suggested change and see
if it still seems to work the same.  Did you try that already, Drexl?
If not, can I ask you to try it?

Kind regards,

 - Jonas

#1004080#15
Date:
2022-01-24 15:44:19 UTC
From:
To:
On Thursday, 20.01.2022 at 16:17 +0100, Jonas Smedegaard wrote:

Hi Jonas,

Will do internally when I find the time for it, but at first
glance it seems only two files need to be private (app_mysql.conf and, I
think, extensions.conf), and probably none need to be written.
As said, will do. Thanks a lot in the meantime.

Kind regards,
Jo

#1004080#20
Date:
2022-01-24 16:09:47 UTC
From:
To:
Quoting Johannes Drexl (2022-01-24 16:44:19)

Sounds excellent - there is no hurry from my side :-)


 - Jonas
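
The check proposed in the first message, as an added example that is not part of the bug thread or the Debian package: it walks a configuration tree and reports every file or directory the service account could modify, so the effect of a switch to root:asterisk with mode 0640 can be verified. The path /etc/asterisk and the function names are assumptions; the account and group name asterisk come from the report.

```python
import os
import stat
from typing import List, Tuple


def findings(st_uid: int, st_gid: int, st_mode: int,
             svc_uid: int, svc_gid: int) -> List[str]:
    """Classify one inode's ownership and mode against a service account."""
    out = []
    perm = stat.S_IMODE(st_mode)
    if st_uid == svc_uid:
        # The owner can always chmod, so a missing write bit does not help.
        out.append("owned-by-service")
    elif st_gid == svc_gid and perm & stat.S_IWGRP:
        out.append("group-writable-by-service")
    if perm & stat.S_IWOTH:
        out.append("world-writable")
    if perm & stat.S_IROTH and not stat.S_ISDIR(st_mode):
        out.append("world-readable")
    return out


def audit(root: str, svc_uid: int, svc_gid: int) -> List[Tuple[str, List[str]]]:
    """Return (path, findings) for every entry under root that has findings.

    Directories are checked too: a directory writable by the service lets it
    replace files inside, even when those files are owned by root.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes carry no meaning on Linux
            found = findings(st.st_uid, st.st_gid, st.st_mode, svc_uid, svc_gid)
            if found:
                results.append((path, found))
    return sorted(results)


if __name__ == "__main__":
    import grp
    import pwd
    # Assumed defaults: account and group "asterisk", config in /etc/asterisk.
    uid = pwd.getpwnam("asterisk").pw_uid
    gid = grp.getgrnam("asterisk").gr_gid
    for path, found in audit("/etc/asterisk", uid, gid):
        print(f"{path}: {', '.join(found)}")
```

An empty report after the ownership change means the service can still read its configuration through the group bit but can no longer rewrite it.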