On Sat, Sep 27, 2008 at 10:10:23AM +1000, Russell Coker wrote:
> Package: asterisk
> Version: 1:1.4.21.2~dfsg-1+b1
> Severity: normal
>
> Granting a daemon access to the root home directory is a security
> problem.
>
> Also having random files created in the /root directory is an annoyance.
> The correct place for .asterisk_history is under /var/lib/asterisk.

Just to clarify: this happens if you run 'asterisk' directly as root. This saves a history of the commands in the asterisk command-line interface.

History initialization is only done after the asterisk process has potentially setuid.

The default of the package (which is what happens when you use the init.d script) is to run asterisk as the user 'asterisk'. Hence the asterisk daemon does not open /root/.asterisk_history in our setup.

Running the asterisk daemon as root is a security risk for other, unrelated, reasons.

-- 
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
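
A check that follows from the reply above, as an added example that is not part of the original message or of the Asterisk package: it reads the `Uid:` and `Gid:` lines of a Linux `/proc/<pid>/status` record and reports whether a process named `asterisk` still holds any root identity (real, effective, saved or filesystem). The function names, PIDs and numeric IDs are assumptions, and the status texts are constructed samples.

```python
# Added example. The status texts are constructed samples in the layout of
# /proc/<pid>/status on Linux; they are not taken from a real system.
ID_KINDS = ("real", "effective", "saved", "filesystem")

def parse_status(text):
    """Turn 'Key:<whitespace>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_asterisk(status_text):
    """Return None for other processes, else which UIDs/GIDs are still 0."""
    fields = parse_status(status_text)
    if fields.get("Name") != "asterisk":
        return None
    # Each line carries four values: real, effective, saved, filesystem.
    uids = [int(v) for v in fields["Uid"].split()]
    gids = [int(v) for v in fields["Gid"].split()]
    root_uids = [k for k, v in zip(ID_KINDS, uids) if v == 0]
    root_gids = [k for k, v in zip(ID_KINDS, gids) if v == 0]
    return {
        "pid": int(fields["Pid"]),
        "root_uids": root_uids,
        "root_gids": root_gids,
        # A leftover saved UID of 0 means root can still be regained.
        "fully_dropped": not root_uids and not root_gids,
    }

# Constructed samples: started as user 'asterisk', started directly as root,
# an incomplete privilege drop, and an unrelated process.
DROPPED = "Name:\tasterisk\nPid:\t2101\nUid:\t105\t105\t105\t105\nGid:\t108\t108\t108\t108\n"
AS_ROOT = "Name:\tasterisk\nPid:\t2202\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
PARTIAL = "Name:\tasterisk\nPid:\t2303\nUid:\t105\t105\t0\t105\nGid:\t108\t108\t108\t108\n"
OTHER = "Name:\tsshd\nPid:\t901\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"

if __name__ == "__main__":
    for sample in (DROPPED, AS_ROOT, PARTIAL, OTHER):
        print(audit_asterisk(sample))
```

On a live host the same function can be fed the contents of `/proc/<pid>/status` for each running process.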