kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-05 04:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Backport the ability to set the ToS bits on Linux when not running as root.

Browse Source 
Normally, we would not backport features into 1.4, but, I was convinced by the
justification supplied by the supplier of this patch.  He pointed out that this
patch removes a requirement for running as root, thus reducing the potential
impacts of security issues.

(closes issue #11742)
Reported by: paravoid
Patches:
      libcap.diff uploaded by paravoid (license 200)


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@98265 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Russell Bryant
2008-01-11 18:25:30 +00:00
parent 441b809159
commit 45f3890926
7 changed files with 503 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

466
configure vendored
View File

@@ -1,5 +1,5 @@
#! /bin/sh #! /bin/sh
# From configure.ac Revision: 94077 . # From configure.ac Revision: 97734 .
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for asterisk 1.4. # Generated by GNU Autoconf 2.61 for asterisk 1.4.
# #
@@ -726,6 +726,10 @@ CURL_LIB
CURL_INCLUDE CURL_INCLUDE
CURL_DIR CURL_DIR
PBX_CURL PBX_CURL
CAP_LIB
CAP_INCLUDE
CAP_DIR
PBX_CAP
CURSES_LIB CURSES_LIB
CURSES_INCLUDE CURSES_INCLUDE
CURSES_DIR CURSES_DIR
@@ -1503,6 +1507,7 @@ Optional Packages:
--with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-asound=PATH use Advanced Linux Sound Architecture files in PATH --with-asound=PATH use Advanced Linux Sound Architecture files in PATH
--with-curl=PATH use cURL files in PATH --with-curl=PATH use cURL files in PATH
--with-cap=PATH use POSIX 1.e capabilities files in PATH
--with-curses=PATH use curses files in PATH --with-curses=PATH use curses files in PATH
--with-gnutls=PATH use GNU TLS support (used for iksemel only) files in --with-gnutls=PATH use GNU TLS support (used for iksemel only) files in
PATH PATH
@@ -7792,6 +7797,34 @@ PBX_CURL=0
CAP_DESCRIP="POSIX 1.e capabilities"
CAP_OPTION="cap"
# Check whether --with-cap was given.
if test "${with_cap+set}" = set; then
withval=$with_cap;
case ${withval} in
n|no)
USE_CAP=no
;;
y|ye|yes)
CAP_MANDATORY="yes"
;;
*)
CAP_DIR="${withval}"
CAP_MANDATORY="yes"
;;
esac
fi
PBX_CAP=0
CURSES_DESCRIP="curses" CURSES_DESCRIP="curses"
CURSES_OPTION="curses" CURSES_OPTION="curses"
@@ -17203,6 +17236,417 @@ echo "$as_me: *** without explicitly specifying --with-${CURSES_OPTION}" >&6;}
fi fi
if test "x${host_os}" = "xlinux-gnu" ; then
if test "${USE_CAP}" != "no"; then
pbxlibdir=""
if test "x${CAP_DIR}" != "x"; then
if test -d ${CAP_DIR}/lib; then
pbxlibdir="-L${CAP_DIR}/lib"
else
pbxlibdir="-L${CAP_DIR}"
fi
fi
{ echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5
echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; }
if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lcap ${pbxlibdir} $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char cap_from_text ();
int
main ()
{
return cap_from_text ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
ac_cv_lib_cap_cap_from_text=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_lib_cap_cap_from_text=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5
echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; }
if test $ac_cv_lib_cap_cap_from_text = yes; then
AST_CAP_FOUND=yes
else
AST_CAP_FOUND=no
fi
if test "${AST_CAP_FOUND}" = "yes"; then
CAP_LIB="-lcap "
CAP_HEADER_FOUND="1"
if test "x${CAP_DIR}" != "x"; then
CAP_LIB="${pbxlibdir} ${CAP_LIB}"
CAP_INCLUDE="-I${CAP_DIR}/include"
saved_cppflags="${CPPFLAGS}"
CPPFLAGS="${CPPFLAGS} -I${CAP_DIR}/include"
if test "xsys/capability.h" != "x" ; then
as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh`
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
ac_res=`eval echo '${'$as_ac_Header'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
else
# Is the header compilable?
{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5
echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <${CAP_DIR}/include/sys/capability.h>
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5
echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <${CAP_DIR}/include/sys/capability.h>
_ACEOF
if { (ac_try="$ac_cpp conftest.$ac_ext"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null && {
test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
test ! -s conftest.err
}; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;}
( cat <<\_ASBOX
## ------------------------------- ##
## Report this to www.asterisk.org ##
## ------------------------------- ##
_ASBOX
) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
ac_res=`eval echo '${'$as_ac_Header'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
CAP_HEADER_FOUND=1
else
CAP_HEADER_FOUND=0
fi
fi
CPPFLAGS="${saved_cppflags}"
else
if test "xsys/capability.h" != "x" ; then
if test "${ac_cv_header_sys_capability_h+set}" = set; then
{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
if test "${ac_cv_header_sys_capability_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
else
# Is the header compilable?
{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <sys/capability.h>
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } && {
test -z "$ac_c_werror_flag" ||
test ! -s conftest.err
} && test -s conftest.$ac_objext; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <sys/capability.h>
_ACEOF
if { (ac_try="$ac_cpp conftest.$ac_ext"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null && {
test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
test ! -s conftest.err
}; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
( cat <<\_ASBOX
## ------------------------------- ##
## Report this to www.asterisk.org ##
## ------------------------------- ##
_ASBOX
) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
if test "${ac_cv_header_sys_capability_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_cv_header_sys_capability_h=$ac_header_preproc
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
fi
if test $ac_cv_header_sys_capability_h = yes; then
CAP_HEADER_FOUND=1
else
CAP_HEADER_FOUND=0
fi
fi
fi
if test "x${CAP_HEADER_FOUND}" = "x0" ; then
if test -n "${CAP_MANDATORY}" ;
then
{ echo "$as_me:$LINENO: ***" >&5
echo "$as_me: ***" >&6;}
{ echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5
echo "$as_me: *** It appears that you do not have the cap development package installed." >&6;}
{ echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&5
echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&6;}
{ echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
exit 1
fi
CAP_LIB=""
CAP_INCLUDE=""
PBX_CAP=0
else
PBX_CAP=1
cat >>confdefs.h <<_ACEOF
#define HAVE_CAP 1
_ACEOF
fi
elif test -n "${CAP_MANDATORY}";
then
{ echo "$as_me:$LINENO: ***" >&5
echo "$as_me: ***" >&6;}
{ echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5
echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;}
{ echo "$as_me:$LINENO: *** Either correct the installation, or run configure" >&5
echo "$as_me: *** Either correct the installation, or run configure" >&6;}
{ echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
exit 1
fi
fi
fi
GSM_INTERNAL="yes" GSM_INTERNAL="yes"
GSM_SYSTEM="yes" GSM_SYSTEM="yes"
@@ -34024,6 +34468,10 @@ CURL_LIB!$CURL_LIB$ac_delim
CURL_INCLUDE!$CURL_INCLUDE$ac_delim CURL_INCLUDE!$CURL_INCLUDE$ac_delim
CURL_DIR!$CURL_DIR$ac_delim CURL_DIR!$CURL_DIR$ac_delim
PBX_CURL!$PBX_CURL$ac_delim PBX_CURL!$PBX_CURL$ac_delim
CAP_LIB!$CAP_LIB$ac_delim
CAP_INCLUDE!$CAP_INCLUDE$ac_delim
CAP_DIR!$CAP_DIR$ac_delim
PBX_CAP!$PBX_CAP$ac_delim
CURSES_LIB!$CURSES_LIB$ac_delim CURSES_LIB!$CURSES_LIB$ac_delim
CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim
CURSES_DIR!$CURSES_DIR$ac_delim CURSES_DIR!$CURSES_DIR$ac_delim
@@ -34108,10 +34556,6 @@ PWLIB_LIB!$PWLIB_LIB$ac_delim
PWLIB_INCLUDE!$PWLIB_INCLUDE$ac_delim PWLIB_INCLUDE!$PWLIB_INCLUDE$ac_delim
PWLIB_DIR!$PWLIB_DIR$ac_delim PWLIB_DIR!$PWLIB_DIR$ac_delim
PBX_PWLIB!$PBX_PWLIB$ac_delim PBX_PWLIB!$PBX_PWLIB$ac_delim
OPENH323_LIB!$OPENH323_LIB$ac_delim
OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim
OPENH323_DIR!$OPENH323_DIR$ac_delim
PBX_OPENH323!$PBX_OPENH323$ac_delim
_ACEOF _ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -34153,6 +34597,10 @@ _ACEOF
ac_delim='%!_!# ' ac_delim='%!_!# '
for ac_last_try in false false false false false :; do for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF cat >conf$$subs.sed <<_ACEOF
OPENH323_LIB!$OPENH323_LIB$ac_delim
OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim
OPENH323_DIR!$OPENH323_DIR$ac_delim
PBX_OPENH323!$PBX_OPENH323$ac_delim
RADIUS_LIB!$RADIUS_LIB$ac_delim RADIUS_LIB!$RADIUS_LIB$ac_delim
RADIUS_INCLUDE!$RADIUS_INCLUDE$ac_delim RADIUS_INCLUDE!$RADIUS_INCLUDE$ac_delim
RADIUS_DIR!$RADIUS_DIR$ac_delim RADIUS_DIR!$RADIUS_DIR$ac_delim
@@ -34247,7 +34695,7 @@ CURL_CONFIG!$CURL_CONFIG$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF _ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 92; then if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 96; then
break break
elif $ac_last_try; then elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -34266,7 +34714,7 @@ fi
cat >>$CONFIG_STATUS <<_ACEOF cat >>$CONFIG_STATUS <<_ACEOF
cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
_ACEOF _ACEOF
sed ' sed '
s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
@@ -34279,8 +34727,6 @@ N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
' >>$CONFIG_STATUS <conf$$subs.sed ' >>$CONFIG_STATUS <conf$$subs.sed
rm -f conf$$subs.sed rm -f conf$$subs.sed
cat >>$CONFIG_STATUS <<_ACEOF cat >>$CONFIG_STATUS <<_ACEOF
:end
s/|#_!!_#|//g
CEOF$ac_eof CEOF$ac_eof
_ACEOF _ACEOF
@@ -34528,7 +34974,7 @@ s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
s&@INSTALL@&$ac_INSTALL&;t t s&@INSTALL@&$ac_INSTALL&;t t
$ac_datarootdir_hack $ac_datarootdir_hack
" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out " $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" | sed 's/|#_!!_#|//g' >$tmp/out
test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
{ ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&

5
configure.ac
View File

@@ -174,6 +174,7 @@ AC_SUBST(AST_DEVMODE)
AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound]) AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound])
AST_EXT_LIB_SETUP([CURL], [cURL], [curl]) AST_EXT_LIB_SETUP([CURL], [cURL], [curl])
AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap])
AST_EXT_LIB_SETUP([CURSES], [curses], [curses]) AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls]) AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls])
AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal']) AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal'])
@@ -398,6 +399,10 @@ AST_EXT_LIB_CHECK([ALSA], [asound], [snd_spcm_init], [alsa/asoundlib.h], [-lm -l
AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h]) AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h])
if test "x${host_os}" = "xlinux-gnu" ; then
AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h])
fi
GSM_INTERNAL="yes" GSM_INTERNAL="yes"
AC_SUBST(GSM_INTERNAL) AC_SUBST(GSM_INTERNAL)
GSM_SYSTEM="yes" GSM_SYSTEM="yes"

7
doc/security.txt
View File

@@ -28,6 +28,13 @@ The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk. support encryption in this version of Asterisk.
By default, if you have libcap available, Asterisk will try to retain the
CAP_NET_ADMIN capability when running as a non-root user. If you do not need
that capability you may want to configure Asterisk with --without-cap; however,
this will prevent Asterisk from being able to mark high ToS bits under Linux.
More information on CAP_NET_ADMIN is available at:
http://www.lids.org/lids-howto/node48.html
* DIALPLAN SECURITY * DIALPLAN SECURITY
First and foremost remember this: First and foremost remember this:

3
include/asterisk/autoconfig.h.in
View File

@@ -62,6 +62,9 @@
/* Define to 1 if you have the `bzero' function. */ /* Define to 1 if you have the `bzero' function. */
#undef HAVE_BZERO #undef HAVE_BZERO
/* Define to indicate the ${CAP_DESCRIP} library */
#undef HAVE_CAP
/* Define to 1 if your system has a working `chown' function. */ /* Define to 1 if your system has a working `chown' function. */
#undef HAVE_CHOWN #undef HAVE_CHOWN

3
main/Makefile
View File

@@ -55,6 +55,9 @@ ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc ),)
ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),) ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
AST_LIBS+=-ldl AST_LIBS+=-ldl
endif endif
ifneq (x$(CAP_LIB),x)
AST_LIBS+=$(CAP_LIB)
endif
AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv
else else
AST_LIBS+=$(EDITLINE_LIB) -lm AST_LIBS+=$(EDITLINE_LIB) -lm

31
main/asterisk.c
View File

@@ -82,13 +82,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include <sys/stat.h> #include <sys/stat.h>
#ifdef linux #ifdef linux
#include <sys/prctl.h> #include <sys/prctl.h>
#endif #ifdef HAVE_CAP
#include <sys/capability.h>
#endif /* HAVE_CAP */
#endif /* linux */
#include <regex.h> #include <regex.h>
#ifdef linux
#include <sys/prctl.h>
#endif
#if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS) #if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS)
#include <netdb.h> #include <netdb.h>
#if defined(SOLARIS) #if defined(SOLARIS)
@@ -2734,12 +2733,21 @@ int main(int argc, char *argv[])
} }
if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) { if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) {
#ifdef HAVE_CAP
int has_cap = 1;
#endif /* HAVE_CAP */
struct passwd *pw; struct passwd *pw;
pw = getpwnam(runuser); pw = getpwnam(runuser);
if (!pw) { if (!pw) {
ast_log(LOG_WARNING, "No such user '%s'!\n", runuser); ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
exit(1); exit(1);
} }
#ifdef HAVE_CAP
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
ast_log(LOG_WARNING, "Unable to keep capabilities.\n");
has_cap = 0;
}
#endif /* HAVE_CAP */
if (!isroot && pw->pw_uid != geteuid()) { if (!isroot && pw->pw_uid != geteuid()) {
ast_log(LOG_ERROR, "Asterisk started as nonroot, but runuser '%s' requested.\n", runuser); ast_log(LOG_ERROR, "Asterisk started as nonroot, but runuser '%s' requested.\n", runuser);
exit(1); exit(1);
@@ -2760,6 +2768,19 @@ int main(int argc, char *argv[])
} }
if (option_verbose) if (option_verbose)
ast_verbose("Running as user '%s'\n", runuser); ast_verbose("Running as user '%s'\n", runuser);
#ifdef HAVE_CAP
if (has_cap) {
cap_t cap;
cap = cap_from_text("cap_net_admin=ep");
if (cap_set_proc(cap))
ast_log(LOG_WARNING, "Unable to install capabilities.\n");
if (cap_free(cap))
ast_log(LOG_WARNING, "Unable to drop capabilities.\n");
}
#endif /* HAVE_CAP */
} }
#endif /* __CYGWIN__ */ #endif /* __CYGWIN__ */

3
makeopts.in
View File

@@ -175,6 +175,9 @@ MISDN_LIB=@MISDN_LIB@
SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@ SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@
SUPPSERV_LIB=@SUPPSERV_LIB@ SUPPSERV_LIB=@SUPPSERV_LIB@
CAP_LIB=@CAP_LIB@
CAP_INCLUDE=@CAP_INCLUDE@
TERMCAP_INCLUDE=@TERMCAP_INCLUDE@ TERMCAP_INCLUDE=@TERMCAP_INCLUDE@
TERMCAP_LIB=@TERMCAP_LIB@ TERMCAP_LIB=@TERMCAP_LIB@
TERMCAP_DIR=@TERMCAP_DIR@ TERMCAP_DIR=@TERMCAP_DIR@