Merged revisions 172438 via svnmerge from

https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r172438 | tilghman | 2009-01-29 16:54:29 -0600 (Thu, 29 Jan 2009) | 9 lines Lose the CAP_NET_ADMIN at every fork, instead of at startup. Otherwise, if Asterisk runs as a non-root user and the administrator does a 'restart now', Asterisk loses the ability to set QOS on packets. (closes issue #14004) Reported by: nemo Patches: 20090105__bug14004.diff.txt uploaded by Corydon76 (license 14) Tested by: Corydon76 ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@172441 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-09-03 11:25:35 +00:00 · 2009-01-29 23:15:40 +00:00
parent 3b08de23df
commit 80f91f6ab7
5 changed files with 42 additions and 10 deletions
--- a/main/app.c
+++ b/main/app.c
@@ -36,6 +36,9 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 #include <sys/time.h>       /* for getrlimit(2) */
 #include <sys/resource.h>   /* for getrlimit(2) */
 #include <stdlib.h>         /* for closefrom(3) */
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */

 #include "asterisk/paths.h"	/* use ast_config_AST_DATA_DIR */
 #include "asterisk/channel.h"
@@ -1883,6 +1886,14 @@ int ast_safe_fork(int stop_reaper)
 		return pid;
 	} else {
 		/* Child */
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif

 		/* Before we unblock our signals, return our trapped signals back to the defaults */
 		signal(SIGHUP, SIG_DFL);