
Add ability to set high ToS bits as non-root on Linux using libcap (issue #7047 reported by maddison)

git-svn-id: http://svn.digium.com/svn/asterisk/trunk@43830 f38db490-d61c-443f-a65b-d21fe96a405b
file 2006-09-27 21:48:01 +00:00
parent 8d39395066
commit c3414d6078
6 changed files with 547 additions and 12 deletions

510
configure vendored

@ -691,6 +691,9 @@ AST_DEVMODE
ALSA_LIB
ALSA_INCLUDE
PBX_ALSA
CAP_LIB
CAP_INCLUDE
PBX_CAP
CURSES_LIB
CURSES_INCLUDE
PBX_CURSES
@ -1425,6 +1428,7 @@ Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-asound=PATH use Advanced Linux Sound Architecture files in PATH
--with-cap=PATH use POSIX 1.e capabilities files in PATH
--with-curses=PATH use curses files in PATH
--with-gnutls=PATH use GNU TLS support (used for iksemel only) files in
PATH
@ -5391,6 +5395,33 @@ PBX_ALSA=0
CAP_DESCRIP="POSIX 1.e capabilities"
CAP_OPTION="cap"
# Check whether --with-cap was given.
if test "${with_cap+set}" = set; then
withval=$with_cap;
case ${withval} in
n|no)
USE_CAP=no
;;
y|ye|yes)
CAP_MANDATORY="yes"
;;
*)
CAP_DIR="${withval}"
CAP_MANDATORY="yes"
;;
esac
fi
PBX_CAP=0
CURSES_DESCRIP="curses"
CURSES_OPTION="curses"
@ -15975,6 +16006,468 @@ echo "$as_me: *** without explicitly specifying --with-${CURSES_OPTION}" >&6;}
fi
if test "x${host_os}" = "xlinux-gnu" ; then
if test "${USE_CAP}" != "no"; then
pbxlibdir=""
if test "x${CAP_DIR}" != "x"; then
if test -d ${CAP_DIR}/lib; then
pbxlibdir="-L${CAP_DIR}/lib"
else
pbxlibdir="-L${CAP_DIR}"
fi
fi
{ echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5
echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; }
if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lcap ${pbxlibdir} $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char cap_from_text ();
int
main ()
{
return cap_from_text ();
;
return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (ac_try="$ac_link"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_link") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } &&
{ ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; } &&
{ ac_try='test -s conftest$ac_exeext'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
ac_cv_lib_cap_cap_from_text=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_lib_cap_cap_from_text=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5
echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; }
if test $ac_cv_lib_cap_cap_from_text = yes; then
AST_CAP_FOUND=yes
else
AST_CAP_FOUND=no
fi
if test "${AST_CAP_FOUND}" = "yes"; then
CAP_LIB="-lcap "
CAP_HEADER_FOUND="1"
if test "x${CAP_DIR}" != "x"; then
CAP_LIB="${pbxlibdir} ${CAP_LIB}"
CAP_INCLUDE="-I${CAP_DIR}/include"
if test "xsys/capability.h" != "x" ; then
as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh`
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
ac_res=`eval echo '${'$as_ac_Header'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
else
# Is the header compilable?
{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5
echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <${CAP_DIR}/include/sys/capability.h>
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } &&
{ ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; } &&
{ ac_try='test -s conftest.$ac_objext'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5
echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <${CAP_DIR}/include/sys/capability.h>
_ACEOF
if { (ac_try="$ac_cpp conftest.$ac_ext"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null; then
if test -s conftest.err; then
ac_cpp_err=$ac_c_preproc_warn_flag
ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
else
ac_cpp_err=
fi
else
ac_cpp_err=yes
fi
if test -z "$ac_cpp_err"; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;}
;;
esac
{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
eval "$as_ac_Header=\$ac_header_preproc"
fi
ac_res=`eval echo '${'$as_ac_Header'}'`
{ echo "$as_me:$LINENO: result: $ac_res" >&5
echo "${ECHO_T}$ac_res" >&6; }
fi
if test `eval echo '${'$as_ac_Header'}'` = yes; then
CAP_HEADER_FOUND=1
else
CAP_HEADER_FOUND=0
fi
fi
else
if test "xsys/capability.h" != "x" ; then
if test "${ac_cv_header_sys_capability_h+set}" = set; then
{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
if test "${ac_cv_header_sys_capability_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
else
# Is the header compilable?
{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
$ac_includes_default
#include <sys/capability.h>
_ACEOF
rm -f conftest.$ac_objext
if { (ac_try="$ac_compile"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_compile") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } &&
{ ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; } &&
{ ac_try='test -s conftest.$ac_objext'
{ (case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_try") 2>&5
ac_status=$?
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); }; }; then
ac_header_compiler=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_compiler=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
echo "${ECHO_T}$ac_header_compiler" >&6; }
# Is the header present?
{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h. */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h. */
#include <sys/capability.h>
_ACEOF
if { (ac_try="$ac_cpp conftest.$ac_ext"
case "(($ac_try" in
*\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
*) ac_try_echo=$ac_try;;
esac
eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
(eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
ac_status=$?
grep -v '^ *+' conftest.er1 >conftest.err
rm -f conftest.er1
cat conftest.err >&5
echo "$as_me:$LINENO: \$? = $ac_status" >&5
(exit $ac_status); } >/dev/null; then
if test -s conftest.err; then
ac_cpp_err=$ac_c_preproc_warn_flag
ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
else
ac_cpp_err=
fi
else
ac_cpp_err=yes
fi
if test -z "$ac_cpp_err"; then
ac_header_preproc=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
ac_header_preproc=no
fi
rm -f conftest.err conftest.$ac_ext
{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
echo "${ECHO_T}$ac_header_preproc" >&6; }
# So? What about this header?
case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
yes:no: )
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
ac_header_preproc=yes
;;
no:yes:* )
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5
echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
{ echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
;;
esac
{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
if test "${ac_cv_header_sys_capability_h+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_cv_header_sys_capability_h=$ac_header_preproc
fi
{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
fi
if test $ac_cv_header_sys_capability_h = yes; then
CAP_HEADER_FOUND=1
else
CAP_HEADER_FOUND=0
fi
fi
fi
if test "x${CAP_HEADER_FOUND}" = "x0" ; then
if test ! -z "${CAP_MANDATORY}" ;
then
{ echo "$as_me:$LINENO: ***" >&5
echo "$as_me: ***" >&6;}
{ echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5
echo "$as_me: *** It appears that you do not have the cap development package installed." >&6;}
{ echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support" >&5
echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support" >&or re-run configure;}
{ echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
exit 1
fi
CAP_LIB=""
CAP_INCLUDE=""
PBX_CAP=0
else
PBX_CAP=1
cat >>confdefs.h <<_ACEOF
#define HAVE_CAP 1
_ACEOF
fi
elif test ! -z "${CAP_MANDATORY}";
then
{ echo "$as_me:$LINENO: ***" >&5
echo "$as_me: ***" >&6;}
{ echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5
echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;}
{ echo "$as_me:$LINENO: *** Either correct the installation" >&5
echo "$as_me: *** Either correct the installation" >&or run configure;}
{ echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
exit 1
fi
fi
fi
GSM_INTERNAL="yes"
GSM_SYSTEM="yes"
@ -31772,14 +32265,14 @@ AST_DEVMODE!$AST_DEVMODE$ac_delim
ALSA_LIB!$ALSA_LIB$ac_delim
ALSA_INCLUDE!$ALSA_INCLUDE$ac_delim
PBX_ALSA!$PBX_ALSA$ac_delim
CAP_LIB!$CAP_LIB$ac_delim
CAP_INCLUDE!$CAP_INCLUDE$ac_delim
PBX_CAP!$PBX_CAP$ac_delim
CURSES_LIB!$CURSES_LIB$ac_delim
CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim
PBX_CURSES!$PBX_CURSES$ac_delim
GNUTLS_LIB!$GNUTLS_LIB$ac_delim
GNUTLS_INCLUDE!$GNUTLS_INCLUDE$ac_delim
PBX_GNUTLS!$PBX_GNUTLS$ac_delim
GSM_LIB!$GSM_LIB$ac_delim
GSM_INCLUDE!$GSM_INCLUDE$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@ -31821,6 +32314,9 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
PBX_GNUTLS!$PBX_GNUTLS$ac_delim
GSM_LIB!$GSM_LIB$ac_delim
GSM_INCLUDE!$GSM_INCLUDE$ac_delim
PBX_GSM!$PBX_GSM$ac_delim
IKSEMEL_LIB!$IKSEMEL_LIB$ac_delim
IKSEMEL_INCLUDE!$IKSEMEL_INCLUDE$ac_delim
@ -31915,9 +32411,6 @@ PBX_VORBIS!$PBX_VORBIS$ac_delim
VPB_LIB!$VPB_LIB$ac_delim
VPB_INCLUDE!$VPB_INCLUDE$ac_delim
PBX_VPB!$PBX_VPB$ac_delim
ZLIB_LIB!$ZLIB_LIB$ac_delim
ZLIB_INCLUDE!$ZLIB_INCLUDE$ac_delim
PBX_ZLIB!$PBX_ZLIB$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@ -31959,6 +32452,9 @@ _ACEOF
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
ZLIB_LIB!$ZLIB_LIB$ac_delim
ZLIB_INCLUDE!$ZLIB_INCLUDE$ac_delim
PBX_ZLIB!$PBX_ZLIB$ac_delim
ZAPTEL_LIB!$ZAPTEL_LIB$ac_delim
ZAPTEL_INCLUDE!$ZAPTEL_INCLUDE$ac_delim
PBX_ZAPTEL!$PBX_ZAPTEL$ac_delim
@ -31998,7 +32494,7 @@ CURL_LIB!$CURL_LIB$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 37; then
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 40; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5


@ -175,6 +175,7 @@ AC_SUBST(AST_DEVMODE)
# by the --with option name, to make things easier for the users :-)
AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound])
AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap])
AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls])
AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal'])
@ -330,6 +331,10 @@ AST_EXT_LIB_CHECK([ALSA], [asound], [snd_spcm_init], [alsa/asoundlib.h], [-lm -l
AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h])
if test "x${host_os}" = "xlinux-gnu" ; then
AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h])
fi
GSM_INTERNAL="yes"
AC_SUBST(GSM_INTERNAL)
GSM_SYSTEM="yes"
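Review bot: The exact comparison `"x${host_os}" = "xlinux-gnu"` guarding the CAP check skips libcap detection on any other Linux host string (for example a `linux-gnueabi` or uClibc triplet), so those builds would lose the capability path without any configure message. The Makefile change in this same commit already treats `linux-gnu uclinux` as Linux, which suggests the two conditions should agree. A pattern match such as `case "${host_os}" in linux*) AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h]) ;; esac` would cover them. Whether those variants are supported targets cannot be told from this hunk.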


@ -28,6 +28,13 @@ The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.
By default, if you have libcap available, Asterisk will try to retain the
CAP_NET_ADMIN capability when running as a non-root user. If you do not need
that capability you may want to configure Asterisk with --without-cap; however,
this will prevent Asterisk from being able to mark high ToS bits under Linux.
More information on CAP_NET_ADMIN is available at:
http://www.lids.org/lids-howto/node48.html
* DIALPLAN SECURITY
First and foremost remember this:


@ -50,6 +50,9 @@ ifneq ($(findstring $(OSARCH), linux-gnu uclinux ),)
ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
AST_LIBS+=-ldl
endif
ifneq (x$(CAP_LIB),x)
AST_LIBS+=$(CAP_LIB)
endif
AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv
else
AST_LIBS+=$(EDITLINE_LIB) -lm


@ -80,13 +80,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include <sys/stat.h>
#ifdef linux
#include <sys/prctl.h>
#endif
#ifdef HAVE_CAP
#include <sys/capability.h>
#endif /* HAVE_CAP */
#endif /* linux */
#include <regex.h>
#ifdef linux
#include <sys/prctl.h>
#endif
#if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS)
#include <netdb.h>
#if defined(SOLARIS)
@ -2521,12 +2520,22 @@ int main(int argc, char *argv[])
}
if (!is_child_of_nonroot && runuser) {
#ifdef HAVE_CAP
cap_t cap;
int has_cap = 1;
#endif /* HAVE_CAP */
struct passwd *pw;
pw = getpwnam(runuser);
if (!pw) {
ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
exit(1);
}
#ifdef HAVE_CAP
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
ast_log(LOG_WARNING, "Unable to keep capabilities.\n");
has_cap = 0;
}
#endif /* HAVE_CAP */
if (!rungroup) {
if (setgid(pw->pw_gid)) {
ast_log(LOG_WARNING, "Unable to setgid to %d!\n", (int)pw->pw_gid);
@ -2544,6 +2553,18 @@ int main(int argc, char *argv[])
setenv("ASTERISK_ALREADY_NONROOT", "yes", 1);
if (option_verbose)
ast_verbose("Running as user '%s'\n", runuser);
#ifdef HAVE_CAP
if (has_cap) {
cap = cap_from_text("cap_net_admin=ep");
if (cap_set_proc(cap)) {
ast_log(LOG_WARNING, "Unable to install capabilities.\n");
break;
}
if (cap_free(cap)) {
ast_log(LOG_WARNING, "Unable to drop capabilities.\n");
}
}
#endif /* HAVE_CAP */
}
#endif /* __CYGWIN__ */
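Review bot: In the last hunk a failure to install the reduced capability set is only logged: `cap_from_text()` is not checked for NULL, and a failing `cap_set_proc(cap)` falls into `break;`, so the process continues after the uid change with whatever permitted capabilities `PR_SET_KEEPCAPS` preserved rather than CAP_NET_ADMIN alone. The `break` also skips `cap_free(cap)`, and the loop or switch it would leave is not visible here (main() starts and ends outside the hunk), so it may not be valid at this point. I would fail closed, e.g. `if (!cap || cap_set_proc(cap)) { ast_log(LOG_ERROR, "Unable to install capabilities.\n"); exit(1); }`, matching the `exit(1)` already used for an unknown user. The `cap_free` warning text "Unable to drop capabilities." is also misleading, since that call only releases the capability object; a comment above the block stating that `cap_net_admin=ep` replaces the kept set with that single capability would help the next reader.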


@ -160,3 +160,6 @@ MISDN_LIB=@MISDN_LIB@
SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@
SUPPSERV_LIB=@SUPPSERV_LIB@
CAP_LIB=@CAP_LIB@
CAP_INCLUDE=@CAP_INCLUDE@