[asterisk-commits] file: trunk r43830 - in /trunk: ./ doc/ main/
asterisk-commits at lists.digium.com
asterisk-commits at lists.digium.com
Wed Sep 27 14:48:01 MST 2006
Author: file
Date: Wed Sep 27 16:48:01 2006
New Revision: 43830
URL: http://svn.digium.com/view/asterisk?rev=43830&view=rev
Log:
Add ability to set high ToS bits as non-root on Linux using libcap (issue #7047 reported by maddison)
Modified:
trunk/configure
trunk/configure.ac
trunk/doc/security.txt
trunk/main/Makefile
trunk/main/asterisk.c
trunk/makeopts.in
Modified: trunk/configure
URL: http://svn.digium.com/view/asterisk/trunk/configure?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/configure (original)
+++ trunk/configure Wed Sep 27 16:48:01 2006
@@ -691,6 +691,9 @@
ALSA_LIB
ALSA_INCLUDE
PBX_ALSA
+CAP_LIB
+CAP_INCLUDE
+PBX_CAP
CURSES_LIB
CURSES_INCLUDE
PBX_CURSES
@@ -1425,6 +1428,7 @@
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-asound=PATH use Advanced Linux Sound Architecture files in PATH
+ --with-cap=PATH use POSIX 1.e capabilities files in PATH
--with-curses=PATH use curses files in PATH
--with-gnutls=PATH use GNU TLS support (used for iksemel only) files in
PATH
@@ -5391,6 +5395,33 @@
+CAP_DESCRIP="POSIX 1.e capabilities"
+CAP_OPTION="cap"
+
+# Check whether --with-cap was given.
+if test "${with_cap+set}" = set; then
+ withval=$with_cap;
+case ${withval} in
+ n|no)
+ USE_CAP=no
+ ;;
+ y|ye|yes)
+ CAP_MANDATORY="yes"
+ ;;
+ *)
+ CAP_DIR="${withval}"
+ CAP_MANDATORY="yes"
+ ;;
+esac
+
+fi
+
+PBX_CAP=0
+
+
+
+
+
CURSES_DESCRIP="curses"
CURSES_OPTION="curses"
@@ -15974,6 +16005,468 @@
fi
fi
+
+if test "x${host_os}" = "xlinux-gnu" ; then
+
+if test "${USE_CAP}" != "no"; then
+ pbxlibdir=""
+ if test "x${CAP_DIR}" != "x"; then
+ if test -d ${CAP_DIR}/lib; then
+ pbxlibdir="-L${CAP_DIR}/lib"
+ else
+ pbxlibdir="-L${CAP_DIR}"
+ fi
+ fi
+ { echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5
+echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap ${pbxlibdir} $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_from_text ();
+int
+main ()
+{
+return cap_from_text ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_cap_cap_from_text=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_cap_cap_from_text=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5
+echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; }
+if test $ac_cv_lib_cap_cap_from_text = yes; then
+ AST_CAP_FOUND=yes
+else
+ AST_CAP_FOUND=no
+fi
+
+
+ if test "${AST_CAP_FOUND}" = "yes"; then
+ CAP_LIB="-lcap "
+ CAP_HEADER_FOUND="1"
+ if test "x${CAP_DIR}" != "x"; then
+ CAP_LIB="${pbxlibdir} ${CAP_LIB}"
+ CAP_INCLUDE="-I${CAP_DIR}/include"
+ if test "xsys/capability.h" != "x" ; then
+ as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5
+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <${CAP_DIR}/include/sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5
+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <${CAP_DIR}/include/sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ CAP_HEADER_FOUND=1
+else
+ CAP_HEADER_FOUND=0
+fi
+
+
+ fi
+ else
+ if test "xsys/capability.h" != "x" ; then
+ if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
+echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
+echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_header_sys_capability_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+
+fi
+if test $ac_cv_header_sys_capability_h = yes; then
+ CAP_HEADER_FOUND=1
+else
+ CAP_HEADER_FOUND=0
+fi
+
+
+ fi
+ fi
+ if test "x${CAP_HEADER_FOUND}" = "x0" ; then
+ if test ! -z "${CAP_MANDATORY}" ;
+ then
+ { echo "$as_me:$LINENO: ***" >&5
+echo "$as_me: ***" >&6;}
+ { echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5
+echo "$as_me: *** It appears that you do not have the cap development package installed." >&6;}
+ { echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support" >&5
+echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support" >&or re-run configure;}
+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
+ exit 1
+ fi
+ CAP_LIB=""
+ CAP_INCLUDE=""
+ PBX_CAP=0
+ else
+ PBX_CAP=1
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_CAP 1
+_ACEOF
+
+ fi
+ elif test ! -z "${CAP_MANDATORY}";
+ then
+ { echo "$as_me:$LINENO: ***" >&5
+echo "$as_me: ***" >&6;}
+ { echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5
+echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;}
+ { echo "$as_me:$LINENO: *** Either correct the installation" >&5
+echo "$as_me: *** Either correct the installation" >&or run configure;}
+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
+ exit 1
+ fi
+fi
+
+fi
GSM_INTERNAL="yes"
@@ -31772,14 +32265,14 @@
ALSA_LIB!$ALSA_LIB$ac_delim
ALSA_INCLUDE!$ALSA_INCLUDE$ac_delim
PBX_ALSA!$PBX_ALSA$ac_delim
+CAP_LIB!$CAP_LIB$ac_delim
+CAP_INCLUDE!$CAP_INCLUDE$ac_delim
+PBX_CAP!$PBX_CAP$ac_delim
CURSES_LIB!$CURSES_LIB$ac_delim
CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim
PBX_CURSES!$PBX_CURSES$ac_delim
GNUTLS_LIB!$GNUTLS_LIB$ac_delim
GNUTLS_INCLUDE!$GNUTLS_INCLUDE$ac_delim
-PBX_GNUTLS!$PBX_GNUTLS$ac_delim
-GSM_LIB!$GSM_LIB$ac_delim
-GSM_INCLUDE!$GSM_INCLUDE$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -31821,6 +32314,9 @@
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+PBX_GNUTLS!$PBX_GNUTLS$ac_delim
+GSM_LIB!$GSM_LIB$ac_delim
+GSM_INCLUDE!$GSM_INCLUDE$ac_delim
PBX_GSM!$PBX_GSM$ac_delim
IKSEMEL_LIB!$IKSEMEL_LIB$ac_delim
IKSEMEL_INCLUDE!$IKSEMEL_INCLUDE$ac_delim
@@ -31915,9 +32411,6 @@
VPB_LIB!$VPB_LIB$ac_delim
VPB_INCLUDE!$VPB_INCLUDE$ac_delim
PBX_VPB!$PBX_VPB$ac_delim
-ZLIB_LIB!$ZLIB_LIB$ac_delim
-ZLIB_INCLUDE!$ZLIB_INCLUDE$ac_delim
-PBX_ZLIB!$PBX_ZLIB$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -31959,6 +32452,9 @@
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+ZLIB_LIB!$ZLIB_LIB$ac_delim
+ZLIB_INCLUDE!$ZLIB_INCLUDE$ac_delim
+PBX_ZLIB!$PBX_ZLIB$ac_delim
ZAPTEL_LIB!$ZAPTEL_LIB$ac_delim
ZAPTEL_INCLUDE!$ZAPTEL_INCLUDE$ac_delim
PBX_ZAPTEL!$PBX_ZAPTEL$ac_delim
@@ -31998,7 +32494,7 @@
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 37; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 40; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
Modified: trunk/configure.ac
URL: http://svn.digium.com/view/asterisk/trunk/configure.ac?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/configure.ac (original)
+++ trunk/configure.ac Wed Sep 27 16:48:01 2006
@@ -175,6 +175,7 @@
# by the --with option name, to make things easier for the users :-)
AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound])
+AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap])
AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls])
AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal'])
@@ -330,6 +331,10 @@
AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h])
+if test "x${host_os}" = "xlinux-gnu" ; then
+ AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h])
+fi
+
GSM_INTERNAL="yes"
AC_SUBST(GSM_INTERNAL)
GSM_SYSTEM="yes"
Modified: trunk/doc/security.txt
URL: http://svn.digium.com/view/asterisk/trunk/doc/security.txt?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/doc/security.txt (original)
+++ trunk/doc/security.txt Wed Sep 27 16:48:01 2006
@@ -27,6 +27,13 @@
The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.
+
+By default, if you have libcap available, Asterisk will try to retain the
+CAP_NET_ADMIN capability when running as a non-root user. If you do not need
+that capability you may want to configure Asterisk with --without-cap; however,
+this will prevent Asterisk from being able to mark high ToS bits under Linux.
+More information on CAP_NET_ADMIN is available at:
+http://www.lids.org/lids-howto/node48.html
* DIALPLAN SECURITY
Modified: trunk/main/Makefile
URL: http://svn.digium.com/view/asterisk/trunk/main/Makefile?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/main/Makefile (original)
+++ trunk/main/Makefile Wed Sep 27 16:48:01 2006
@@ -49,6 +49,9 @@
ifneq ($(findstring $(OSARCH), linux-gnu uclinux ),)
ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
AST_LIBS+=-ldl
+ endif
+ ifneq (x$(CAP_LIB),x)
+ AST_LIBS+=$(CAP_LIB)
endif
AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv
else
Modified: trunk/main/asterisk.c
URL: http://svn.digium.com/view/asterisk/trunk/main/asterisk.c?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/main/asterisk.c (original)
+++ trunk/main/asterisk.c Wed Sep 27 16:48:01 2006
@@ -80,12 +80,11 @@
#include <sys/stat.h>
#ifdef linux
#include <sys/prctl.h>
-#endif
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
+#endif /* linux */
#include <regex.h>
-
-#ifdef linux
-#include <sys/prctl.h>
-#endif
#if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS)
#include <netdb.h>
@@ -2521,12 +2520,22 @@
}
if (!is_child_of_nonroot && runuser) {
+#ifdef HAVE_CAP
+ cap_t cap;
+ int has_cap = 1;
+#endif /* HAVE_CAP */
struct passwd *pw;
pw = getpwnam(runuser);
if (!pw) {
ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
exit(1);
}
+#ifdef HAVE_CAP
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+ ast_log(LOG_WARNING, "Unable to keep capabilities.\n");
+ has_cap = 0;
+ }
+#endif /* HAVE_CAP */
if (!rungroup) {
if (setgid(pw->pw_gid)) {
ast_log(LOG_WARNING, "Unable to setgid to %d!\n", (int)pw->pw_gid);
@@ -2544,6 +2553,18 @@
setenv("ASTERISK_ALREADY_NONROOT", "yes", 1);
if (option_verbose)
ast_verbose("Running as user '%s'\n", runuser);
+#ifdef HAVE_CAP
+ if (has_cap) {
+ cap = cap_from_text("cap_net_admin=ep");
+ if (cap_set_proc(cap)) {
+ ast_log(LOG_WARNING, "Unable to install capabilities.\n");
+ break;
+ }
+ if (cap_free(cap)) {
+ ast_log(LOG_WARNING, "Unable to drop capabilities.\n");
+ }
+ }
+#endif /* HAVE_CAP */
}
#endif /* __CYGWIN__ */
Modified: trunk/makeopts.in
URL: http://svn.digium.com/view/asterisk/trunk/makeopts.in?rev=43830&r1=43829&r2=43830&view=diff
==============================================================================
--- trunk/makeopts.in (original)
+++ trunk/makeopts.in Wed Sep 27 16:48:01 2006
@@ -160,3 +160,6 @@
SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@
SUPPSERV_LIB=@SUPPSERV_LIB@
+
+CAP_LIB=@CAP_LIB@
+CAP_INCLUDE=@CAP_INCLUDE@
More information about the asterisk-commits
mailing list