[asterisk-commits] tilghman: branch 1.4 r86066 - /branches/1.4/main/asterisk.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Oct 17 10:23:51 CDT 2007
Author: tilghman
Date: Wed Oct 17 10:23:51 2007
New Revision: 86066
URL: http://svn.digium.com/view/asterisk?view=rev&rev=86066
Log:
When runuser/rungroup is specified, a remote console could only be attained by root
Modified:
branches/1.4/main/asterisk.c
Modified: branches/1.4/main/asterisk.c
URL: http://svn.digium.com/view/asterisk/branches/1.4/main/asterisk.c?view=diff&rev=86066&r1=86065&r2=86066
==============================================================================
--- branches/1.4/main/asterisk.c (original)
+++ branches/1.4/main/asterisk.c Wed Oct 17 10:23:51 2007
@@ -2547,7 +2547,7 @@
FILE *f;
sigset_t sigs;
int num;
- int is_child_of_nonroot = 0;
+ int isroot = 1;
char *buf;
char *runuser = NULL, *rungroup = NULL;
@@ -2559,6 +2559,9 @@
for (x=0; x<argc; x++)
_argv[x] = argv[x];
_argv[x] = NULL;
+
+ if (geteuid() != 0)
+ isroot = 0;
/* if the progname is rasterisk consider it a remote console */
if (argv[0] && (strstr(argv[0], "rasterisk")) != NULL) {
@@ -2573,11 +2576,7 @@
ast_builtins_init();
ast_utils_init();
tdd_init();
- /* When Asterisk restarts after it has dropped the root privileges,
- * it can't issue setuid(), setgid(), setgroups() or set_priority()
- */
- if (getenv("ASTERISK_ALREADY_NONROOT"))
- is_child_of_nonroot=1;
+
if (getenv("HOME"))
snprintf(filename, sizeof(filename), "%s/.asterisk_history", getenv("HOME"));
/* Check for options */
@@ -2712,10 +2711,10 @@
#ifndef __CYGWIN__
- if (!is_child_of_nonroot)
+ if (isroot)
ast_set_priority(ast_opt_high_priority);
- if (!is_child_of_nonroot && rungroup) {
+ if (isroot && rungroup) {
struct group *gr;
gr = getgrnam(rungroup);
if (!gr) {
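Review bot: The `if (isroot && rungroup)` test silently ignores a configured rungroup when the daemon is started as non-root, while the runuser branch changed later in this commit exits with an error when the requested user is not the effective uid. A non-root start whose current group differs from rungroup therefore keeps running with the caller's group and leaves no log line; a matching check after the lookup, along the lines of `if (!isroot && gr->gr_gid != getegid()) { ast_log(LOG_ERROR, ...); exit(1); }`, would make the two settings fail the same way. The group branch is also not gated on `AST_OPT_FLAG_REMOTE` the way the runuser branch now is, so a root-started remote console appears to still change group but not user; if that is intended it deserves a comment. The body of this block continues outside the hunk.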
@@ -2734,11 +2733,15 @@
ast_verbose("Running as group '%s'\n", rungroup);
}
- if (!is_child_of_nonroot && runuser) {
+ if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) {
struct passwd *pw;
pw = getpwnam(runuser);
if (!pw) {
ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
+ exit(1);
+ }
+ if (!isroot && pw->pw_uid != geteuid()) {
+ ast_log(LOG_ERROR, "Asterisk started as nonroot, but runuser '%s' requested.\n", runuser);
exit(1);
}
if (!rungroup) {
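Review bot: When the new `!isroot && pw->pw_uid != geteuid()` check passes because runuser is already the effective user, control still falls into `if (!rungroup) {` and the later setuid path, whose bodies are outside this hunk. If those paths call group-setting functions that need privilege (not visible here, so this is an inference), a non-root start with a matching runuser could still hit `exit(1)`; guarding the privileged calls with `isroot` would avoid that. Separately, the "No such user" path is now fatal but still logs at `LOG_WARNING`, while the new message uses `LOG_ERROR`; `ast_log(LOG_ERROR, "No such user '%s'!\n", runuser);` would keep the levels consistent for operators filtering logs on startup failures.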
@@ -2755,7 +2758,6 @@
ast_log(LOG_WARNING, "Unable to setuid to %d (%s)\n", (int)pw->pw_uid, runuser);
exit(1);
}
- setenv("ASTERISK_ALREADY_NONROOT", "yes", 1);
if (option_verbose)
ast_verbose("Running as user '%s'\n", runuser);
}