[asterisk-commits] russell: branch 1.4 r98265 - in /branches/1.4: ./ doc/ include/asterisk/ main/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Fri Jan 11 12:25:31 CST 2008
Author: russell
Date: Fri Jan 11 12:25:30 2008
New Revision: 98265
URL: http://svn.digium.com/view/asterisk?view=rev&rev=98265
Log:
Backport the ability to set the ToS bits on Linux when not running as root.
Normally, we would not backport features into 1.4, but, I was convinced by the
justification supplied by the supplier of this patch. He pointed out that this
patch removes a requirement for running as root, thus reducing the potential
impacts of security issues.
(closes issue #11742)
Reported by: paravoid
Patches:
libcap.diff uploaded by paravoid (license 200)
Modified:
branches/1.4/configure
branches/1.4/configure.ac
branches/1.4/doc/security.txt
branches/1.4/include/asterisk/autoconfig.h.in
branches/1.4/main/Makefile
branches/1.4/main/asterisk.c
branches/1.4/makeopts.in
Modified: branches/1.4/configure
URL: http://svn.digium.com/view/asterisk/branches/1.4/configure?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/configure (original)
+++ branches/1.4/configure Fri Jan 11 12:25:30 2008
@@ -1,5 +1,5 @@
#! /bin/sh
-# From configure.ac Revision: 94077 .
+# From configure.ac Revision: 97734 .
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.61 for asterisk 1.4.
#
@@ -726,6 +726,10 @@
CURL_INCLUDE
CURL_DIR
PBX_CURL
+CAP_LIB
+CAP_INCLUDE
+CAP_DIR
+PBX_CAP
CURSES_LIB
CURSES_INCLUDE
CURSES_DIR
@@ -1503,6 +1507,7 @@
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-asound=PATH use Advanced Linux Sound Architecture files in PATH
--with-curl=PATH use cURL files in PATH
+ --with-cap=PATH use POSIX 1.e capabilities files in PATH
--with-curses=PATH use curses files in PATH
--with-gnutls=PATH use GNU TLS support (used for iksemel only) files in
PATH
@@ -7792,6 +7797,34 @@
+CAP_DESCRIP="POSIX 1.e capabilities"
+CAP_OPTION="cap"
+
+# Check whether --with-cap was given.
+if test "${with_cap+set}" = set; then
+ withval=$with_cap;
+case ${withval} in
+ n|no)
+ USE_CAP=no
+ ;;
+ y|ye|yes)
+ CAP_MANDATORY="yes"
+ ;;
+ *)
+ CAP_DIR="${withval}"
+ CAP_MANDATORY="yes"
+ ;;
+esac
+
+fi
+
+PBX_CAP=0
+
+
+
+
+
+
CURSES_DESCRIP="curses"
CURSES_OPTION="curses"
@@ -17202,6 +17235,417 @@
fi
fi
+
+if test "x${host_os}" = "xlinux-gnu" ; then
+
+if test "${USE_CAP}" != "no"; then
+ pbxlibdir=""
+ if test "x${CAP_DIR}" != "x"; then
+ if test -d ${CAP_DIR}/lib; then
+ pbxlibdir="-L${CAP_DIR}/lib"
+ else
+ pbxlibdir="-L${CAP_DIR}"
+ fi
+ fi
+ { echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5
+echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcap ${pbxlibdir} $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_from_text ();
+int
+main ()
+{
+return cap_from_text ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_cap_cap_from_text=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_cap_cap_from_text=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5
+echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; }
+if test $ac_cv_lib_cap_cap_from_text = yes; then
+ AST_CAP_FOUND=yes
+else
+ AST_CAP_FOUND=no
+fi
+
+
+ if test "${AST_CAP_FOUND}" = "yes"; then
+ CAP_LIB="-lcap "
+ CAP_HEADER_FOUND="1"
+ if test "x${CAP_DIR}" != "x"; then
+ CAP_LIB="${pbxlibdir} ${CAP_LIB}"
+ CAP_INCLUDE="-I${CAP_DIR}/include"
+ saved_cppflags="${CPPFLAGS}"
+ CPPFLAGS="${CPPFLAGS} -I${CAP_DIR}/include"
+ if test "xsys/capability.h" != "x" ; then
+ as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5
+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <${CAP_DIR}/include/sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5
+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <${CAP_DIR}/include/sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;}
+ ( cat <<\_ASBOX
+## ------------------------------- ##
+## Report this to www.asterisk.org ##
+## ------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5
+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ CAP_HEADER_FOUND=1
+else
+ CAP_HEADER_FOUND=0
+fi
+
+
+ fi
+ CPPFLAGS="${saved_cppflags}"
+ else
+ if test "xsys/capability.h" != "x" ; then
+ if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ { echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5
+echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <sys/capability.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5
+echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/capability.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;}
+ ( cat <<\_ASBOX
+## ------------------------------- ##
+## Report this to www.asterisk.org ##
+## ------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5
+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_sys_capability_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_header_sys_capability_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5
+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; }
+
+fi
+if test $ac_cv_header_sys_capability_h = yes; then
+ CAP_HEADER_FOUND=1
+else
+ CAP_HEADER_FOUND=0
+fi
+
+
+ fi
+ fi
+ if test "x${CAP_HEADER_FOUND}" = "x0" ; then
+ if test -n "${CAP_MANDATORY}" ;
+ then
+ { echo "$as_me:$LINENO: ***" >&5
+echo "$as_me: ***" >&6;}
+ { echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5
+echo "$as_me: *** It appears that you do not have the cap development package installed." >&6;}
+ { echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&5
+echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&6;}
+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
+ exit 1
+ fi
+ CAP_LIB=""
+ CAP_INCLUDE=""
+ PBX_CAP=0
+ else
+ PBX_CAP=1
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_CAP 1
+_ACEOF
+
+ fi
+ elif test -n "${CAP_MANDATORY}";
+ then
+ { echo "$as_me:$LINENO: ***" >&5
+echo "$as_me: ***" >&6;}
+ { echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5
+echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;}
+ { echo "$as_me:$LINENO: *** Either correct the installation, or run configure" >&5
+echo "$as_me: *** Either correct the installation, or run configure" >&6;}
+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5
+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;}
+ exit 1
+ fi
+fi
+
+fi
GSM_INTERNAL="yes"
@@ -34024,6 +34468,10 @@
CURL_INCLUDE!$CURL_INCLUDE$ac_delim
CURL_DIR!$CURL_DIR$ac_delim
PBX_CURL!$PBX_CURL$ac_delim
+CAP_LIB!$CAP_LIB$ac_delim
+CAP_INCLUDE!$CAP_INCLUDE$ac_delim
+CAP_DIR!$CAP_DIR$ac_delim
+PBX_CAP!$PBX_CAP$ac_delim
CURSES_LIB!$CURSES_LIB$ac_delim
CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim
CURSES_DIR!$CURSES_DIR$ac_delim
@@ -34108,10 +34556,6 @@
PWLIB_INCLUDE!$PWLIB_INCLUDE$ac_delim
PWLIB_DIR!$PWLIB_DIR$ac_delim
PBX_PWLIB!$PBX_PWLIB$ac_delim
-OPENH323_LIB!$OPENH323_LIB$ac_delim
-OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim
-OPENH323_DIR!$OPENH323_DIR$ac_delim
-PBX_OPENH323!$PBX_OPENH323$ac_delim
_ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -34153,6 +34597,10 @@
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
+OPENH323_LIB!$OPENH323_LIB$ac_delim
+OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim
+OPENH323_DIR!$OPENH323_DIR$ac_delim
+PBX_OPENH323!$PBX_OPENH323$ac_delim
RADIUS_LIB!$RADIUS_LIB$ac_delim
RADIUS_INCLUDE!$RADIUS_INCLUDE$ac_delim
RADIUS_DIR!$RADIUS_DIR$ac_delim
@@ -34247,7 +34695,7 @@
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF
- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 92; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 96; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -34266,7 +34714,7 @@
cat >>$CONFIG_STATUS <<_ACEOF
cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
_ACEOF
sed '
s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
@@ -34279,8 +34727,6 @@
' >>$CONFIG_STATUS <conf$$subs.sed
rm -f conf$$subs.sed
cat >>$CONFIG_STATUS <<_ACEOF
-:end
-s/|#_!!_#|//g
CEOF$ac_eof
_ACEOF
@@ -34528,7 +34974,7 @@
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
s&@INSTALL@&$ac_INSTALL&;t t
$ac_datarootdir_hack
-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" | sed 's/|#_!!_#|//g' >$tmp/out
test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
{ ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
Modified: branches/1.4/configure.ac
URL: http://svn.digium.com/view/asterisk/branches/1.4/configure.ac?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/configure.ac (original)
+++ branches/1.4/configure.ac Fri Jan 11 12:25:30 2008
@@ -174,6 +174,7 @@
AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound])
AST_EXT_LIB_SETUP([CURL], [cURL], [curl])
+AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap])
AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls])
AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal'])
@@ -397,6 +398,10 @@
AST_EXT_LIB_CHECK([ALSA], [asound], [snd_spcm_init], [alsa/asoundlib.h], [-lm -ldl])
AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h])
+
+if test "x${host_os}" = "xlinux-gnu" ; then
+ AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h])
+fi
GSM_INTERNAL="yes"
AC_SUBST(GSM_INTERNAL)
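Review bot: The new AST_EXT_LIB_CHECK for CAP is gated on an exact `"x${host_os}" = "xlinux-gnu"` match, which leaves a user-supplied `--with-cap` silently ignored on every other host: the `--with-cap` handling sets CAP_MANDATORY, but the mandatory-failure branch lives inside the skipped check, so configure neither errors nor warns that the requested capability support will not be built. The Makefile hunk in this same commit recognises `linux-gnu uclinux linux-uclibc`, so it is unclear whether the narrower match here is intentional; a short comment above the `if` stating why only `linux-gnu` qualifies would settle it, e.g. `# libcap is only probed on linux-gnu; --with-cap is a no-op elsewhere`. Alternatively, add an `else` that reports when CAP_MANDATORY is set on a non-Linux host.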
Modified: branches/1.4/doc/security.txt
URL: http://svn.digium.com/view/asterisk/branches/1.4/doc/security.txt?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/doc/security.txt (original)
+++ branches/1.4/doc/security.txt Fri Jan 11 12:25:30 2008
@@ -27,6 +27,13 @@
The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.
+
+By default, if you have libcap available, Asterisk will try to retain the
+CAP_NET_ADMIN capability when running as a non-root user. If you do not need
+that capability you may want to configure Asterisk with --without-cap; however,
+this will prevent Asterisk from being able to mark high ToS bits under Linux.
+More information on CAP_NET_ADMIN is available at:
+http://www.lids.org/lids-howto/node48.html
* DIALPLAN SECURITY
Modified: branches/1.4/include/asterisk/autoconfig.h.in
URL: http://svn.digium.com/view/asterisk/branches/1.4/include/asterisk/autoconfig.h.in?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/include/asterisk/autoconfig.h.in (original)
+++ branches/1.4/include/asterisk/autoconfig.h.in Fri Jan 11 12:25:30 2008
@@ -61,6 +61,9 @@
/* Define to 1 if you have the `bzero' function. */
#undef HAVE_BZERO
+
+/* Define to indicate the ${CAP_DESCRIP} library */
+#undef HAVE_CAP
/* Define to 1 if your system has a working `chown' function. */
#undef HAVE_CHOWN
Modified: branches/1.4/main/Makefile
URL: http://svn.digium.com/view/asterisk/branches/1.4/main/Makefile?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/main/Makefile (original)
+++ branches/1.4/main/Makefile Fri Jan 11 12:25:30 2008
@@ -54,6 +54,9 @@
ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc ),)
ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
AST_LIBS+=-ldl
+ endif
+ ifneq (x$(CAP_LIB),x)
+ AST_LIBS+=$(CAP_LIB)
endif
AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv
else
Modified: branches/1.4/main/asterisk.c
URL: http://svn.digium.com/view/asterisk/branches/1.4/main/asterisk.c?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/main/asterisk.c (original)
+++ branches/1.4/main/asterisk.c Fri Jan 11 12:25:30 2008
@@ -82,12 +82,11 @@
#include <sys/stat.h>
#ifdef linux
#include <sys/prctl.h>
-#endif
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
+#endif /* linux */
#include <regex.h>
-
-#ifdef linux
-#include <sys/prctl.h>
-#endif
#if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS)
#include <netdb.h>
@@ -2734,12 +2733,21 @@
}
if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) {
+#ifdef HAVE_CAP
+ int has_cap = 1;
+#endif /* HAVE_CAP */
struct passwd *pw;
pw = getpwnam(runuser);
if (!pw) {
ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
exit(1);
}
+#ifdef HAVE_CAP
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+ ast_log(LOG_WARNING, "Unable to keep capabilities.\n");
+ has_cap = 0;
+ }
+#endif /* HAVE_CAP */
if (!isroot && pw->pw_uid != geteuid()) {
ast_log(LOG_ERROR, "Asterisk started as nonroot, but runuser '%s' requested.\n", runuser);
exit(1);
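Review bot: The warning emitted when `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` fails drops errno, so an operator cannot distinguish a kernel built without capability support from a permission problem, which is exactly the diagnosis needed when the ToS marking later stops working; `ast_log(LOG_WARNING, "Unable to keep capabilities: %s\n", strerror(errno));` would carry it (this assumes errno.h and string.h are already included in asterisk.c, which I cannot see from this hunk). The degradation to `has_cap = 0` is otherwise reasonable as a best-effort path since privilege is dropped either way. The enclosing `if (runuser && ...)` block and the surrounding function continue outside this hunk.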
@@ -2760,6 +2768,19 @@
}
if (option_verbose)
ast_verbose("Running as user '%s'\n", runuser);
+#ifdef HAVE_CAP
+ if (has_cap) {
+ cap_t cap;
+
+ cap = cap_from_text("cap_net_admin=ep");
+
+ if (cap_set_proc(cap))
+ ast_log(LOG_WARNING, "Unable to install capabilities.\n");
+
+ if (cap_free(cap))
+ ast_log(LOG_WARNING, "Unable to drop capabilities.\n");
+ }
+#endif /* HAVE_CAP */
}
#endif /* __CYGWIN__ */
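Review bot: `cap = cap_from_text("cap_net_admin=ep")` is passed to `cap_set_proc()` and `cap_free()` without a NULL check; cap_from_text returns NULL on allocation or parse failure, and in that case the two warnings that follow would misreport the cause as an install/drop failure rather than an unusable capability set. Guard it before the two calls: `if (!cap) { ast_log(LOG_WARNING, "Unable to build capability set.\n"); } else {` wrapping the existing `cap_set_proc` and `cap_free` calls, with a closing `}`. A one-line comment above the block would also help a later reader, e.g. `/* After setuid() only the permitted set survives (PR_SET_KEEPCAPS); re-raise just CAP_NET_ADMIN so ToS bits can be set, everything else stays dropped */`, since the "=ep" text form clears every capability not named, which is the least-privilege property this change relies on. The enclosing `if (runuser && ...)` block begins in the previous hunk and the function continues outside this one.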
Modified: branches/1.4/makeopts.in
URL: http://svn.digium.com/view/asterisk/branches/1.4/makeopts.in?view=diff&rev=98265&r1=98264&r2=98265
==============================================================================
--- branches/1.4/makeopts.in (original)
+++ branches/1.4/makeopts.in Fri Jan 11 12:25:30 2008
@@ -175,6 +175,9 @@
SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@
SUPPSERV_LIB=@SUPPSERV_LIB@
+CAP_LIB=@CAP_LIB@
+CAP_INCLUDE=@CAP_INCLUDE@
+
TERMCAP_INCLUDE=@TERMCAP_INCLUDE@
TERMCAP_LIB=@TERMCAP_LIB@
TERMCAP_DIR=@TERMCAP_DIR@