[asterisk-commits] tilghman: branch 1.6.0 r172503 - in /branches/1.6.0: ./ apps/ autoconf/ build...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Jan 29 17:47:00 CST 2009


Author: tilghman
Date: Thu Jan 29 17:47:00 2009
New Revision: 172503

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=172503
Log:
Merged revisions 172441 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r172441 | tilghman | 2009-01-29 17:15:40 -0600 (Thu, 29 Jan 2009) | 16 lines
  
  Merged revisions 172438 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r172438 | tilghman | 2009-01-29 16:54:29 -0600 (Thu, 29 Jan 2009) | 9 lines
    
    Lose the CAP_NET_ADMIN at every fork, instead of at startup.  Otherwise, if
    Asterisk runs as a non-root user and the administrator does a 'restart now',
    Asterisk loses the ability to set QOS on packets.
    (closes issue #14004)
     Reported by: nemo
     Patches: 
           20090105__bug14004.diff.txt uploaded by Corydon76 (license 14)
     Tested by: Corydon76
  ........
................

Modified:
    branches/1.6.0/   (props changed)
    branches/1.6.0/apps/app_dahdiras.c
    branches/1.6.0/apps/app_externalivr.c
    branches/1.6.0/apps/app_festival.c
    branches/1.6.0/apps/app_ices.c
    branches/1.6.0/apps/app_mp3.c
    branches/1.6.0/apps/app_nbscat.c
    branches/1.6.0/autoconf/ast_func_fork.m4
    branches/1.6.0/build_tools/menuselect-deps.in
    branches/1.6.0/configure
    branches/1.6.0/main/asterisk.c
    branches/1.6.0/res/res_agi.c
    branches/1.6.0/res/res_musiconhold.c

Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.0/apps/app_dahdiras.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_dahdiras.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_dahdiras.c (original)
+++ branches/1.6.0/apps/app_dahdiras.c Thu Jan 29 17:47:00 2009
@@ -27,6 +27,7 @@
 
 /*** MODULEINFO
 	<depend>dahdi</depend>
+	<depend>working_fork</depend>
  ***/
 
 #include "asterisk.h"
@@ -42,6 +43,9 @@
 #endif /* __linux__ */
 
 #include <fcntl.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include <dahdi/user.h>
 
@@ -76,6 +80,9 @@
 	int argc = 0;
 	char *stringp=NULL;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -86,6 +93,16 @@
 		pthread_sigmask(SIG_SETMASK, &oldset, NULL);
 		return pid;
 	}
+
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 
 	/* Restore original signal handlers */
 	for (x=0;x<NSIG;x++)
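Review bot: A failed drop is only logged in the added `#ifdef HAVE_CAP` block, so the child continues past this point with whatever capability sets it inherited. A NULL return from `cap_from_text()` is also caught only indirectly, through `cap_set_proc()` failing. Since the block exists to keep CAP_NET_ADMIN away from the spawned helper, consider failing closed with `_exit(1);` after the `ast_log()` call, and add `strerror(errno)` to the message so the cause is visible. The same block is added in app_externalivr.c, app_festival.c, app_ices.c, app_mp3.c, app_nbscat.c, main/asterisk.c, res_agi.c and res_musiconhold.c and would need the same treatment. The enclosing function starts and ends outside this hunk.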

Modified: branches/1.6.0/apps/app_externalivr.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_externalivr.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_externalivr.c (original)
+++ branches/1.6.0/apps/app_externalivr.c Thu Jan 29 17:47:00 2009
@@ -31,11 +31,18 @@
  * \ingroup applications
  */
 
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 
 #include <signal.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -362,6 +369,15 @@
 	if (!pid) {
 		/* child process */
 		int i;
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
 
 		signal(SIGPIPE, SIG_DFL);
 		pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
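Review bot: This capability-drop block is pasted into nine fork sites by this commit, which makes it easy for one copy to drift. The res_musiconhold.c copy already lacks the "Careful with order!" comment the others carry. A single helper declared in a shared Asterisk header and called as one line in each child would keep the `#ifdef HAVE_CAP` guard, the capability string and the failure policy in one place. The child branch shown here sits in a function whose start and end are outside the hunk.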

Modified: branches/1.6.0/apps/app_festival.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_festival.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_festival.c (original)
+++ branches/1.6.0/apps/app_festival.c Thu Jan 29 17:47:00 2009
@@ -26,6 +26,10 @@
  * 
  * \ingroup applications
  */
+
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
 
 #include "asterisk.h"
 
@@ -39,6 +43,9 @@
 #include <fcntl.h>
 #include <ctype.h>
 #include <errno.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/file.h"
 #include "asterisk/channel.h"
@@ -123,6 +130,9 @@
 	char c;
 #endif
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -134,6 +144,15 @@
 		pthread_sigmask(SIG_SETMASK, &oldset, NULL);
 		return res;
 	}
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 	for (x = 0; x < 256; x++) {
 		if (x != fd)
 			close(x);

Modified: branches/1.6.0/apps/app_ices.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_ices.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_ices.c (original)
+++ branches/1.6.0/apps/app_ices.c Thu Jan 29 17:47:00 2009
@@ -27,6 +27,10 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -34,6 +38,9 @@
 #include <signal.h>
 #include <fcntl.h>
 #include <sys/time.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/paths.h"	/* use ast_config_AST_CONFIG_DIR */
 #include "asterisk/lock.h"
@@ -64,6 +71,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -79,6 +89,16 @@
 	/* Stop ignoring PIPE */
 	signal(SIGPIPE, SIG_DFL);
 	pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
+
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 
 	if (ast_opt_high_priority)
 		ast_set_priority(0);

Modified: branches/1.6.0/apps/app_mp3.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_mp3.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_mp3.c (original)
+++ branches/1.6.0/apps/app_mp3.c Thu Jan 29 17:47:00 2009
@@ -25,12 +25,19 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 
 #include <sys/time.h>
 #include <signal.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -58,6 +65,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -69,6 +79,15 @@
 		pthread_sigmask(SIG_SETMASK, &oldset, NULL);
 		return res;
 	}
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 	signal(SIGPIPE, SIG_DFL);
@@ -76,8 +95,7 @@
 
 	dup2(fd, STDOUT_FILENO);
 	for (x=STDERR_FILENO + 1;x<256;x++) {
-		if (x != STDOUT_FILENO)
-			close(x);
+		close(x);
 	}
 	/* Execute mpg123, but buffer if it's a net connection */
 	if (!strncasecmp(filename, "http://", 7)) {
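Review bot: The close loop still stops at descriptor 255, so any descriptor numbered 256 or higher that the parent holds stays open in the player process started below. Dropping the `x != STDOUT_FILENO` test is fine because the loop starts above stderr, but the fixed bound is the part worth changing. Consider taking the upper limit from `getrlimit(RLIMIT_NOFILE, ...)` instead of the literal 256, or marking descriptors close-on-exec where they are created. app_festival.c shows the same 256 bound in its context lines. The function continues outside this hunk.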

Modified: branches/1.6.0/apps/app_nbscat.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_nbscat.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/apps/app_nbscat.c (original)
+++ branches/1.6.0/apps/app_nbscat.c Thu Jan 29 17:47:00 2009
@@ -25,6 +25,10 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -33,6 +37,9 @@
 #include <sys/time.h>
 #include <sys/socket.h>
 #include <signal.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -63,6 +70,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -77,6 +87,15 @@
 	signal(SIGPIPE, SIG_DFL);
 	pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
 
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 

Modified: branches/1.6.0/autoconf/ast_func_fork.m4
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/autoconf/ast_func_fork.m4?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/autoconf/ast_func_fork.m4 (original)
+++ branches/1.6.0/autoconf/ast_func_fork.m4 Thu Jan 29 17:47:00 2009
@@ -39,6 +39,8 @@
 fi
 if test "x$ac_cv_func_fork_works" = xyes; then
   AC_DEFINE(HAVE_WORKING_FORK, 1, [Define to 1 if `fork' works.])
+  PBX_WORKING_FORK=1
+  AC_SUBST(PBX_WORKING_FORK)
 fi
 ])# AST_FUNC_FORK
 

Modified: branches/1.6.0/build_tools/menuselect-deps.in
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/build_tools/menuselect-deps.in?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/build_tools/menuselect-deps.in (original)
+++ branches/1.6.0/build_tools/menuselect-deps.in Thu Jan 29 17:47:00 2009
@@ -47,4 +47,5 @@
 VORBIS=@PBX_VORBIS@
 VPBAPI=@PBX_VPB@
 WINARCH=@WINARCH@
+WORKING_VFORK=@WORKING_VFORK@
 ZLIB=@PBX_ZLIB@
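Review bot: The added key does not match anything else in this commit. The modules declare `<depend>working_fork</depend>` and ast_func_fork.m4 substitutes `PBX_WORKING_FORK`, while this line defines `WORKING_VFORK` from `@WORKING_VFORK@`. Unless another part of the tree provides those names, the new dependency would not resolve as intended and the placeholder may be left unexpanded. The line was probably meant to read `WORKING_FORK=@PBX_WORKING_FORK@`.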

Modified: branches/1.6.0/main/asterisk.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/main/asterisk.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/main/asterisk.c (original)
+++ branches/1.6.0/main/asterisk.c Thu Jan 29 17:47:00 2009
@@ -873,6 +873,15 @@
 #endif	
 
 	if (pid == 0) {
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
 #ifdef HAVE_WORKING_FORK
 		if (ast_opt_high_priority)
 			ast_set_priority(0);
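Review bot: The child now allocates via `cap_from_text()` and, on failure, calls `ast_log()` between fork and exec. In a multithreaded parent only async-signal-safe calls are guaranteed not to deadlock there, and `ast_log()` presumably takes logger locks that another thread may have held at fork time. If that matters on the supported platforms, build the `cap_t` in the parent before forking and leave only `cap_set_proc(cap)` in the child. The `if (pid == 0)` body continues outside this hunk.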
@@ -897,7 +906,7 @@
 	}
 
 	ast_unreplace_sigchld();
-#else
+#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
 	res = -1;
 #endif
 
@@ -3197,7 +3206,7 @@
 		if (has_cap) {
 			cap_t cap;
 
-			cap = cap_from_text("cap_net_admin=ep");
+			cap = cap_from_text("cap_net_admin=eip");
 
 			if (cap_set_proc(cap))
 				ast_log(LOG_WARNING, "Unable to install capabilities.\n");
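Review bot: The switch from `=ep` to `=eip` carries no comment, although it changes what every child inherits. With the inheritable flag set, the drop added at each fork site is the only thing keeping CAP_NET_ADMIN out of the inheritable set of spawned helpers, so any fork/exec path this commit did not touch still passes it along. Going by the commit log, a comment such as `/* 'i' keeps CAP_NET_ADMIN across the re-exec done by 'restart now'; every fork()ed child must drop it again */` would record the intent, and the remaining fork sites deserve an audit. The `has_cap` block continues outside this hunk.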

Modified: branches/1.6.0/res/res_agi.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/res/res_agi.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/res/res_agi.c (original)
+++ branches/1.6.0/res/res_agi.c Thu Jan 29 17:47:00 2009
@@ -23,6 +23,10 @@
  * \author Mark Spencer <markster at digium.com> 
  */
 
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -33,6 +37,9 @@
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <pthread.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/paths.h"	/* use many ast_config_AST_*_DIR */
 #include "asterisk/network.h"
@@ -667,6 +674,16 @@
 		return AGI_RESULT_FAILURE;
 	}
 	if (!pid) {
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
+
 		/* Pass paths to AGI via environmental variables */
 		setenv("AST_CONFIG_DIR", ast_config_AST_CONFIG_DIR, 1);
 		setenv("AST_CONFIG_FILE", ast_config_AST_CONFIG_FILE, 1);

Modified: branches/1.6.0/res/res_musiconhold.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/res/res_musiconhold.c?view=diff&rev=172503&r1=172502&r2=172503
==============================================================================
--- branches/1.6.0/res/res_musiconhold.c (original)
+++ branches/1.6.0/res/res_musiconhold.c Thu Jan 29 17:47:00 2009
@@ -28,6 +28,7 @@
 /*** MODULEINFO
 	<conflict>win32</conflict>
 	<use>dahdi</use>
+	<depend>working_fork</depend>
  ***/
 
 #include "asterisk.h"
@@ -49,6 +50,9 @@
 #ifdef HAVE_DAHDI
 #include <dahdi/user.h>
 #endif
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -491,7 +495,15 @@
 		return -1;
 	}
 	if (!class->pid) {
+		/* Child */
 		int x;
+#ifdef HAVE_CAP
+		cap_t cap;
+#endif
+		if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
+			ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
+			_exit(1);
+		}
 
 		if (ast_opt_high_priority)
 			ast_set_priority(0);
@@ -500,6 +512,14 @@
 		signal(SIGPIPE, SIG_DFL);
 		pthread_sigmask(SIG_UNBLOCK, &signal_set, NULL);
 
+#ifdef HAVE_CAP
+		cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
 		close(fds[0]);
 		/* Stdout goes to pipe */
 		dup2(fds[1], STDOUT_FILENO);
@@ -509,12 +529,8 @@
 				close(x);
 			}
 		}
-		/* Child */
-		if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
-			ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
-			_exit(1);
-		}
 		setpgid(0, getpid());
+
 		if (ast_test_flag(class, MOH_CUSTOM)) {
 			execv(argv[0], argv);
 		} else {



