[asterisk-users] TOS and security
Tilghman Lesher
tilghman at mail.jeffandtilghman.com
Fri Jul 18 14:55:15 CDT 2008
On Friday 18 July 2008 14:21:14 Bill Michaelson wrote:
> I'm preparing for a client install of * by doing a fresh one in-house.
> Unlike my earlier installation that runs asterisk as superuser, my
> current experimental box runs without such privilege. This is causing
> it to moan that it can't set TOS. I absolutely don't want to install it
> on the client LAN without this capability. If need be, I'll set the
> binary to run setuid root.
>
> But I'm looking for something more elegant. While googling, I found a
> suggestion to use iptables mangle rules to set TOS for all packets going
> out of the box on ports like 5060 and 10000:20000. Not a bad hack, but
> indiscriminate and this box will be handling other traffic besides the
> RTP. I'd like to do better.
>
> I thought of using POSIX access control to enable asterisk to do TOS
> setting without being root (would this be CAP_NET_RAW?), which sounds
> perfect, but so far I'm operating with stock ubuntu hardy, and I would
> like to avoid a kernel build to add this capability.
It's actually CAP_NET_ADMIN, and we already keep that privilege, if the
configure script detects that the capabilities library is available. Simply
set the runuser and rungroup in asterisk.conf, and Asterisk will automatically
keep those privileges during startup.
--
Tilghman
More information about the asterisk-users
mailing list