[asterisk-users] CAP_FOWNER=ep for asterisk

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Wed Aug 19 12:18:27 CDT 2009


On Wednesday 19 August 2009 10:43:37 Tilghman Lesher wrote:
> On Wednesday 19 August 2009 05:54:32 Raimund Sacherer wrote:
> > I need CAP_FOWNER=ep for the asterisk process, i set it with setcap on
> > the file /usr/sbin/asterisk, it's there when i look on it with getcap,
> > but after starting and loocking with getpcaps there's only
> > cap_net_admin+ep set.
> >
> > So how exactly do I set CAP_FOWNER? Do I have to patch and recompile
> > or is there another solution I did not see yet?
>
> You'd need to patch and recompile.  I really don't think this is really all
> that safe of a modification.  Is there another way (such as through groups)
> that you can do what you want here?

As an addendum, cap_net_admin actually has +eip, because if you ever use
"core restart now", those capabilities would otherwise be dropped.  This also
means that whereever Asterisk forks off a separate process to do something
(System, AGI, MOH, etc.), it has to drop those privileges before the exec().
If you proceed with your modification, you should do similar, in order to
avoid possible security issues.  BTW, this gets much simpler starting in 1.6.1
with the ast_safe_fork() API call, which does all of those safety procedures
and more, in one place.

-- 
Tilghman & Teryl
with Peter, Cottontail, Midnight, Thumper, & Johnny (bunnies)
and Harry, BB, & George (dogs)



More information about the asterisk-users mailing list