[asterisk-users] TOS and security

Bill Michaelson bill at cosi.com
Fri Jul 18 14:21:14 CDT 2008


I'm preparing for a client install of * by doing a fresh one in-house.  
Unlike my earlier installation that runs asterisk as superuser, my 
current experimental box runs without such privilege.  This is causing 
it to moan that it can't set TOS.  I absolutely don't want to install it 
on the client LAN without this capability.  If need be, I'll set the 
binary to run setuid root.

But I'm looking for something more elegant.  While googling, I found a 
suggestion to use iptables mangle rules to set TOS for all packets going 
out of the box on ports like 5060 and 10000:20000.  Not a bad hack, but 
indiscriminate and this box will be handling other traffic besides the 
RTP.  I'd like to do better.

I thought of using POSIX access control to enable asterisk to do TOS 
setting without being root (would this be CAP_NET_RAW?), which sounds 
perfect, but so far I'm operating with stock Ubuntu hardy, and I would 
like to avoid a kernel build to add this capability.

Any other ideas?
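
Added example, not part of the original post: a probe to run as the unprivileged account Asterisk will use, so that the capability question above is answered by the running kernel rather than assumed. It decodes the process's effective capability mask and attempts the same `IP_TOS` socket option on a throwaway UDP socket; the TOS values are sample ones and the function names are this example's own.

```python
import errno
import socket

CAP_NET_ADMIN = 12  # bit numbers from linux/capability.h
CAP_NET_RAW = 13

# Sample TOS bytes to probe (constructed for this example).
SAMPLE_TOS = {"lowdelay": 0x10, "cs3": 0x60, "ef": 0xB8}


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_cap(mask, bit):
    """True if capability number `bit` is present in the mask."""
    return bool((mask >> bit) & 1)


def try_tos(value):
    """Set IP_TOS on a throwaway UDP socket; return (ok, detail)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, value)
            readback = sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
            return readback == value, "kernel reports 0x%02x" % readback
    except OSError as exc:
        # EPERM/EACCES here means the kernel refused this value for this uid.
        return False, errno.errorcode.get(exc.errno, str(exc.errno))


def report():
    """Build one line for the capability mask and one per probed TOS value."""
    with open("/proc/self/status") as fh:
        mask = parse_cap_eff(fh.read())
    lines = ["CAP_NET_ADMIN=%s CAP_NET_RAW=%s"
             % (has_cap(mask, CAP_NET_ADMIN), has_cap(mask, CAP_NET_RAW))]
    for name, value in SAMPLE_TOS.items():
        ok, detail = try_tos(value)
        lines.append("%-8s 0x%02x %s (%s)"
                     % (name, value, "set" if ok else "REFUSED", detail))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it once as the service account and once as root shows whether any of the values is refused only when unprivileged, and with which errno.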
