|author||russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b>||2008-01-11 18:25:30 +0000|
|committer||russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b>||2008-01-11 18:25:30 +0000|
Backport the ability to set the ToS bits on Linux when not running as root.
Normally, we would not backport features into 1.4, but, I was convinced by the justification supplied by the supplier of this patch. He pointed out that this patch removes a requirement for running as root, thus reducing the potential impacts of security issues.

(closes issue #11742)
Reported by: paravoid
Patches:
libcap.diff uploaded by paravoid (license 200)

git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@98265 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'doc')
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/security.txt b/doc/security.txt
index 0801679cc..3adf53624 100644
@@ -28,6 +28,13 @@ The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.
+By default, if you have libcap available, Asterisk will try to retain the
+CAP_NET_ADMIN capability when running as a non-root user. If you do not need
+that capability you may want to configure Asterisk with --without-cap; however,
+this will prevent Asterisk from being able to mark high ToS bits under Linux.
+More information on CAP_NET_ADMIN is available at:
* DIALPLAN SECURITY
First and foremost remember this:
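Review bot: The added sentence "More information on CAP_NET_ADMIN is available at:" ends in a colon with no reference after it in the lines shown here, so a reader of doc/security.txt has nothing to follow; please confirm the link is present in the file. The new paragraph also only names the capability and says what is lost with --without-cap. It does not say what else CAP_NET_ADMIN permits a non-root Asterisk process to do, which is what an administrator needs in order to decide whether to keep it. I would add one sentence stating that the capability is retained solely for setting ToS bits and that it covers more network administration operations than that, and replace "high ToS bits" with the specific ToS values that need the capability.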