-rwxr-xr-x | configure | 466 | ||||
-rw-r--r-- | configure.ac | 5 | ||||
-rw-r--r-- | doc/security.txt | 7 | ||||
-rw-r--r-- | include/asterisk/autoconfig.h.in | 3 | ||||
-rw-r--r-- | main/Makefile | 3 | ||||
-rw-r--r-- | main/asterisk.c | 31 | ||||
-rw-r--r-- | makeopts.in | 3 |
7 files changed, 503 insertions, 15 deletions
@@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Revision: 94077 . +# From configure.ac Revision: 97734 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.61 for asterisk 1.4. # @@ -726,6 +726,10 @@ CURL_LIB CURL_INCLUDE CURL_DIR PBX_CURL +CAP_LIB +CAP_INCLUDE +CAP_DIR +PBX_CAP CURSES_LIB CURSES_INCLUDE CURSES_DIR @@ -1503,6 +1507,7 @@ Optional Packages: --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-asound=PATH use Advanced Linux Sound Architecture files in PATH --with-curl=PATH use cURL files in PATH + --with-cap=PATH use POSIX 1.e capabilities files in PATH --with-curses=PATH use curses files in PATH --with-gnutls=PATH use GNU TLS support (used for iksemel only) files in PATH @@ -7792,6 +7797,34 @@ PBX_CURL=0 +CAP_DESCRIP="POSIX 1.e capabilities" +CAP_OPTION="cap" + +# Check whether --with-cap was given. +if test "${with_cap+set}" = set; then + withval=$with_cap; +case ${withval} in + n|no) + USE_CAP=no + ;; + y|ye|yes) + CAP_MANDATORY="yes" + ;; + *) + CAP_DIR="${withval}" + CAP_MANDATORY="yes" + ;; +esac + +fi + +PBX_CAP=0 + + + + + + CURSES_DESCRIP="curses" CURSES_OPTION="curses" 
@@ -17203,6 +17236,417 @@ echo "$as_me: *** without explicitly specifying --with-${CURSES_OPTION}" >&6;} fi +if test "x${host_os}" = "xlinux-gnu" ; then + +if test "${USE_CAP}" != "no"; then + pbxlibdir="" + if test "x${CAP_DIR}" != "x"; then + if test -d ${CAP_DIR}/lib; then + pbxlibdir="-L${CAP_DIR}/lib" + else + pbxlibdir="-L${CAP_DIR}" + fi + fi + { echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5 +echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; } +if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcap ${pbxlibdir} $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char cap_from_text (); +int +main () +{ +return cap_from_text (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_cap_cap_from_text=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_cap_cap_from_text=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5 +echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; } +if test $ac_cv_lib_cap_cap_from_text = yes; then + AST_CAP_FOUND=yes +else + AST_CAP_FOUND=no +fi + + + if test "${AST_CAP_FOUND}" = "yes"; then + CAP_LIB="-lcap " + CAP_HEADER_FOUND="1" + if test "x${CAP_DIR}" != "x"; then + CAP_LIB="${pbxlibdir} ${CAP_LIB}" + CAP_INCLUDE="-I${CAP_DIR}/include" + saved_cppflags="${CPPFLAGS}" + CPPFLAGS="${CPPFLAGS} -I${CAP_DIR}/include" + if test "xsys/capability.h" != "x" ; then + as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5 +echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } +else + # Is the header compilable? +{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5 +echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +$ac_includes_default +#include <${CAP_DIR}/include/sys/capability.h> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } + +# Is the header present? +{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5 +echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <${CAP_DIR}/include/sys/capability.h> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! 
-s conftest.err + }; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" 
>&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;} + ( cat <<\_ASBOX +## ------------------------------- ## +## Report this to www.asterisk.org ## +## ------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5 +echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval echo '${'$as_ac_Header'}'` + { echo "$as_me:$LINENO: result: $ac_res" >&5 +echo "${ECHO_T}$ac_res" >&6; } + +fi +if test `eval echo '${'$as_ac_Header'}'` = yes; then + CAP_HEADER_FOUND=1 +else + CAP_HEADER_FOUND=0 +fi + + + fi + CPPFLAGS="${saved_cppflags}" + else + if test "xsys/capability.h" != "x" ; then + if test "${ac_cv_header_sys_capability_h+set}" = set; then + { echo "$as_me:$LINENO: checking for sys/capability.h" >&5 +echo $ECHO_N "checking for sys/capability.h... 
$ECHO_C" >&6; } +if test "${ac_cv_header_sys_capability_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5 +echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; } +else + # Is the header compilable? +{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5 +echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <sys/capability.h> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6; } + +# Is the header present? +{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5 +echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +#include <sys/capability.h> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi + +rm -f conftest.err conftest.$ac_ext +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5 +echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" 
>&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;} + ( cat <<\_ASBOX +## ------------------------------- ## +## Report this to www.asterisk.org ## +## ------------------------------- ## +_ASBOX + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5 +echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; } +if test "${ac_cv_header_sys_capability_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_cv_header_sys_capability_h=$ac_header_preproc +fi +{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5 +echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; } + +fi +if test $ac_cv_header_sys_capability_h = yes; then + CAP_HEADER_FOUND=1 +else + CAP_HEADER_FOUND=0 +fi + + + fi + fi + if test "x${CAP_HEADER_FOUND}" = "x0" ; then + if test -n "${CAP_MANDATORY}" ; + then + { echo "$as_me:$LINENO: ***" >&5 +echo "$as_me: ***" >&6;} + { echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5 +echo "$as_me: *** It appears that you do not have the cap development package installed." 
>&6;} + { echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&5 +echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&6;} + { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5 +echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;} + exit 1 + fi + CAP_LIB="" + CAP_INCLUDE="" + PBX_CAP=0 + else + PBX_CAP=1 + +cat >>confdefs.h <<_ACEOF +#define HAVE_CAP 1 +_ACEOF + + fi + elif test -n "${CAP_MANDATORY}"; + then + { echo "$as_me:$LINENO: ***" >&5 +echo "$as_me: ***" >&6;} + { echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5 +echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;} + { echo "$as_me:$LINENO: *** Either correct the installation, or run configure" >&5 +echo "$as_me: *** Either correct the installation, or run configure" >&6;} + { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5 +echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;} + exit 1 + fi +fi + +fi + GSM_INTERNAL="yes" GSM_SYSTEM="yes" @@ -34024,6 +34468,10 @@ CURL_LIB!$CURL_LIB$ac_delim CURL_INCLUDE!$CURL_INCLUDE$ac_delim CURL_DIR!$CURL_DIR$ac_delim PBX_CURL!$PBX_CURL$ac_delim +CAP_LIB!$CAP_LIB$ac_delim +CAP_INCLUDE!$CAP_INCLUDE$ac_delim +CAP_DIR!$CAP_DIR$ac_delim +PBX_CAP!$PBX_CAP$ac_delim CURSES_LIB!$CURSES_LIB$ac_delim CURSES_INCLUDE!$CURSES_INCLUDE$ac_delim CURSES_DIR!$CURSES_DIR$ac_delim @@ -34108,10 +34556,6 @@ PWLIB_LIB!$PWLIB_LIB$ac_delim PWLIB_INCLUDE!$PWLIB_INCLUDE$ac_delim PWLIB_DIR!$PWLIB_DIR$ac_delim PBX_PWLIB!$PBX_PWLIB$ac_delim -OPENH323_LIB!$OPENH323_LIB$ac_delim -OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim -OPENH323_DIR!$OPENH323_DIR$ac_delim -PBX_OPENH323!$PBX_OPENH323$ac_delim _ACEOF if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then 
@@ -34153,6 +34597,10 @@ _ACEOF ac_delim='%!_!# ' for ac_last_try in false false false false false :; do cat >conf$$subs.sed <<_ACEOF +OPENH323_LIB!$OPENH323_LIB$ac_delim +OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim +OPENH323_DIR!$OPENH323_DIR$ac_delim +PBX_OPENH323!$PBX_OPENH323$ac_delim RADIUS_LIB!$RADIUS_LIB$ac_delim RADIUS_INCLUDE!$RADIUS_INCLUDE$ac_delim RADIUS_DIR!$RADIUS_DIR$ac_delim @@ -34247,7 +34695,7 @@ CURL_CONFIG!$CURL_CONFIG$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 92; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 96; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 @@ -34266,7 +34714,7 @@ fi cat >>$CONFIG_STATUS <<_ACEOF cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b _ACEOF sed ' s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g @@ -34279,8 +34727,6 @@ N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n ' >>$CONFIG_STATUS <conf$$subs.sed rm -f conf$$subs.sed cat >>$CONFIG_STATUS <<_ACEOF -:end -s/|#_!!_#|//g CEOF$ac_eof _ACEOF @@ -34528,7 +34974,7 @@ s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t $ac_datarootdir_hack -" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out +" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" | sed 's/|#_!!_#|//g' >$tmp/out test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && diff --git a/configure.ac b/configure.ac index 34ceebaaa..1c167ff07 100644 --- a/configure.ac +++ b/configure.ac 
@@ -174,6 +174,7 @@ AC_SUBST(AST_DEVMODE) AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound]) AST_EXT_LIB_SETUP([CURL], [cURL], [curl]) +AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap]) AST_EXT_LIB_SETUP([CURSES], [curses], [curses]) AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls]) AST_EXT_LIB_SETUP([GSM], [GSM], [gsm], [, or 'internal']) @@ -398,6 +399,10 @@ AST_EXT_LIB_CHECK([ALSA], [asound], [snd_spcm_init], [alsa/asoundlib.h], [-lm -l AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h]) +if test "x${host_os}" = "xlinux-gnu" ; then + AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h]) +fi + GSM_INTERNAL="yes" AC_SUBST(GSM_INTERNAL) GSM_SYSTEM="yes" diff --git a/doc/security.txt b/doc/security.txt index 0801679cc..3adf53624 100644 --- a/doc/security.txt +++ b/doc/security.txt @@ -28,6 +28,13 @@ The IAX2 protocol supports strong RSA key authentication as well as AES encryption of voice and signalling. The SIP channel does not support encryption in this version of Asterisk. +By default, if you have libcap available, Asterisk will try to retain the +CAP_NET_ADMIN capability when running as a non-root user. If you do not need +that capability you may want to configure Asterisk with --without-cap; however, +this will prevent Asterisk from being able to mark high ToS bits under Linux. +More information on CAP_NET_ADMIN is available at: +http://www.lids.org/lids-howto/node48.html + * DIALPLAN SECURITY First and foremost remember this: diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in index bdb34ef60..3906df6b3 100644 --- a/include/asterisk/autoconfig.h.in +++ b/include/asterisk/autoconfig.h.in @@ -62,6 +62,9 @@ /* Define to 1 if you have the `bzero' function. */ #undef HAVE_BZERO +/* Define to indicate the ${CAP_DESCRIP} library */ +#undef HAVE_CAP + /* Define to 1 if your system has a working `chown' function. */ #undef HAVE_CHOWN 
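Review bot: The guard `test "x${host_os}" = "xlinux-gnu"` in the second configure.ac hunk matches one exact host string, so the libcap check never runs on other Linux hosts, such as the `uclinux` and `linux-uclibc` values that main/Makefile treats as Linux. On those hosts the build gets no CAP_NET_ADMIN retention and gives no message, even when `--with-cap` was passed explicitly. If the exclusion is intended, a comment should say so; otherwise a pattern match would cover them, e.g. `case "${host_os}" in linux*|uclinux*) AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h]) ;; esac`.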
diff --git a/main/Makefile b/main/Makefile index 915891eb8..aeb13bd47 100644 --- a/main/Makefile +++ b/main/Makefile @@ -55,6 +55,9 @@ ifneq ($(findstring $(OSARCH), linux-gnu uclinux linux-uclibc ),) ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),) AST_LIBS+=-ldl endif + ifneq (x$(CAP_LIB),x) + AST_LIBS+=$(CAP_LIB) + endif AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv else AST_LIBS+=$(EDITLINE_LIB) -lm diff --git a/main/asterisk.c b/main/asterisk.c index 0aff65e0a..4906e7b5f 100644 --- a/main/asterisk.c +++ b/main/asterisk.c @@ -82,13 +82,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include <sys/stat.h> #ifdef linux #include <sys/prctl.h> -#endif +#ifdef HAVE_CAP +#include <sys/capability.h> +#endif /* HAVE_CAP */ +#endif /* linux */ #include <regex.h> -#ifdef linux -#include <sys/prctl.h> -#endif - #if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS) #include <netdb.h> #if defined(SOLARIS) @@ -2734,12 +2733,21 @@ int main(int argc, char *argv[]) } if (runuser && !ast_test_flag(&ast_options, AST_OPT_FLAG_REMOTE)) { +#ifdef HAVE_CAP + int has_cap = 1; +#endif /* HAVE_CAP */ struct passwd *pw; pw = getpwnam(runuser); if (!pw) { ast_log(LOG_WARNING, "No such user '%s'!\n", runuser); exit(1); } +#ifdef HAVE_CAP + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { + ast_log(LOG_WARNING, "Unable to keep capabilities.\n"); + has_cap = 0; + } +#endif /* HAVE_CAP */ if (!isroot && pw->pw_uid != geteuid()) { ast_log(LOG_ERROR, "Asterisk started as nonroot, but runuser '%s' requested.\n", runuser); exit(1); @@ -2760,6 +2768,19 @@ int main(int argc, char *argv[]) } if (option_verbose) ast_verbose("Running as user '%s'\n", runuser); +#ifdef HAVE_CAP + if (has_cap) { + cap_t cap; + + cap = cap_from_text("cap_net_admin=ep"); + + if (cap_set_proc(cap)) + ast_log(LOG_WARNING, "Unable to install capabilities.\n"); + + if (cap_free(cap)) + ast_log(LOG_WARNING, "Unable to drop capabilities.\n"); + } +#endif /* HAVE_CAP */ } #endif /* __CYGWIN__ */ 
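Review bot: In the `@@ -2734,12 +2733,21 @@` hunk, `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` runs before the `!isroot` check, so `has_cap` stays 1 even when Asterisk was started as the run user and no uid change follows. In that case the later `cap_set_proc()` presumably fails for lack of the capability and logs a warning on every start. Assuming `isroot` (defined outside the hunk) is non-zero only for a root start, `int has_cap = isroot;` together with `if (has_cap && prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {` would limit the capability path to the case where privileges are actually dropped. The call also needs a short comment, for example `/* must be set before the uid change further down in main() so the permitted set survives it */`, and the warning would be more useful with `strerror(errno)` appended.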
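Review bot: In the `@@ -2760,6 +2768,19 @@` hunk, `cap_from_text()` can return NULL and its result goes to `cap_set_proc()` unchecked, and a `cap_set_proc()` failure only logs a warning before startup continues. Because PR_SET_KEEPCAPS was set before the uid change, such a failure would, as far as capabilities(7) describes it, leave root's whole permitted set on the unprivileged process rather than just CAP_NET_ADMIN, so the failure path should clear the set explicitly. The `cap_free()` warning text "Unable to drop capabilities" also misdescribes what is a failure to release the libcap object. The block sits inside main(), which starts and ends outside the hunk.

```c
/* … unchanged: "Running as user" message … */
	if (has_cap) {
		cap_t cap = cap_from_text("cap_net_admin=ep");

		if (!cap || cap_set_proc(cap)) {
			/* Fall back to an empty set so the permitted capabilities
			 * kept across the uid change are not left in place. */
			cap_t none = cap_init();

			ast_log(LOG_WARNING, "Unable to install capabilities.\n");
			if (!none || cap_set_proc(none))
				ast_log(LOG_ERROR, "Unable to clear retained capabilities.\n");
			if (none)
				cap_free(none);
		}
		if (cap && cap_free(cap))
			ast_log(LOG_WARNING, "Unable to free capability state.\n");
	}
```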
diff --git a/makeopts.in b/makeopts.in index 045b7c117..bfd0c39e6 100644 --- a/makeopts.in +++ b/makeopts.in @@ -175,6 +175,9 @@ MISDN_LIB=@MISDN_LIB@ SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@ SUPPSERV_LIB=@SUPPSERV_LIB@ +CAP_LIB=@CAP_LIB@ +CAP_INCLUDE=@CAP_INCLUDE@ + TERMCAP_INCLUDE=@TERMCAP_INCLUDE@ TERMCAP_LIB=@TERMCAP_LIB@ TERMCAP_DIR=@TERMCAP_DIR@ |