diff options
Diffstat (limited to 'main/asterisk.c')
-rw-r--r-- | main/asterisk.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/main/asterisk.c b/main/asterisk.c index 2ece4c7d8..91d4513d0 100644 --- a/main/asterisk.c +++ b/main/asterisk.c @@ -80,13 +80,12 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") #include <sys/stat.h> #ifdef linux #include <sys/prctl.h> -#endif +#ifdef HAVE_CAP +#include <sys/capability.h> +#endif /* HAVE_CAP */ +#endif /* linux */ #include <regex.h> -#ifdef linux -#include <sys/prctl.h> -#endif - #if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS) #include <netdb.h> #if defined(SOLARIS) @@ -2521,12 +2520,22 @@ int main(int argc, char *argv[]) } if (!is_child_of_nonroot && runuser) { +#ifdef HAVE_CAP + cap_t cap; + int has_cap = 1; +#endif /* HAVE_CAP */ struct passwd *pw; pw = getpwnam(runuser); if (!pw) { ast_log(LOG_WARNING, "No such user '%s'!\n", runuser); exit(1); } +#ifdef HAVE_CAP + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { + ast_log(LOG_WARNING, "Unable to keep capabilities.\n"); + has_cap = 0; + } +#endif /* HAVE_CAP */ if (!rungroup) { if (setgid(pw->pw_gid)) { ast_log(LOG_WARNING, "Unable to setgid to %d!\n", (int)pw->pw_gid); @@ -2544,6 +2553,18 @@ int main(int argc, char *argv[]) setenv("ASTERISK_ALREADY_NONROOT", "yes", 1); if (option_verbose) ast_verbose("Running as user '%s'\n", runuser); +#ifdef HAVE_CAP + if (has_cap) { + cap = cap_from_text("cap_net_admin=ep"); + if (cap_set_proc(cap)) { + ast_log(LOG_WARNING, "Unable to install capabilities.\n"); + break; + } + if (cap_free(cap)) { + ast_log(LOG_WARNING, "Unable to drop capabilities.\n"); + } + } +#endif /* HAVE_CAP */ } #endif /* __CYGWIN__ */ |