Bug 445176 - >=net-misc/asterisk-10.10.0-r1 - init script on hardened system: error on wrapper pid
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Tony Vroon (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-29 11:50 UTC by Vincent Brillault
Modified: 2013-01-24 13:10 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
updated asterisk init.d (asterisk, 7.11 KB, text/plain), 2013-01-16 11:54 UTC, Jaco Kroon

Description Vincent Brillault 2012-11-29 11:50:59 UTC
The current wrapper system of asterisk init script doesn't work on hardened systems. Starting the services gives the following warning:
[22935.360843] grsec: From 1....: denied read of sensitive /proc/pid/stat entry via fd passed across exec by /bin/cut[cut:7620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:7617] uid/euid:0/0 gid/egid:0/0

As a result /var/run/asterisk/wrapper_loop.pid is empty, which means that the ''kill `cat /var/run/asterisk/wrapper_loop.pid`'' cannot work.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2013-01-14 19:14:25 UTC
Jaco, I can actually confirm this on my system:
Portage 2.1.11.31 (hardened/linux/amd64/no-multilib, gcc-4.5.4, glibc-2.15-r3, 3.7.0-hardened x86_64)
=================================================================
System uname: Linux-3.7.0-hardened-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2218-with-gentoo-2.1
Timestamp of tree: Mon, 14 Jan 2013 12:30:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-lang/python:          2.4.6, 2.7.3-r2
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.10.3, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/lib/asterisk"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /var/lib/asterisk/static-http/"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles lmirror merge-sync mirror news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles-cache.linx.net:8080/"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://portage-rsync.linx.net/gentoo-portage"
USE="amd64 apache2 berkdb bzip2 cli crypt curl cxx dahdi dri ecmark2 fortran gd gnutls hardened http iconv idn ilbc ipv6 jabber jbig jingle jpeg justify logrotate mmx modules mudflap mysql ncurses newt no-old-linux nptl ogg pam passwdqc pax_kernel pcre perl pppd python readline rtc session snmp span speex srtp sse sse2 ssl syslog unicode urandom vim-syntax vorbis watchdog xml xmlreader xmlwriter zaptel zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" 
PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

(IP address obfuscated)
grsec: From 888.888.888.888: denied read of sensitive /proc/pid/stat entry via fd passed across exec by /bin/cut[cut:23034] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/runscript.sh[runscript.sh:23031] uid/euid:0/0 gid/egid:0/0
Comment 2 Jaco Kroon 2013-01-14 19:44:05 UTC
Crap.  That's not good.  We need the PID value of the specific shell instance running the loop.

$$ isn't good enough as per this example:

jkroon@greyscale ~ $ ( echo >/dev/null | cut -d' ' -f4 </proc/self/stat; echo $$ ) | cat
1656
1414

If those values were the same we could have used $$.  Other mechanisms of obtaining the PID of the shell instance running the wrapper - in a *portable* manner that will work with bash and dash (at least, those are probably the two most popular targets for /bin/sh).  $$ gives me the PID of the outer bash script in the above case, and that's no good for the init script's needs.  If we *knew* we were using bash we could use ${BASHPID}:

jkroon@greyscale ~ $ ( echo >/dev/null | cut -d' ' -f4 </proc/self/stat; echo $$; echo $BASHPID ) | cat | cat
1697
1414
1697

but this is definitely not portable.
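The mismatch shown in Comment 2, as an added example that is not part of the bug report or of the asterisk init script: inside a subshell `$$` still names the parent script, so a pidfile written from `$$` would identify the wrong process, while a forked `sh -c 'echo $PPID'` reports the PID of the exact shell instance that ran it. That works in both bash and dash and reads nothing from /proc, so no descriptor is passed across exec for grsecurity to object to. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug or the init script). Demonstrates that $$
# inside a subshell is the parent's PID, and that `sh -c 'echo $PPID'` gives
# the real PID of the calling shell instance without touching /proc.

# Print two numbers from inside a subshell, one per line:
#   line 1: the PID a forked helper sees as its parent (the subshell's real PID)
#   line 2: the value of $$ as seen inside that same subshell
# The helper is deliberately not the last command of the subshell, because
# bash may exec the final command of a subshell directly instead of forking.
subshell_pids() {
    (
        sh -c 'echo $PPID'
        echo "$$"
    )
}

# Exit 0 when $$ inside the subshell equals the caller's $$ while the real
# subshell PID differs from it, i.e. when $$ would mislead a pidfile writer.
dollar_is_misleading() {
    set -- $(subshell_pids)
    real=$1
    dollar=$2
    [ "$dollar" = "$$" ] && [ "$real" != "$dollar" ]
}

# Portable way to record the PID of the current shell instance, which is what
# a wrapper loop would write to its pidfile. Output is redirected straight
# into the file so no command-substitution subshell sits in between.
write_own_pid() {
    sh -c 'echo $PPID' > "$1"
}

# Exit 0 when write_own_pid, called from inside a subshell, records a PID that
# differs from $$ but matches what a second sh -c reports for that subshell.
write_own_pid_is_consistent() {
    f=$(mktemp)
    (
        write_own_pid "$f"
        echo "$$" >> "$f"
        sh -c 'echo $PPID' >> "$f"
        :   # keep the external command from being the subshell's last command
    )
    set -- $(cat "$f")
    rm -f "$f"
    [ "$1" != "$2" ] && [ "$1" = "$3" ]
}

# Show the two values when the script is run directly.
subshell_pids | {
    read -r real
    read -r dollar
    echo "real subshell PID=$real, \$\$ inside the subshell=$dollar (parent is $$)"
}
```

The trailing `:` in the subshells matters: bash can exec the last command of a subshell in place of forking it, and in that case the helper would become the subshell process itself and report the parent instead.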
Comment 3 Jaco Kroon 2013-01-14 19:58:42 UTC
Ok, some additional notes on the init script I just spotted:

in stop(), we should swap the is_running and killing of the wrapper script checks, or find a cleaner way to shut down the wrapper.  One suggestion where we may not actually *need* the pidfile is to use a set of flag files instead.  Possible scheme (using flock), uses a double-file but no pid:

start:

take flock on /var/run/asterisk_wrapper.lock
check if /var/run/asterisk_wrapper.running exists, if it doesn't start it.
wait for asterisk_wrapper.running to exist
release flock on /var/run/asterisk_wrapper.lock

stop (and forcestop actually):

take flock on /var/run/asterisk_wrapper.lock
if asterisk_wrapper.running exists - remove it
issue asterisk shutdown command (either kill or asterisk -rx "core stop ...")
release flock on /var/run/asterisk_wrapper.lock

in the wrapper:

on startup, create the .running file and set the trap to rm it.
only loop as long as this file exists.

Then, forcestop doesn't kill the wrapper.

Perhaps we should try and address those issues in the same revamp?
Comment 4 Jaco Kroon 2013-01-16 11:54:58 UTC
Created attachment 335812 [details]
updated asterisk init.d

Rather simplified version, basic changelog from previous version:

optimize is_running:
 - check for an asterisk pidfile first - if it doesn't exist obviously asterisk isn't running.
 - call pidof only once and store result in local variable.

Loop itself:
 - merely touch /var/run/asterisk/wrapper_loop.running to indicate that the loop is running.
 - only loop as long as the file exists.
 - output terminating message on loop termination (handy for debugging).

create wrapperstop() function:
 - checks for previously used .pid file and kills that pid.  This is so that directly after an update /etc/init.d/asterisk {stop|forcestop|restart} will still work.
 - checks for .running file and rm's it.

Update forcestop() to first call wrapperstop.

Update stop() to utilize wrapperstop() - switching the wrapperstop to be before the is_running() check for asterisk.  This is useful because I've seen cases where asterisk dies, but due to is_running returning false multiple wrapper loops eventually get started - flooding my inbox with hundreds - sometimes THOUSANDS of pointless emails.

There is one thing that should maybe still be addressed, and that is to reset asterisk's running state to stopped from within the loop should asterisk terminate normally (i.e., won't be restarted), and potentially "crashed" during the "wait for restart" periods - but I have no idea how to do that.
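The flag-file scheme proposed in Comment 3 and implemented in the Comment 4 attachment, as an added example that is neither the Gentoo init script nor its attachment: the loop announces itself by creating a ".running" file and keeps restarting the supervised command only while that file exists, so start and stop never need the loop's PID. A `mkdir` lock stands in for the flock(1) that Comment 3 suggests, so only POSIX tools are needed; all paths, function names and the supervised command are constructed for this example.

```shell
#!/bin/sh
# Added example (not the asterisk init script). Supervisor loop controlled by
# a ".running" flag file plus a lock, so the controller never needs its PID.
# Paths and names are constructed; flock(1) is replaced by an atomic mkdir.

RUNDIR=${RUNDIR:-$(mktemp -d)}
LOCKDIR="$RUNDIR/wrapper.lock"          # mutex serialising start and stop
RUNNING="$RUNDIR/wrapper_loop.running"  # exists exactly while a loop runs
LOG="$RUNDIR/wrapper.log"               # the loop's own messages

# mkdir is atomic, so whichever caller creates the directory holds the lock.
lock()   { while ! mkdir "$LOCKDIR" 2>/dev/null; do sleep 0.1; done; }
unlock() { rmdir "$LOCKDIR"; }

# The supervisor loop. $1 is the command line to keep alive. It is run in the
# background, so the EXIT trap belongs to that background shell only.
wrapper_loop() {
    : > "$RUNNING"
    trap 'rm -f "$RUNNING"' EXIT
    echo "wrapper loop started" >> "$LOG"
    while [ -e "$RUNNING" ]; do
        echo "starting child" >> "$LOG"
        sh -c "$1" || echo "child exited with status $?" >> "$LOG"
        # Child is gone (crash or clean exit): stop promptly if the controller
        # removed the flag meanwhile, otherwise pause briefly and restart.
        [ -e "$RUNNING" ] || break
        sleep 0.2
    done
    echo "wrapper loop terminated" >> "$LOG"
}

# start: under the lock, launch a loop only if no flag exists, then wait for
# the new loop to create it. A repeated start is a no-op, which is what
# prevents the duplicate loops described in Comment 4.
start() {
    lock
    if [ ! -e "$RUNNING" ]; then
        wrapper_loop "$1" &
        i=0
        while [ ! -e "$RUNNING" ] && [ "$i" -lt 50 ]; do
            sleep 0.1
            i=$((i + 1))
        done
    fi
    unlock
    [ -e "$RUNNING" ]
}

# stop (and forcestop): under the lock, remove the flag so the loop winds down
# after the current child exits. The real init script would also tell the
# daemon to shut down here; this example's child is expected to exit itself.
stop() {
    lock
    rm -f "$RUNNING"
    unlock
}

# Wait up to $1 seconds (default 5) for the loop to log its termination.
wait_terminated() {
    n=$(( ${1:-5} * 10 ))
    while [ "$n" -gt 0 ]; do
        grep -q 'wrapper loop terminated' "$LOG" 2>/dev/null && return 0
        sleep 0.1
        n=$((n - 1))
    done
    return 1
}

# How many loops were ever started; stays at 1 across repeated start calls.
loops_started() {
    [ -e "$LOG" ] || { echo 0; return 0; }
    grep -c 'wrapper loop started' "$LOG" || true
}
```

Source the file and call `start 'some-command'`, then `stop`; `$LOG` records every child start, every non-zero child exit status and the loop's termination, which gives the debugging trace Comment 4 asks for. Because the flag is checked again right after the child exits, a stop issued while the child is still running takes effect as soon as that child is gone, without any signal to the loop.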
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2013-01-17 09:21:47 UTC
Vincent, could you confirm that this resolves the issue you reported earlier please?
Comment 6 Vincent Brillault 2013-01-17 09:41:38 UTC
Sorry for the delay.

Yes it seems to fix the problem:
- No more warning on start/stop
- Start correctly
- Restart correctly if the asterisk process is killed (with a 9 signal)

Please tell me if you need more testing.

(I discovered a SELinux glitch (the wrapper does not have rights to send mails), will look at it soon ;))
Comment 7 Jaco Kroon 2013-01-17 10:14:31 UTC
Thanks for the feedback.  Sorry, not going to rip the email stuff out of there - I really need that.
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2013-01-24 13:10:33 UTC
+*asterisk-11.2.1 (24 Jan 2013)
+*asterisk-1.8.20.1 (24 Jan 2013)
+
+  24 Jan 2013; Tony Vroon <chainsaw@gentoo.org> +files/1.8.0/asterisk.initd5,
+  -files/1.8.0/asterisk.initd, -files/1.8.0/asterisk.initd2,
+  -files/1.8.0/asterisk.initd3, +asterisk-1.8.20.1.ebuild,
+  +asterisk-11.2.1.ebuild:
+  Partial rewrite of the init script by Jaco Kroon addresses shortcomings
+  identified by Vincent Brillault in bug #445176. Upstream fixes include an
+  astcanary PID mix-up and a necessary reset of the RTP sequence counter when
+  SSRC changes.