In the file /etc/conf.d/asterisk installed by net-misc/asterisk-11.23.1, the variable ASTERISK_USER is described as having the option to run asterisk as some user with all groups that user is a member of. This setting used to work at least in net-misc/asterisk-11.21.2. However, the new init script introduced with the net-misc/asterisk-11.23.0 version bump (from bug #582512) broke this functionality since it unconditionally passes the "-G" command line parameter to asterisk (which the previous version didn't do). You can see in https://github.com/asterisk/asterisk/blob/11.23/main/asterisk.c#L3960 that with "rungroup" set (which is set if the "-G" command line parameter is present) the code skips the initgroups() call and so runs without supplemental groups (existing groups were dropped a few lines earlier).
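As an added illustration (not the init script attached to this bug, and not asterisk's own code), the following POSIX sh models the two halves of the report: ast_build_opts derives the -U/-G options from an ASTERISK_USER value and only emits -G when a group is explicitly configured, and ast_model_groups reproduces, against a constructed group table, what asterisk.c is described as doing after the privilege drop (rungroup set: only that group survives; no rungroup: initgroups() gives the primary group plus all supplementary groups). Both function names, the GROUP_DB table and the assumption that the primary group is named after the user are mine.

```shell
#!/bin/sh
# Constructed group database (NOT the host's /etc/group): asterisk's primary
# group plus two groups that list asterisk as a supplementary member.
GROUP_DB='asterisk:x:1001:
dialout:x:20:asterisk
audio:x:29:asterisk
root:x:0:'

# Build the -U/-G options from ASTERISK_USER ("user" or "user:group").
# -G is only passed when a group was configured explicitly: passing it
# unconditionally is the defect in the report, because asterisk then
# skips initgroups() and loses the user's supplementary groups.
ast_build_opts() {
    ast_user=${1%%:*}
    ast_group=
    case $1 in
        *:*) ast_group=${1#*:} ;;
    esac
    opts="-U ${ast_user}"
    if [ -n "$ast_group" ]; then
        opts="${opts} -G ${ast_group}"
    fi
    printf '%s\n' "$opts"
}

# Model of the privilege drop in asterisk.c as described in the report:
# with a rungroup (-G) the process keeps only that group; without it,
# initgroups() yields the primary group plus every supplementary group.
# Assumes, for this constructed database, that the primary group has the
# same name as the user. Prints the resulting group names, space separated.
ast_model_groups() {
    user=$1
    rungroup=$2
    if [ -n "$rungroup" ]; then
        printf '%s\n' "$rungroup"
        return
    fi
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$user" '
        $1 == u { out = out (out ? " " : "") $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) out = out (out ? " " : "") $1 }
        END { print out }'
}

# Usage as the init script would: derive the options for each configuration,
# then show which groups the resulting asterisk process would hold.
for cfg in asterisk asterisk:asterisk; do
    opts=$(ast_build_opts "$cfg")
    case $opts in *-G*) g=${opts##*-G } ;; *) g= ;; esac
    echo "ASTERISK_USER=$cfg -> $opts -> groups: $(ast_model_groups asterisk "$g")"
done
```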
Jaco, was that intentional?
Definitely not. Always passing -G was intentional (in my use case it's pretty much a given that I need that). Does asterisk initialize supplemental groups if you only pass -U? From what I recall it then only does setuid() and ends up still having a group of root ... but I can retest that. Based on the linked code it should be fine. I'll upload a patch (and an updated version of the script) in a moment. I still haven't managed to fix the other screwup I mentioned to you in IRC:

<jkroon> Chainsaw, i picked up a possible issue with the wrapper in asterisk.
<jkroon> on restart it can actually spawn multiple wrappers.
<jkroon> still contemplating the best possible fix.
<jkroon> just so you are aware so long.
<jkroon> looks like I may need to create a lock file for the loop itself, with pid in it, and then use a signal to notify the wrapper to stop, which will only release the lock post-shutdown.
<jkroon> but i'll figure that one out.
<jkroon> not sure why it became a problem for us now.
<jkroon> seems to happen if asterisk doesn't actually stop in time and the next startup then causes problems

Will try and perform that here too at the same time. In essence: the wrapper itself rm's the .running file. Whilst that file exists it keeps looping: failure to shut down in time (asterisk stop) leaves the file not existing but the loop still running. The next startup then creates the file again, and spawns a loop. This then results in both loops continuing to run.
Created attachment 447886 [details] asterisk.init9

The update to fix the wrapper script is even harder than I thought - but in the meantime we can at least fix -G without going backwards on the other changes. You'll need to test this one to confirm whether it does what's intended, but at the very least it should give you an indication:

 * Starting asterisk as : asterisk:asterisk [ ok ]

vs:

 * Starting asterisk as : asterisk:asterisk (+suplementaries) [ ok ]

And in the latter case the cmdline is:

/usr/sbin/asterisk -C /etc/asterisk/asterisk.conf -f -g -U asterisk

So it looks good now. In the former case -G is still passed.
Created attachment 447888 [details, diff] diff showing the changes made for review

As promised. I want to discuss the wrapper loop situation with you first. We may have to implement a max wait before forcibly killing asterisk. Or at the very least possibly add an extra function to achieve that (forcestop and forcerestart perhaps), including config to do that automatically after a configured timeout.
(In reply to Jaco Kroon from comment #2)
(..)
> Does asterisk initialize supplemental groups if you only pass -U? From what
> I recall it then only does setuid() and ends up still having a group of root
> ... but I can retest that. Based on the linked code it should be fine.

Yes it does (as long as it was originally started as root) - the link in my first comment points to the part of the code where initgroups() is called. Also, while waiting for this bug to be fixed I've commented out the "OPTS="${OPTS} -G ${ast_group}"" line in the init script and this resulted in supplemental groups being correctly added.
Tony, This one we also still need to look at. Kind Regards, Jaco
Created attachment 504458 [details] asterisk.init10

Updated version of the update, building on the previous one, and implementing the following additional improvements:

* Ability to select an alternate stop mechanism, selecting between:
  - core stop now - drops all calls and shuts down immediately.
  - core stop gracefully - stop accepting new calls, shut down when all are done.
  - core stop when convenient - keep accepting new calls, shut down at the first opportunity.
* Ability to modify the total wait time (e.g., normally I don't mind waiting even two hours for a call to finish, but I cannot afford to drop calls, which is why I'd also *normally* want to use "core stop when convenient"), including being able to wait indefinitely.
* Cosmetic changes to use the ast_instancename variable in more locations.

An update to the confd file is also required to utilize these changes.

I did pick up that it can take some time before the waiting line is output, which is due to the asterisk CLI not actually returning immediately. I don't think this is a serious problem as it'll normally wait a few seconds.
Created attachment 504460 [details] asterisk.confd
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bef6c9937500cd1ff103da2117d7e20f268cfa47

commit bef6c9937500cd1ff103da2117d7e20f268cfa47
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2020-03-15 18:45:40 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-20 09:09:29 +0000

net-misc/asterisk: version bump 13.32.0

Normal release. Issues reported to Gentoo fixed from upstream was mysql's my_bool that went away. Include patches for binutils 2.34 (also submitted upstream so expect removal in next release).

Also includes various init script improvements I've been running with for a while now.

Closes: https://bugs.gentoo.org/594964
Closes: https://bugs.gentoo.org/624038
Closes: https://bugs.gentoo.org/710484
Closes: https://bugs.gentoo.org/711582
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/14986
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/Manifest                                |   1 +
 net-misc/asterisk/asterisk-13.32.0.ebuild                 | 332 ++++++++++++++++++
 .../files/asterisk-13.32.0-binutils-2.34.patch            |  17 +
 .../asterisk-historic-dahdiras-without-root.patch         |  23 ++
 .../asterisk-historic-dundi-null-dereference.patch        |  40 +++
 ...terisk-historic-invert-gmine-search-order.patch        |  12 +
 .../asterisk-historic-no-var-run-install.patch            |  14 +
 .../asterisk/files/asterisk-historic-uclibc.patch         |  23 ++
 net-misc/asterisk/files/confd-13.32.0                     | 160 +++++++++
 net-misc/asterisk/files/initd-13.32.0                     | 380 +++++++++++++++++++++
 10 files changed, 1002 insertions(+)