Bug 761442 - asterisk-13.36 - ast_db_put: Couldn't execute statement: attempt to write a readonly database
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Jaco Kroon
Keywords: PullRequest
Reported: 2020-12-23 22:23 UTC by Joseph
Modified: 2021-03-19 08:52 UTC
Description Joseph 2020-12-23 22:23:02 UTC
After installing asterisk-13.36 asterisk could not start. 

/etc/init.d/asterisk start
 * Starting asterisk PBX ...
 *   Max open filedescriptors  : 4096
 *   Starting asterisk as      : asterisk:asterisk (+supplementaries)
 *   Signalling asterisk wrapper script to terminate ...                                                                                                                           [ !! ]
 * ERROR: asterisk failed to start

as root I had to type "asterisk" 
I think it creates database "astdb.sqlite3" in:
/var/lib/asterisk 

However, this database has owner root:root; in another version of asterisk the owner was: 
-rw-r--r-- 1 asterisk asterisk 16384 Dec 23 15:02 astdb.sqlite3

But even after changing the owner I'm getting an error when running asterisk.
When devices are trying to register I get errors:

db.c:350 ast_db_put: Couldn't execute statement: SQL logic error
db.c:350 ast_db_put: Couldn't execute statement: attempt to write a readonly database





Reproducible: Always

Steps to Reproduce:
I've tried to follow the solution from:
https://community.asterisk.org/t/asterisk-warning/78443

But it didn't help.
I think the installation script has an error and does not create the correct file with appropriate permissions and ownership. 
Actual Results:  
For example old installation eg. asterisk-11.25  directory:
/var/lib/asterisk # 
total 56
drwxr-xr-x 2 root     root      4096 Jan 15  2018 agi-bin
-rw-r--r-- 1 asterisk asterisk 12288 Dec 23 13:44 astdb.sqlite3
drwxr-xr-x 2 asterisk asterisk  4096 Mar 14  2018 coredump
drwxr-xr-x 3 root     root      4096 Jan 15  2018 documentation
drwxr-xr-x 3 root     root      4096 Jan 15  2018 firmware
drwxr-xr-x 2 root     root      4096 Jan 15  2018 images
drwxr-xr-x 2 root     root      4096 Jan 15  2018 keys
drwxr-xr-x 2 asterisk asterisk  4096 Jan 15  2018 moh
drwxr-xr-x 2 root     root      4096 Jan 15  2018 phoneprov
drwxr-xr-x 3 root     root      4096 Apr  4  2013 sounds
drwxr-xr-x 2 root     root      4096 Jan 15  2018 static-http

New installation, asterisk-13.36: everything is root:root
/var/lib/asterisk # ll
total 84
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 agi-bin
-rw-r--r-- 1 root     root     16384 Dec 23 15:02 astdb.sqlite3
drwxr-xr-x 3 root     root      4096 Dec 23 13:59 documentation
drwxr-xr-x 3 root     root      4096 Dec  6 18:39 firmware
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 images
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 keys
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 moh
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 phoneprov
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 rest-api
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 scripts
drwxr-xr-x 3 root     root      4096 Dec 23 13:59 sounds
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 static-http
drwxr-xr-x 2 root     root      4096 Dec 23 13:59 third-party


emerge --info
Portage 3.0.9 (python 3.8.6-final-0, default/linux/amd64/17.1/desktop, gcc-9.3.0, glibc-2.32-r3, 5.4.72-gentoo x86_64)
=================================================================
System uname: Linux-5.4.72-gentoo-x86_64-AMD_Ryzen_7_3800XT_8-Core_Processor-with-glibc2.2.5
KiB Mem:    32854404 total,  11358256 free
KiB Swap:     524284 total,    524284 free
Timestamp of repository gentoo: Wed, 23 Dec 2020 06:30:01 +0000
Head commit of repository gentoo: 6c359a2eac57578d5b4155291a5bff607cbcdca5
sh bash 5.0_p18
ld GNU ld (Gentoo 2.34 p6) 2.34.0
app-shells/bash:          5.0_p18::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          3.7.9::gentoo, 3.8.6::gentoo, 3.9.0::gentoo
dev-util/cmake:           3.17.4-r1::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.20::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.2-r1::gentoo
sys-devel/binutils:       2.34-r2::gentoo
sys-devel/gcc:            9.3.0-r2::gentoo
sys-devel/gcc-config:     2.3.2-r1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.4-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.32-r3::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-extra-opts: 

brother-overlay
    location: /var/lib/layman/brother-overlay
    masters: gentoo
    priority: 50

Local
    location: /usr/local/portage
    masters: gentoo
    priority: 99999999

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA @FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/fax /usr/lib64/libreoffice/program/sofficerc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /var/spool/fax/etc /var/www/localhost/htdocs/phpmyadmin"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.4/ext-active/ /etc/php/cgi-php7.4/ext-active/ /etc/php/cli-php7.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /var/spool/fax/etc/xferfaxlog"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask-write=y --keep-going --with-bdeps=y"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://mirror.csclub.uwaterloo.ca/gentoo-distfiles/ http://gentoo.osuosl.org/ ftp://mirror.csclub.uwaterloo.ca/gentoo-distfiles/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8 --load-average=8"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acpi alsa amd64 apache2 bluetooth branding bzip2 cairo cdda cdr cgi cleartype cli corefonts crypt cups dbus dri dts dvd dvdr elogind emboss encode exif fam flac foomaticdb fortran gdbm gif gimp gimpprint gpm gtk gui iconv icu ipv6 java jpeg kpathsea lcms libglvnd libnotify libtirpc lock mad mng mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds qt5 qtk readline scanner sdl seccomp session spell split-usr ssl startup-notification svg tcpd tetex thunar tiff truetype type1 udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" 
PHP_TARGETS="php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_8" PYTHON_TARGETS="python2_7 python3_8" RUBY_TARGETS="ruby25 ruby26" SANE_BACKENDS="fujitsu epson2" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Joseph 2020-12-23 23:36:27 UTC
I've tried asterisk-16.13.0 same thing is happening.

When the user removes the file: /var/lib/asterisk/astdb.sqlite3
and starts asterisk, this file should be created, shouldn't it?

But /etc/init.d/asterisk start
fails to start and this file isn't created. 

This file is created when the user types as root: "asterisk", but with the wrong ownership.
As a result one can start asterisk with: "/etc/init.d/asterisk start"

but any device that is trying to register to running asterisk is getting error messages:


[Dec 23 16:27:05] WARNING[5481]: db.c:350 ast_db_put: Couldn't execute statement: SQL logic error
    -- Registered SIP 'pstn-5665' at 10.0.0.110:5060
       > Saved useragent "Audiocodes-Sip-Gateway-/v.5.80A.032.003" for peer pstn-5665
[Dec 23 16:27:05] WARNING[5481]: db.c:350 ast_db_put: Couldn't execute statement: SQL logic error
    -- Registered SIP 'pstn-1270' at 10.0.0.110:5060
       > Saved useragent "Audiocodes-Sip-Gateway-/v.5.80A.032.003" for peer pstn-1270
[Dec 23 16:27:05] NOTICE[5481]: chan_sip.c:24776 handle_response_peerpoke: Peer 'pstn-5665' is now Reachable. (62ms / 2000ms)
[Dec 23 16:27:05] WARNING[5481]: db.c:350 ast_db_put: Couldn't execute statement: attempt to write a readonly database
    -- Registered SIP '369' at 10.0.0.110:5060
       > Saved useragent "Audiocodes-Sip-Gateway-/v.5.80A.032.003" for peer 369
[Dec 23 16:27:05] NOTICE[5481]: chan_sip.c:24776 handle_response_peerpoke: Peer 'pstn-1270' is now Reachable. (88ms / 2000ms)
[Dec 23 16:27:05] WARNING[5481]: db.c:350 ast_db_put: Couldn't execute statement: attempt to write a readonly database
    -- Registered SIP '55' at 10.0.0.110:5060
       > Saved useragent "Audiocodes-Sip-Gateway-/v.5.80A.032.003" for peer 55
[Dec 23 16:27:05] NOTICE[5481]: chan_sip.c:24776 handle_response_peerpoke: Peer '55' is now Reachable. (38ms / 2000ms)

Correcting ownership of "astdb.sqlite3" file does not solve the problem, so I suspect there are other files that have wrong ownership.
Comment 2 Joseph 2020-12-24 00:03:46 UTC
I was correct, the problem is with Gentoo initialization/initialization script:
/etc/init.d/asterisk start

This script is supposed to check and/or create the directory permission 
asterisk:root  /var/lib/asterisk

but it doesn't. Executing the command "asterisk" as root creates that directory and the database "astdb.sqlite3", but with the wrong ownership "root:root"; that is why asterisk cannot write to that database.

The solution is to change ownership of dir from:
root:root  /var/lib/asterisk

to:
asterisk:root  /var/lib/asterisk

and database "astdb.sqlite3" with ownership:
-rw-r--r-- 1 asterisk asterisk astdb.sqlite3

Same thing is happening with asterisk-16.
Are you folks checking these ebuild before marking them "stable"???
Comment 3 Jaco Kroon 2020-12-24 09:09:07 UTC
Yes you're right.

Sorry, I place the sqlite DB in /var/lib/asterisk/astdb (which is mounted on ramdisk) owned asterisk:asterisk.

Other than that single file in /var/lib/asterisk nothing else needs writing for asterisk.

Quick fix for you:  chown asterisk: /var/lib/asterisk

Alternatively, move astdb to a location (/var/spool/asterisk?) which is writeable by asterisk.

Long term solutions:

1.  Ebuild to set ownership of /var/lib/asterisk to asterisk:asterisk
2.  Tamper with default configs such that astdb resides in /var/lib/asterisk/astdb by default, and we install that as asterisk:asterisk 755 by default.

I don't like 1 for reasons of security.  But do-able.  If asterisk owns /var/lib/asterisk it becomes possible that a primary stage attack could result in an attacker updating stuff in /var/lib/asterisk (which includes audio played back to callers, the static http server content, scripts potentially executed by asterisk or related processes etc ...) - so possibly not excessively serious, but still preferred to be avoided.  /var/spool/asterisk on the other hand 

I don't like 2 for reasons of migration complexity (existing installed systems).  Basically we'd need to install the additional folder.  And at asterisk startup, determine if /var/lib/asterisk/astdb.sqlite3 exists, what the configured astdb dir is and then move it to the configured folder (or we can make assumptions, or simply fail startup or something).  Either way, this gets really nasty very quickly.  Or force the user to manually migrate first if this is an existing install in pkg_setup() ?

I do like option 2 better for "new installs", but tricky to migrate existing installs.

Ideas or comments?
Comment 4 Joseph 2020-12-24 20:02:21 UTC
Thank you for looking into it. I hope it will solve some other frustration.  It must be a bug from the asterisk upstream branch as I've noticed a lot of similar messages on other forums.

Another problem I have with asterisk-13 and asterisk-16 is the MWI.

asterisk-13 takes over an hour to clear the MWI light

In asterisk-11 the MWI light was cleared as soon as I checked the message.
In asterisk-13 it takes about 20min to set the light ON and the light
takes over an hour to clear. (I've standard POTS phones)

What had changed?

In sip.conf

[400]
...
mailbox=400

voicemail.conf
[default]
400 => ,user, email

I've tried to enable in sip.conf "subscribemwi=yes" but it doesn't help.
On Asterisk-mailing-list someone commented that they had experienced the same thing after upgrading to Asterisk-13 and the problem was solved by upgrading to asterisk-16

--------quote-------
I had this problem following an upgrade between releases of Asterisk 13 last year, but I upgraded to Asterisk 16 and the problem went away without any need for configuration changes.

Julian
------end quote-------

I just emerged asterisk-16.13.0 but it didn't solve the problem.  The MWI light on my phone does not light up. 

I know they changed the way MWI works starting from asterisk-12, but I cannot find any instructions on how to make it work. 
Any pointers? 

....{@} * {@} * {@}         Merry X-mas and a Happy New Year!
{@} * {@} * {@} * {@}       Wish you all extra ordinary good luck!
     {@} * {@} * {@}
     \ \ \ 2021 / / /
Comment 5 Jaco Kroon 2020-12-25 03:16:37 UTC
Hi,

(In reply to Joseph from comment #4)
> Thank you for looking into it. I hope it will solve some other frustration. 
> It must be a bug from the asterisk upstream branch as I've noticed a lot of
> similar messages on other forums.

Interesting.  And I think you may be right (from 16.15.1-r1 ebuild):

    diropts -m 0750 -o asterisk -g root
    keepdir /var/lib/asterisk

Our init script in 11 used to perform some resets, wonder if that's not perhaps the change you're after.  I suggest we keep root:root for /var/lib/asterisk - but then store astdb elsewhere not in there (I just need to figure out migration).  Even if the process ends up blocking in pkg_setup() and forcing manual migration.

> Another problem I have with asterisk-13 and asterisk-16 is the MWI.
> 
> asterisk-13 takes over an hour to clear the MWI light
> 
> In asterisk-11 the MWI light was cleared as soon as I checked the message.
> In asterisk-13 it takes about 20min to set the light ON and the light
> takes over an hour to clear. (I've standard POTS phones)
> 
> What had changed?

Both chan_sip?  File a bug upstream please.  I'm probably one of the only people still willing to touch chan_sip.  Once logged upstream, you're welcome to prod me.  If I recall I saw similar things off late, but haven't bothered investigating just yet.  Should be a separate bug here too, but let's please first fix that upstream, not @ Gentoo.

> I've tried to enable in sip.conf "subscribemwi=yes" but it doesn't help.
> On Asterisk-mailing-list someone commented that they had experienced the same
> thing after upgrading to Asterisk-13 and the problem was solved by upgrading
> to asterisk-16

If that's the case, we're too late, 13 is in security-only mode now.  I'm going to be pushing for 16 stable early in 2021 (hopefully by March).  Adding 18 builds as ~, and keeping 13 in case someone really needs it.  Will probably hard-mask around middle of the year and give 3-6 months heads up.

Kind Regards,
Jaco
Comment 6 Joseph 2020-12-25 04:35:42 UTC
I would like to submit a bug report but I don't know where to.
Can you provide a link? 

I'm not a developer just an end user.
Comment 7 Jaco Kroon 2020-12-25 15:05:23 UTC
(In reply to Joseph from comment #6)
> I would like to submit a bug report but I don't know where to.
> Can you provide a link? 
> 
> I'm not a developer just an end user.

https://issues.asterisk.org/

Please just confirm affected versions first.
Comment 8 Joseph 2020-12-25 21:41:47 UTC
I created an upstream bug:
https://issues.asterisk.org/jira/browse/ASTERISK-29224?filter=-2

Maybe somebody will look into it.  As I've mentioned because of MWI light not working, I can use ver.13 in production.  This bug had not been fixed in Ver.13 which is obsolete; they no longer accept bugs issues for this version.  
This bug had been carried over to ver. 16 (I'm currently on 16.13.0); which is not suitable for production because of this bug. 

They are introducing new versions without fixing old one.  What is the point of moving forward when old stuff doesn't work?  

Starting with Asterisk-18 channel-SIP will be obsolete, replaced by "pjsip".
Introducing a new can of worms.  Will our equipment work with pjsip is a big question mark.

In production, we need reliable technology.  My asterisk-11.25 is still working in production as all seem to work.
Comment 9 Jaco Kroon 2021-01-08 19:30:08 UTC
Hi All,

Just want to update.  Whilst I pushed a -r2 (still WIP), this is specifically not included since it's a fairly major change.

I'm assuming that existing systems will keep working, but new systems are a problem (and there is a simple workaround).

Fixing this for new installs should be fairly easy, but I'm trying to figure out how to handle existing installs.
Comment 10 Joseph 2021-01-08 21:44:18 UTC
It shouldn't be difficult for existing installations. Write some kind of a script to check for correct ownership of the file and directory 

asterisk:root  /var/lib/asterisk

and database "astdb.sqlite3" with ownership:
-rw-r--r-- 1 asterisk asterisk astdb.sqlite3

If it is anything else, overwrite it.
Comment 11 Jaco Kroon 2021-01-09 10:58:54 UTC
Hi,

(In reply to Joseph from comment #10)
> It shouldn't be difficult for existing installations. Write some kind of
> a script to check for correct ownership of the file and directory 
> 
> asterisk:root  /var/lib/asterisk

Existing ownership permissions aren't modified.  However, the above really is the *wrong* ownership, root:root is more appropriate.  The *only* reason asterisk needs write here is because of astdb ... which is why I'd prefer to put it in a folder of its own under /var/lib/asterisk, namely /var/lib/asterisk/astdb - and update the defaults to point there too, but existing astdb files will need to be migrated.  Something in the init script might be good enough to detect that /var/lib/asterisk/astdb exists, as well as /var/lib/asterisk/asterisk.sqlite3 and rather warn the user and refuse to start.

coredump is already like this, so /var/lib/asterisk/coredump is asterisk:asterisk since in the case of a coredump the kernel will (if asterisk init script set it up) write, as the asterisk user, a coredump file here.

If you look at everything else in /var/lib/asterisk, it's root:root and that's adequate (and in my opinion, better - there is no reason for asterisk to be able to write to ANY of that).

I can check the current settings, but you need to keep things like binary packages in mind too.  The one sticky issue is that I can only access the filesystem during certain phases due to more and more strict sandboxing (which is a good thing).

> and database "astdb.sqlite3" with ownership:
> -rw-r--r-- 1 asterisk asterisk astdb.sqlite3

This is right, but in and by itself not good enough due to:

-rw-r--r--  1 asterisk asterisk  13K Jan  9 12:54 astdb.sqlite3-journal

Which only exists as long as sqlite has the database open.
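
The layout Comment 11 argues for (state directory root:root, a separate astdb directory owned by the service user, refusal to start while a database is still at the old path), written as a pre-start check. This is an added example, not the Gentoo init script or ebuild; the function names, finding labels and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not the Gentoo init script: pre-start audit of the layout
# argued for in this bug. Function names and finding labels are invented here.

# Print the owning user name of a path (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Print the octal permission bits of a path.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_findings STATE_DIR SVC_USER [STATE_OWNER]
# Prints one finding per line and nothing when the layout is as intended.
audit_findings() {
    state_dir=$1
    svc_user=$2
    state_owner=${3:-root}
    db_dir=$state_dir/astdb

    # The state dir holds sounds, keys, scripts and static HTTP content, so
    # the service account should neither own it nor gain write access to it.
    owner=$(owner_of "$state_dir")
    if [ "$owner" != "$state_owner" ]; then
        echo "state-dir-owner: $state_dir is owned by $owner, expected $state_owner"
    fi
    mode=$(mode_of "$state_dir")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "state-dir-writable: $state_dir (mode $mode) is group- or world-writable"
    fi

    # A database still at the old location has to be moved by the admin;
    # Comment 11 proposes warning and refusing to start in that case.
    if [ -e "$state_dir/astdb.sqlite3" ]; then
        echo "legacy-db: $state_dir/astdb.sqlite3 must be migrated into $db_dir"
    fi

    # SQLite creates astdb.sqlite3-journal next to the database while it is
    # open, so the directory must belong to the service user, not only the file.
    if [ ! -d "$db_dir" ]; then
        echo "astdb-dir-missing: $db_dir does not exist"
        return 0
    fi
    owner=$(owner_of "$db_dir")
    if [ "$owner" != "$svc_user" ]; then
        echo "astdb-dir-owner: $db_dir is owned by $owner, expected $svc_user"
    fi
    for f in "$db_dir"/*; do
        [ -e "$f" ] || continue
        owner=$(owner_of "$f")
        if [ "$owner" != "$svc_user" ]; then
            echo "astdb-file-owner: $f is owned by $owner, expected $svc_user"
        fi
    done
    return 0
}

# Same arguments; returns 0 when clean, 1 otherwise, findings on stderr.
audit_astdb_layout() {
    findings=$(audit_findings "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a throwaway tree shaped like the report (database in the
# state dir, no astdb/ subdirectory). Prints the findings for it.
demo_report_layout() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/asterisk"
    chmod 755 "$tmp/asterisk"
    : > "$tmp/asterisk/astdb.sqlite3"
    audit_findings "$tmp/asterisk" asterisk "$(owner_of "$tmp")"
    rm -rf "$tmp"
}

# Usage: sh audit.sh demo
#        sh audit.sh /var/lib/asterisk asterisk root
case ${1:-} in
    demo) demo_report_layout ;;
    ?*)   audit_astdb_layout "$@" ;;
esac
```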
Comment 12 Jaco Kroon 2021-03-13 19:21:58 UTC
Joseph,

I realize it's not 16/18 yet, but would it be possible for you to test this ebuild so long as well?

https://github.com/gentoo/gentoo/blob/55aab032d45d698f08ef8e81212f4e2b45c1827b/net-misc/asterisk/asterisk-13.38.2-r1.ebuild

I'll be applying the same changes to the 16 ebuild and then hopefully sort out an 18 ebuild too asap.

Kind Regards,
Jaco
Comment 13 Larry the Git Cow gentoo-dev 2021-03-19 08:52:07 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c21e28747944f84b98359b37cfe4d2f2e0b7bb0b

commit c21e28747944f84b98359b37cfe4d2f2e0b7bb0b
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-13 19:59:24 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-19 08:51:49 +0000

    net-misc/asterisk: rev bump for 16.
    
    Same changes as for 13, except that format_ogg_speex isn't being dropped
    since it was introduced in 16.
    
    Closes: https://bugs.gentoo.org/772821
    Introduce USE=deprecated to enable deprecated apps/funcs/features.  For
    now, this is only app_macro.
    
    Closes: https://bugs.gentoo.org/775005
    net-misc/asterisk: injects some CFLAGS.  Thanks Sam.
    
    Closes: https://bugs.gentoo.org/767262
    systemd automagic dependency.
    
    Closes: https://bugs.gentoo.org/775353
    Make asterisk depend on the pjproject SUBSLOT.  Ie, rebuild if pjproject
    gets updated.
    
    Closes: https://bugs.gentoo.org/761442
    Repair "security" issue in that /var/lib/asterisk can now be root:root.
    The problem with having it asterisk: is that any arbitrary code vuln
    becomes a data modification one.  So with this as root:root we can at
    least prevent modifications to /var/lib/asterisk whilst still allowing
    /var/lib/asterisk/astdb to be modified as required.
    
    Repair default voicemail selection.  Thank you pkgcheck scan.
    
    Drop ASTCFLAGS= and ASTLDFLAGS since ./configure already imports these.
    I believe Tony added this as a hammer to deal with 775005 above since
    these got re-added again after the asterisk injected ones.   By setting
    DEBUG= and OPTIMIZE= this problem should now be something of the past.
    
    Introduce GENTOO_ASTERISK_CUSTOM_MENUSELECT= environment variable that
    can be set from make.conf and takes a string similar to USE flags,
    except that these gets passed to menuselect one by one, if -option as
    --disable option, else --enable option.  Prefixes + and - is supported,
    and will be stripped before passing to menuselect.
    
    menuselect has been patched to exit non-zero in case of invalid option
    passed to --enable or --disable, resulting in above being reliable (if
    you have something invalid in there, it will die).
    
    Accordingly drop format_ogg_speex which doesn't exist in asterisk 13.
    
    Drop no longer required ncurses dependencies (system libedit).
    
    Explicitly pass ASTCACHEDIR=/var/cache/asterisk, and update install
    patch to not install this path, handle in tmpfiles and initd since we're
    not supposed to install into /var/cache either ...
    
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/asterisk-16.16.2-r1.ebuild       | 365 +++++++++++++++++++++
 .../asterisk-16.16.2-no-var-run-install.patch      |   2 +-
 net-misc/asterisk/files/asterisk.tmpfiles3.conf    |   2 +
 net-misc/asterisk/files/confd-16.16.2-r1           | 171 ++++++++++
 net-misc/asterisk/files/initd-16.16.2-r1           | 363 ++++++++++++++++++++
 net-misc/asterisk/metadata.xml                     |   3 +-
 6 files changed, 904 insertions(+), 2 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c7d0aa6515bffacdaed2237cd28231100465422

commit 2c7d0aa6515bffacdaed2237cd28231100465422
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2021-03-13 12:13:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-19 08:51:49 +0000

    net-misc/asterisk: version bump for 13.
    
    This is primarily aimed to fixing bugs, asterisk 13 is sec-only
    upstream, so no further fixes will be made except to address bugs
    reported to bugs.gentoo.org.
    
    Note that bugs aren't being closed since 16* is still affected (will be
    fixed on next bump, just waiting for 16.17.0 to be cut).
    
    Bug: https://bugs.gentoo.org/775005
    net-misc/asterisk: injects some CFLAGS.  Thanks Sam.
    
    Bug: https://bugs.gentoo.org/767262
    systemd automagic dependency.
    
    Bug: https://bugs.gentoo.org/775353
    Make asterisk depend on the pjproject SUBSLOT.  Ie, rebuild if pjproject
    gets updated.
    
    Bug: https://bugs.gentoo.org/761442
    Repair "security" issue in that /var/lib/asterisk can now be root:root.
    The problem with having it asterisk: is that any arbitrary code vuln
    becomes a data modification one.  So with this as root:root we can at
    least prevent modifications to /var/lib/asterisk whilst still allowing
    /var/lib/asterisk/astdb to be modified as required.
    
    Repair default voicemail selection.  Thank you pkgcheck scan.
    
    Drop ASTCFLAGS= and ASTLDFLAGS since ./configure already imports these.
    I believe Tony added this as a hammer to deal with 775005 above since
    these got re-added again after the asterisk injected ones.   By setting
    DEBUG= and OPTIMIZE= this problem should now be something of the past.
    
    Introduce GENTOO_ASTERISK_CUSTOM_MENUSELECT= environment variable that
    can be set from make.conf and takes a string similar to USE flags,
    except that these gets passed to menuselect one by one, if -option as
    --disable option, else --enable option.  Prefixes + and - is supported,
    and will be stripped before passing to menuselect.
    
    menuselect has been patched to exit non-zero in case of invalid option
    passed to --enable or --disable, resulting in above being reliable (if
    you have something invalid in there, it will die).
    
    Accordingly drop format_ogg_speex which doesn't exist in asterisk 13.
    
    Drop no longer required ncurses dependencies (system libedit).
    
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/asterisk/asterisk-13.38.2-r1.ebuild       | 348 +++++++++++++++++++++
 .../asterisk-13.38.2-r1-menuselect-exitcodes.patch |  67 ++++
 2 files changed, 415 insertions(+)