Gentoo's Bugzilla – Attachment 131363 Details for
Bug 159013
asterisk-1.4.0 (and related) ebuilds
[patch]
allow Asterisk to set high ToS bits as non-root on Linux
CAP_NET_ADMIN.patch (text/plain), 22.89 KB, created by
Tim Dodge
on 2007-09-20 11:39:47 UTC
Description:
allow Asterisk to set high ToS bits as non-root on Linux
Filename:
MIME Type:
Creator:
Tim Dodge
Created:
2007-09-20 11:39:47 UTC
Size:
22.89 KB
>diff -Naur asterisk-1.4.11.org/configure asterisk-1.4.11/configure >--- asterisk-1.4.11.org/configure 2007-09-20 10:06:02.153295000 +0100 >+++ asterisk-1.4.11/configure 2007-09-20 10:07:02.335245151 +0100 >@@ -720,6 +720,10 @@ > ALSA_INCLUDE > ALSA_DIR > PBX_ALSA >+CAP_LIB >+CAP_INCLUDE >+CAP_DIR >+PBX_CAP > CURL_LIB > CURL_INCLUDE > CURL_DIR >@@ -1499,6 +1503,7 @@ > --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) > --with-gnu-ld assume the C compiler uses GNU ld [default=no] > --with-asound=PATH use Advanced Linux Sound Architecture files in PATH >+ --with-cap=PATH use POSIX 1.e capabilities files in PATH > --with-curl=PATH use cURL files in PATH > --with-curses=PATH use curses files in PATH > --with-gnutls=PATH use GNU TLS support (used for iksemel only) files in >@@ -7602,6 +7607,34 @@ > > > >+CAP_DESCRIP="POSIX 1.e capabilities" >+CAP_OPTION="cap" >+ >+# Check whether --with-cap was given. >+if test "${with_cap+set}" = set; then >+ withval=$with_cap; >+case ${withval} in >+ n|no) >+ USE_CAP=no >+ ;; >+ y|ye|yes) >+ CAP_MANDATORY="yes" >+ ;; >+ *) >+ CAP_DIR="${withval}" >+ CAP_MANDATORY="yes" >+ ;; >+esac >+ >+fi >+ >+PBX_CAP=0 >+ >+ >+ >+ >+ >+ > CURL_DESCRIP="cURL" > CURL_OPTION="curl" 
> >@@ -16535,6 +16568,417 @@ > fi > > >+if test "x${host_os}" = "xlinux-gnu" ; then >+ >+if test "${USE_CAP}" != "no"; then >+ pbxlibdir="" >+ if test "x${CAP_DIR}" != "x"; then >+ if test -d ${CAP_DIR}/lib; then >+ pbxlibdir="-L${CAP_DIR}/lib" >+ else >+ pbxlibdir="-L${CAP_DIR}" >+ fi >+ fi >+ { echo "$as_me:$LINENO: checking for cap_from_text in -lcap" >&5 >+echo $ECHO_N "checking for cap_from_text in -lcap... $ECHO_C" >&6; } >+if test "${ac_cv_lib_cap_cap_from_text+set}" = set; then >+ echo $ECHO_N "(cached) $ECHO_C" >&6 >+else >+ ac_check_lib_save_LIBS=$LIBS >+LIBS="-lcap ${pbxlibdir} $LIBS" >+cat >conftest.$ac_ext <<_ACEOF >+/* confdefs.h. */ >+_ACEOF >+cat confdefs.h >>conftest.$ac_ext >+cat >>conftest.$ac_ext <<_ACEOF >+/* end confdefs.h. */ >+ >+/* Override any GCC internal prototype to avoid an error. >+ Use char because int might match the return type of a GCC >+ builtin and then its argument prototype would still apply. */ >+#ifdef __cplusplus >+extern "C" >+#endif >+char cap_from_text (); >+int >+main () >+{ >+return cap_from_text (); >+ ; >+ return 0; >+} >+_ACEOF >+rm -f conftest.$ac_objext conftest$ac_exeext >+if { (ac_try="$ac_link" >+case "(($ac_try" in >+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; >+ *) ac_try_echo=$ac_try;; >+esac >+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 >+ (eval "$ac_link") 2>conftest.er1 >+ ac_status=$? >+ grep -v '^ *+' conftest.er1 >conftest.err >+ rm -f conftest.er1 >+ cat conftest.err >&5 >+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 >+ (exit $ac_status); } && { >+ test -z "$ac_c_werror_flag" || >+ test ! 
-s conftest.err >+ } && test -s conftest$ac_exeext && >+ $as_test_x conftest$ac_exeext; then >+ ac_cv_lib_cap_cap_from_text=yes >+else >+ echo "$as_me: failed program was:" >&5 >+sed 's/^/| /' conftest.$ac_ext >&5 >+ >+ ac_cv_lib_cap_cap_from_text=no >+fi >+ >+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ >+ conftest$ac_exeext conftest.$ac_ext >+LIBS=$ac_check_lib_save_LIBS >+fi >+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_from_text" >&5 >+echo "${ECHO_T}$ac_cv_lib_cap_cap_from_text" >&6; } >+if test $ac_cv_lib_cap_cap_from_text = yes; then >+ AST_CAP_FOUND=yes >+else >+ AST_CAP_FOUND=no >+fi >+ >+ >+ if test "${AST_CAP_FOUND}" = "yes"; then >+ CAP_LIB="-lcap " >+ CAP_HEADER_FOUND="1" >+ if test "x${CAP_DIR}" != "x"; then >+ CAP_LIB="${pbxlibdir} ${CAP_LIB}" >+ CAP_INCLUDE="-I${CAP_DIR}/include" >+ saved_cppflags="${CPPFLAGS}" >+ CPPFLAGS="${CPPFLAGS} -I${CAP_DIR}/include" >+ if test "xsys/capability.h" != "x" ; then >+ as_ac_Header=`echo "ac_cv_header_${CAP_DIR}/include/sys/capability.h" | $as_tr_sh` >+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then >+ { echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5 >+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; } >+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then >+ echo $ECHO_N "(cached) $ECHO_C" >&6 >+fi >+ac_res=`eval echo '${'$as_ac_Header'}'` >+ { echo "$as_me:$LINENO: result: $ac_res" >&5 >+echo "${ECHO_T}$ac_res" >&6; } >+else >+ # Is the header compilable? >+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h usability" >&5 >+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h usability... $ECHO_C" >&6; } >+cat >conftest.$ac_ext <<_ACEOF >+/* confdefs.h. */ >+_ACEOF >+cat confdefs.h >>conftest.$ac_ext >+cat >>conftest.$ac_ext <<_ACEOF >+/* end confdefs.h. 
*/ >+$ac_includes_default >+#include <${CAP_DIR}/include/sys/capability.h> >+_ACEOF >+rm -f conftest.$ac_objext >+if { (ac_try="$ac_compile" >+case "(($ac_try" in >+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; >+ *) ac_try_echo=$ac_try;; >+esac >+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 >+ (eval "$ac_compile") 2>conftest.er1 >+ ac_status=$? >+ grep -v '^ *+' conftest.er1 >conftest.err >+ rm -f conftest.er1 >+ cat conftest.err >&5 >+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 >+ (exit $ac_status); } && { >+ test -z "$ac_c_werror_flag" || >+ test ! -s conftest.err >+ } && test -s conftest.$ac_objext; then >+ ac_header_compiler=yes >+else >+ echo "$as_me: failed program was:" >&5 >+sed 's/^/| /' conftest.$ac_ext >&5 >+ >+ ac_header_compiler=no >+fi >+ >+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext >+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 >+echo "${ECHO_T}$ac_header_compiler" >&6; } >+ >+# Is the header present? >+{ echo "$as_me:$LINENO: checking ${CAP_DIR}/include/sys/capability.h presence" >&5 >+echo $ECHO_N "checking ${CAP_DIR}/include/sys/capability.h presence... $ECHO_C" >&6; } >+cat >conftest.$ac_ext <<_ACEOF >+/* confdefs.h. */ >+_ACEOF >+cat confdefs.h >>conftest.$ac_ext >+cat >>conftest.$ac_ext <<_ACEOF >+/* end confdefs.h. */ >+#include <${CAP_DIR}/include/sys/capability.h> >+_ACEOF >+if { (ac_try="$ac_cpp conftest.$ac_ext" >+case "(($ac_try" in >+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; >+ *) ac_try_echo=$ac_try;; >+esac >+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 >+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 >+ ac_status=$? >+ grep -v '^ *+' conftest.er1 >conftest.err >+ rm -f conftest.er1 >+ cat conftest.err >&5 >+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 >+ (exit $ac_status); } >/dev/null && { >+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || >+ test ! 
-s conftest.err >+ }; then >+ ac_header_preproc=yes >+else >+ echo "$as_me: failed program was:" >&5 >+sed 's/^/| /' conftest.$ac_ext >&5 >+ >+ ac_header_preproc=no >+fi >+ >+rm -f conftest.err conftest.$ac_ext >+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 >+echo "${ECHO_T}$ac_header_preproc" >&6; } >+ >+# So? What about this header? >+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in >+ yes:no: ) >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the compiler's result" >&2;} >+ ac_header_preproc=yes >+ ;; >+ no:yes:* ) >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: present but cannot be compiled" >&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: check for missing prerequisite headers?" 
>&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: see the Autoconf documentation" >&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: proceeding with the preprocessor's result" >&2;} >+ { echo "$as_me:$LINENO: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&5 >+echo "$as_me: WARNING: ${CAP_DIR}/include/sys/capability.h: in the future, the compiler will take precedence" >&2;} >+ ( cat <<\_ASBOX >+## ------------------------------- ## >+## Report this to www.asterisk.org ## >+## ------------------------------- ## >+_ASBOX >+ ) | sed "s/^/$as_me: WARNING: /" >&2 >+ ;; >+esac >+{ echo "$as_me:$LINENO: checking for ${CAP_DIR}/include/sys/capability.h" >&5 >+echo $ECHO_N "checking for ${CAP_DIR}/include/sys/capability.h... $ECHO_C" >&6; } >+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then >+ echo $ECHO_N "(cached) $ECHO_C" >&6 >+else >+ eval "$as_ac_Header=\$ac_header_preproc" >+fi >+ac_res=`eval echo '${'$as_ac_Header'}'` >+ { echo "$as_me:$LINENO: result: $ac_res" >&5 >+echo "${ECHO_T}$ac_res" >&6; } >+ >+fi >+if test `eval echo '${'$as_ac_Header'}'` = yes; then >+ CAP_HEADER_FOUND=1 >+else >+ CAP_HEADER_FOUND=0 >+fi >+ >+ >+ fi >+ CPPFLAGS="${saved_cppflags}" >+ else >+ if test "xsys/capability.h" != "x" ; then >+ if test "${ac_cv_header_sys_capability_h+set}" = set; then >+ { echo "$as_me:$LINENO: checking for sys/capability.h" >&5 >+echo $ECHO_N "checking for sys/capability.h... 
$ECHO_C" >&6; } >+if test "${ac_cv_header_sys_capability_h+set}" = set; then >+ echo $ECHO_N "(cached) $ECHO_C" >&6 >+fi >+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5 >+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; } >+else >+ # Is the header compilable? >+{ echo "$as_me:$LINENO: checking sys/capability.h usability" >&5 >+echo $ECHO_N "checking sys/capability.h usability... $ECHO_C" >&6; } >+cat >conftest.$ac_ext <<_ACEOF >+/* confdefs.h. */ >+_ACEOF >+cat confdefs.h >>conftest.$ac_ext >+cat >>conftest.$ac_ext <<_ACEOF >+/* end confdefs.h. */ >+$ac_includes_default >+#include <sys/capability.h> >+_ACEOF >+rm -f conftest.$ac_objext >+if { (ac_try="$ac_compile" >+case "(($ac_try" in >+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; >+ *) ac_try_echo=$ac_try;; >+esac >+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 >+ (eval "$ac_compile") 2>conftest.er1 >+ ac_status=$? >+ grep -v '^ *+' conftest.er1 >conftest.err >+ rm -f conftest.er1 >+ cat conftest.err >&5 >+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 >+ (exit $ac_status); } && { >+ test -z "$ac_c_werror_flag" || >+ test ! -s conftest.err >+ } && test -s conftest.$ac_objext; then >+ ac_header_compiler=yes >+else >+ echo "$as_me: failed program was:" >&5 >+sed 's/^/| /' conftest.$ac_ext >&5 >+ >+ ac_header_compiler=no >+fi >+ >+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext >+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 >+echo "${ECHO_T}$ac_header_compiler" >&6; } >+ >+# Is the header present? >+{ echo "$as_me:$LINENO: checking sys/capability.h presence" >&5 >+echo $ECHO_N "checking sys/capability.h presence... $ECHO_C" >&6; } >+cat >conftest.$ac_ext <<_ACEOF >+/* confdefs.h. */ >+_ACEOF >+cat confdefs.h >>conftest.$ac_ext >+cat >>conftest.$ac_ext <<_ACEOF >+/* end confdefs.h. 
*/ >+#include <sys/capability.h> >+_ACEOF >+if { (ac_try="$ac_cpp conftest.$ac_ext" >+case "(($ac_try" in >+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; >+ *) ac_try_echo=$ac_try;; >+esac >+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 >+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 >+ ac_status=$? >+ grep -v '^ *+' conftest.er1 >conftest.err >+ rm -f conftest.er1 >+ cat conftest.err >&5 >+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 >+ (exit $ac_status); } >/dev/null && { >+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || >+ test ! -s conftest.err >+ }; then >+ ac_header_preproc=yes >+else >+ echo "$as_me: failed program was:" >&5 >+sed 's/^/| /' conftest.$ac_ext >&5 >+ >+ ac_header_preproc=no >+fi >+ >+rm -f conftest.err conftest.$ac_ext >+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 >+echo "${ECHO_T}$ac_header_preproc" >&6; } >+ >+# So? What about this header? >+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in >+ yes:no: ) >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&5 >+echo "$as_me: WARNING: sys/capability.h: accepted by the compiler, rejected by the preprocessor!" >&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the compiler's result" >&5 >+echo "$as_me: WARNING: sys/capability.h: proceeding with the compiler's result" >&2;} >+ ac_header_preproc=yes >+ ;; >+ no:yes:* ) >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: present but cannot be compiled" >&5 >+echo "$as_me: WARNING: sys/capability.h: present but cannot be compiled" >&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: check for missing prerequisite headers?" >&5 >+echo "$as_me: WARNING: sys/capability.h: check for missing prerequisite headers?" 
>&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: see the Autoconf documentation" >&5 >+echo "$as_me: WARNING: sys/capability.h: see the Autoconf documentation" >&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&5 >+echo "$as_me: WARNING: sys/capability.h: section \"Present But Cannot Be Compiled\"" >&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&5 >+echo "$as_me: WARNING: sys/capability.h: proceeding with the preprocessor's result" >&2;} >+ { echo "$as_me:$LINENO: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&5 >+echo "$as_me: WARNING: sys/capability.h: in the future, the compiler will take precedence" >&2;} >+ ( cat <<\_ASBOX >+## ------------------------------- ## >+## Report this to www.asterisk.org ## >+## ------------------------------- ## >+_ASBOX >+ ) | sed "s/^/$as_me: WARNING: /" >&2 >+ ;; >+esac >+{ echo "$as_me:$LINENO: checking for sys/capability.h" >&5 >+echo $ECHO_N "checking for sys/capability.h... $ECHO_C" >&6; } >+if test "${ac_cv_header_sys_capability_h+set}" = set; then >+ echo $ECHO_N "(cached) $ECHO_C" >&6 >+else >+ ac_cv_header_sys_capability_h=$ac_header_preproc >+fi >+{ echo "$as_me:$LINENO: result: $ac_cv_header_sys_capability_h" >&5 >+echo "${ECHO_T}$ac_cv_header_sys_capability_h" >&6; } >+ >+fi >+if test $ac_cv_header_sys_capability_h = yes; then >+ CAP_HEADER_FOUND=1 >+else >+ CAP_HEADER_FOUND=0 >+fi >+ >+ >+ fi >+ fi >+ if test "x${CAP_HEADER_FOUND}" = "x0" ; then >+ if test -n "${CAP_MANDATORY}" ; >+ then >+ { echo "$as_me:$LINENO: ***" >&5 >+echo "$as_me: ***" >&6;} >+ { echo "$as_me:$LINENO: *** It appears that you do not have the cap development package installed." >&5 >+echo "$as_me: *** It appears that you do not have the cap development package installed." 
>&6;} >+ { echo "$as_me:$LINENO: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&5 >+echo "$as_me: *** Please install it to include ${CAP_DESCRIP} support, or re-run configure" >&6;} >+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5 >+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;} >+ exit 1 >+ fi >+ CAP_LIB="" >+ CAP_INCLUDE="" >+ PBX_CAP=0 >+ else >+ PBX_CAP=1 >+ >+cat >>confdefs.h <<_ACEOF >+#define HAVE_CAP 1 >+_ACEOF >+ >+ fi >+ elif test -n "${CAP_MANDATORY}"; >+ then >+ { echo "$as_me:$LINENO: ***" >&5 >+echo "$as_me: ***" >&6;} >+ { echo "$as_me:$LINENO: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&5 >+echo "$as_me: *** The ${CAP_DESCRIP} installation on this system appears to be broken." >&6;} >+ { echo "$as_me:$LINENO: *** Either correct the installation, or run configure" >&5 >+echo "$as_me: *** Either correct the installation, or run configure" >&6;} >+ { echo "$as_me:$LINENO: *** without explicitly specifying --with-${CAP_OPTION}" >&5 >+echo "$as_me: *** without explicitly specifying --with-${CAP_OPTION}" >&6;} >+ exit 1 >+ fi >+fi >+ >+fi >+ > > if test "${USE_CURSES}" != "no"; then > pbxlibdir="" >@@ -33274,6 +33718,10 @@ > ALSA_INCLUDE!$ALSA_INCLUDE$ac_delim > ALSA_DIR!$ALSA_DIR$ac_delim > PBX_ALSA!$PBX_ALSA$ac_delim >+CAP_LIB!$CAP_LIB$ac_delim >+CAP_INCLUDE!$CAP_INCLUDE$ac_delim >+CAP_DIR!$CAP_DIR$ac_delim >+PBX_CAP!$PBX_CAP$ac_delim > CURL_LIB!$CURL_LIB$ac_delim > CURL_INCLUDE!$CURL_INCLUDE$ac_delim > CURL_DIR!$CURL_DIR$ac_delim >@@ -33363,10 +33811,6 @@ > PWLIB_DIR!$PWLIB_DIR$ac_delim > PBX_PWLIB!$PBX_PWLIB$ac_delim > OPENH323_LIB!$OPENH323_LIB$ac_delim >-OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim >-OPENH323_DIR!$OPENH323_DIR$ac_delim >-PBX_OPENH323!$PBX_OPENH323$ac_delim >-QT_LIB!$QT_LIB$ac_delim > _ACEOF > > if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then 
>@@ -33408,6 +33852,10 @@ > ac_delim='%!_!# ' > for ac_last_try in false false false false false :; do > cat >conf$$subs.sed <<_ACEOF >+OPENH323_INCLUDE!$OPENH323_INCLUDE$ac_delim >+OPENH323_DIR!$OPENH323_DIR$ac_delim >+PBX_OPENH323!$PBX_OPENH323$ac_delim >+QT_LIB!$QT_LIB$ac_delim > QT_INCLUDE!$QT_INCLUDE$ac_delim > QT_DIR!$QT_DIR$ac_delim > PBX_QT!$PBX_QT$ac_delim >@@ -33502,7 +33950,7 @@ > LTLIBOBJS!$LTLIBOBJS$ac_delim > _ACEOF > >- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 92; then >+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 96; then > break > elif $ac_last_try; then > { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 >@@ -33521,7 +33969,7 @@ > > cat >>$CONFIG_STATUS <<_ACEOF > cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof >-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end >+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b > _ACEOF > sed ' > s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g >@@ -33534,8 +33982,6 @@ > ' >>$CONFIG_STATUS <conf$$subs.sed > rm -f conf$$subs.sed > cat >>$CONFIG_STATUS <<_ACEOF >-:end >-s/|#_!!_#|//g > CEOF$ac_eof > _ACEOF > >@@ -33783,7 +34229,7 @@ > s&@abs_top_builddir@&$ac_abs_top_builddir&;t t > s&@INSTALL@&$ac_INSTALL&;t t > $ac_datarootdir_hack >-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out >+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" | sed 's/|#_!!_#|//g' >$tmp/out > > test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && > { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } && >diff -Naur asterisk-1.4.11.org/configure.ac asterisk-1.4.11/configure.ac >--- asterisk-1.4.11.org/configure.ac 2007-08-06 15:18:20.000000000 +0100 >+++ asterisk-1.4.11/configure.ac 2007-09-20 10:06:40.490537305 +0100 
>@@ -171,6 +171,7 @@
> # by the --with option name, to make things easier for the users :-)
>
> AST_EXT_LIB_SETUP([ALSA], [Advanced Linux Sound Architecture], [asound])
>+AST_EXT_LIB_SETUP([CAP], [POSIX 1.e capabilities], [cap])
> AST_EXT_LIB_SETUP([CURL], [cURL], [curl])
> AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
> AST_EXT_LIB_SETUP([GNUTLS], [GNU TLS support (used for iksemel only)], [gnutls])
>@@ -393,6 +394,10 @@
>
> AST_EXT_LIB_CHECK([ALSA], [asound], [snd_spcm_init], [alsa/asoundlib.h], [-lm -ldl])
>
>+if test "x${host_os}" = "xlinux-gnu" ; then
>+ AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h])
>+fi
>+
> AST_EXT_LIB_CHECK([CURSES], [curses], [initscr], [curses.h])
>
> GSM_INTERNAL="yes"
>diff -Naur asterisk-1.4.11.org/doc/security.txt asterisk-1.4.11/doc/security.txt
>--- asterisk-1.4.11.org/doc/security.txt 2007-03-16 01:41:00.000000000 +0000
>+++ asterisk-1.4.11/doc/security.txt 2007-09-20 10:06:40.490537305 +0100
>@@ -28,6 +28,13 @@
> AES encryption of voice and signalling. The SIP channel does not
> support encryption in this version of Asterisk.
>
>+By default, if you have libcap available, Asterisk will try to retain the
>+CAP_NET_ADMIN capability when running as a non-root user. If you do not need
>+that capability you may want to configure Asterisk with --without-cap; however,
>+this will prevent Asterisk from being able to mark high ToS bits under Linux.
>+More information on CAP_NET_ADMIN is available at:
>+http://www.lids.org/lids-howto/node48.html
>+
> * DIALPLAN SECURITY
>
> First and foremost remember this:
>diff -Naur asterisk-1.4.11.org/main/asterisk.c asterisk-1.4.11/main/asterisk.c
>--- asterisk-1.4.11.org/main/asterisk.c 2007-06-28 00:29:14.000000000 +0100
>+++ asterisk-1.4.11/main/asterisk.c 2007-09-20 10:06:40.494537431 +0100
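Review bot: In the `@@ -393,6 +394,10 @@` hunk of configure.ac the libcap probe is gated on an exact string match, `"x${host_os}" = "xlinux-gnu"`, so a Linux host whose `host_os` carries a different suffix (for example `linux-gnueabi` or `linux-uclibc`) skips the check and builds without `HAVE_CAP`. Because the whole check sits inside that test, an explicit `--with-cap` on such a host is also ignored without the "not installed" error the macro would otherwise print. A pattern match such as `case "${host_os}" in linux*) AST_EXT_LIB_CHECK([CAP], [cap], [cap_from_text], [sys/capability.h]) ;; esac` keeps the Linux-only restriction without depending on the libc suffix. The doc/security.txt text added by this patch tells operators the capability is retained by default, so a silently skipped probe changes the runtime privilege behaviour they expect.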
>@@ -82,13 +82,12 @@
> #include <sys/stat.h>
> #ifdef linux
> #include <sys/prctl.h>
>-#endif
>+#ifdef HAVE_CAP
>+#include <sys/capability.h>
>+#endif /* HAVE_CAP */
>+#endif /* linux */
> #include <regex.h>
>
>-#ifdef linux
>-#include <sys/prctl.h>
>-#endif
>-
> #if defined(__FreeBSD__) || defined( __NetBSD__ ) || defined(SOLARIS)
> #include <netdb.h>
> #if defined(SOLARIS)
>@@ -2718,12 +2717,22 @@
> }
>
> if (!is_child_of_nonroot && runuser) {
>+#ifdef HAVE_CAP
>+ cap_t cap;
>+ int has_cap = 1;
>+#endif /* HAVE_CAP */
> struct passwd *pw;
> pw = getpwnam(runuser);
> if (!pw) {
> ast_log(LOG_WARNING, "No such user '%s'!\n", runuser);
> exit(1);
> }
>+#ifdef HAVE_CAP
>+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
>+ ast_log(LOG_WARNING, "Unable to keep capabilities.\n");
>+ has_cap = 0;
>+ }
>+#endif /* HAVE_CAP */
> if (!rungroup) {
> if (setgid(pw->pw_gid)) {
> ast_log(LOG_WARNING, "Unable to setgid to %d!\n", (int)pw->pw_gid);
>@@ -2741,6 +2750,18 @@
> setenv("ASTERISK_ALREADY_NONROOT", "yes", 1);
> if (option_verbose)
> ast_verbose("Running as user '%s'\n", runuser);
>+#ifdef HAVE_CAP
>+ if (has_cap) {
>+ cap = cap_from_text("cap_net_admin=ep");
>+ if (cap_set_proc(cap)) {
>+ ast_log(LOG_WARNING, "Unable to install capabilities.\n");
>+ break;
>+ }
>+ if (cap_free(cap)) {
>+ ast_log(LOG_WARNING, "Unable to drop capabilities.\n");
>+ }
>+ }
>+#endif /* HAVE_CAP */
> }
>
> #endif /* __CYGWIN__ */
>diff -Naur asterisk-1.4.11.org/main/Makefile asterisk-1.4.11/main/Makefile
>--- asterisk-1.4.11.org/main/Makefile 2007-07-03 21:17:31.000000000 +0100
>+++ asterisk-1.4.11/main/Makefile 2007-09-20 10:06:40.494537431 +0100
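Review bot: In the `@@ -2718,12 +2717,22 @@` hunk of main/asterisk.c, `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` is switched on before the group and user change and is not cleared again anywhere in the visible hunks. Once the reduced set has been installed in the following hunk, `prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);` would restore the default so that any later UID change drops capabilities as usual. The enclosing `if (!is_child_of_nonroot && runuser)` block continues outside the hunk, so confirm that no other path relies on the flag staying set.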
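Review bot: When `cap_set_proc()` fails in the `@@ -2741,6 +2750,18 @@` hunk of main/asterisk.c, the code logs a warning and startup carries on, presumably still holding the whole permitted set that the earlier `PR_SET_KEEPCAPS` call preserved across the switch to the run user rather than only CAP_NET_ADMIN. No enclosing loop or switch is visible in the hunk, so the `break;` on that path may not compile, and it skips `cap_free()` in any case. `cap_from_text()` can return NULL and is passed to `cap_set_proc()` unchecked, and the message printed when `cap_free()` fails says "drop capabilities" although that call only releases the libcap state. Treating the failure as fatal, the way the `getpwnam()` failure earlier in this block is, keeps a partially privileged process from running.

```c
/* … unchanged: #ifdef HAVE_CAP / if (has_cap) wrapper … */
		cap = cap_from_text("cap_net_admin=ep");
		if (!cap || cap_set_proc(cap)) {
			/* The capability set kept via PR_SET_KEEPCAPS has not been narrowed; do not continue. */
			ast_log(LOG_WARNING, "Unable to install capabilities.\n");
			exit(1);
		}
		if (cap_free(cap)) {
			ast_log(LOG_WARNING, "Unable to free capability state.\n");
		}
```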
>@@ -55,6 +55,9 @@
> ifneq ($(findstring LOADABLE_MODULES,$(MENUSELECT_CFLAGS)),)
> AST_LIBS+=-ldl
> endif
>+ ifneq (x$(CAP_LIB),x)
>+ AST_LIBS+=$(CAP_LIB)
>+ endif
> AST_LIBS+=-lpthread $(EDITLINE_LIB) -lm -lresolv
> else
> AST_LIBS+=$(EDITLINE_LIB) -lm
>diff -Naur asterisk-1.4.11.org/makeopts.in asterisk-1.4.11/makeopts.in
>--- asterisk-1.4.11.org/makeopts.in 2007-06-29 15:18:36.000000000 +0100
>+++ asterisk-1.4.11/makeopts.in 2007-09-20 10:06:40.494537431 +0100
>@@ -175,6 +175,9 @@
> SUPPSERV_INCLUDE=@SUPPSERV_INCLUDE@
> SUPPSERV_LIB=@SUPPSERV_LIB@
>
>+CAP_LIB=@CAP_LIB@
>+CAP_INCLUDE=@CAP_INCLUDE@
>+
> TERMCAP_INCLUDE=@TERMCAP_INCLUDE@
> TERMCAP_LIB=@TERMCAP_LIB@
> TERMCAP_DIR=@TERMCAP_DIR@