[asterisk-users] TOS and security
I'm preparing for a client install of * by doing a fresh one in-house. Unlike my earlier installation that runs asterisk as superuser, my current experimental box runs without such privilege. This is causing it to moan that it can't set TOS. I absolutely don't want to install it on the client LAN without this capability. If need be, I'll set the binary to run setuid root. But I'm looking for something more elegant.

While googling, I found a suggestion to use iptables mangle rules to set TOS for all packets going out of the box on ports like 5060 and 1:2. Not a bad hack, but indiscriminate, and this box will be handling other traffic besides the RTP. I'd like to do better.

I thought of using POSIX access control to enable asterisk to do TOS setting without being root (would this be CAP_NET_RAW?), which sounds perfect, but so far I'm operating with stock Ubuntu Hardy, and I would like to avoid a kernel build to add this capability.

Any other ideas?

--
Bandwidth and Colocation Provided by http://www.api-digital.com
AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] TOS and security
On Friday 18 July 2008 14:21:14 Bill Michaelson wrote:
> I'm preparing for a client install of * by doing a fresh one in-house. Unlike my earlier installation that runs asterisk as superuser, my current experimental box runs without such privilege. This is causing it to moan that it can't set TOS. I absolutely don't want to install it on the client LAN without this capability. If need be, I'll set the binary to run setuid root. But I'm looking for something more elegant.
>
> While googling, I found a suggestion to use iptables mangle rules to set TOS for all packets going out of the box on ports like 5060 and 1:2. Not a bad hack, but indiscriminate, and this box will be handling other traffic besides the RTP. I'd like to do better.
>
> I thought of using POSIX access control to enable asterisk to do TOS setting without being root (would this be CAP_NET_RAW?), which sounds perfect, but so far I'm operating with stock Ubuntu Hardy, and I would like to avoid a kernel build to add this capability.

It's actually CAP_NET_ADMIN, and we already keep that privilege, if the configure script detects that the capabilities library is available. Simply set the runuser and rungroup in asterisk.conf, and Asterisk will automatically keep those privileges during startup.

--
Tilghman
Re: [asterisk-users] TOS and security
> I'm preparing for a client install of * by doing a fresh one in-house. Unlike my earlier installation that runs asterisk as superuser, my current experimental box runs without such privilege. This is causing it to moan that it can't set TOS. I absolutely don't want to install it on the client LAN without this capability. If need be, I'll set the binary to run setuid root. But I'm looking for something more elegant.
>
> While googling, I found a suggestion to use iptables mangle rules to set TOS for all packets going out of the box on ports like 5060 and 1:2. Not a bad hack, but indiscriminate, and this box will be handling other traffic besides the RTP. I'd like to do better.

It is possible for an iptables filter/rule to match packets in the OUTPUT chain based on the UID or GID of the process which created them, if you have the owner module loaded. You should be able to add a rule to the OUTPUT chain of the mangle table which will set the TOS properly for any and all outbound packets generated locally by the non-root user ID which you're using to run Asterisk.

Come to think of it, I think I need to do this myself. I'm using the ultimate Linux traffic conditioning configuration (modified very slightly) to prioritize my system's outbound traffic into multiple queues by TOS, and it's probably mis-queueing the RTP traffic because my Debian install of Asterisk is running under a non-root UID.

> I thought of using POSIX access control to enable asterisk to do TOS setting without being root (would this be CAP_NET_RAW?), which sounds perfect, but so far I'm operating with stock Ubuntu Hardy, and I would like to avoid a kernel build to add this capability.
>
> Any other ideas?

Seems like

    iptables -t mangle -A OUTPUT -m owner --uid-owner $ASTERISK

would be along the lines of what you want? Mark the packets with the TOS you want... and then consider using the Linux traffic-shaping system to make sure that they really do get transmitted ahead of non-urgent packets:

http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.ultimate-tc.html