On Thursday 15 December 2005 23:10, Matteo Brancaleoni wrote:
> Hi,
>
> here's attached a small patch against asterisk 1.2.0 (ok with 1.2.1
> also) that allows asterisk, when running as non-root, to get
> access to visdn sockets.
Let me explain what your patch does and why it is needed.

I hope everyone agrees that transmitting q931 packets should be a privileged operation, otherwise every user on the system could place calls or disrupt q931 operations.

The privilege (capability) I require of the socket opener is CAP_NET_BIND_SERVICE. Processes with that capability may bind to tcp/udp ports under 1024. Every process running as uid 0 has all the capabilities, including CAP_NET_BIND_SERVICE. Running Asterisk with all the capabilities is, of course, not desirable, so that patch makes it possible to:

1- Run asterisk with just that capability. If someone exploits a vulnerability in asterisk, the additional threats posed by that capability are minimal, unless you are running rsh and trusting that box :)

2- Run asterisk with a uid != 0 so that files accessed or created can be owned by a specific user for asterisk.

We chose not to drop the capability after having opened the socket since we would have lost the possibility of dynamically configuring new interfaces.

I've yet to test that patch but it's something I will do soon.

My long-term idea on how capabilities should be handled by asterisk is that asterisk should:

1- be started as root
2- load the modules (maybe a subset marked as privileged)
3- call a privileged initialization function which would either preallocate privileged resources or return a set of needed capabilities.
4- switch uid and drop all the capabilities except the ones requested by the modules

Maybe I will provide a patch to the asterisk people... maybe not :)

Bye,

-- 
Daniele Orlandi

_______________________________________________
Visdn-hackers mailing list
[email protected]
https://mailman.uli.it/mailman/listinfo/visdn-hackers
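The long-term scheme sketched in the mail above (start as root, let modules declare the capabilities they need, switch uid, drop everything else) as an added example in C. This is not visDN or Asterisk code and not the patch under discussion. It assumes Linux, the raw capset(2) syscall with the v3 capability format, a hypothetical module that requested only CAP_NET_BIND_SERVICE, and a placeholder target uid/gid of 65534.

```c
/* Added example (not visDN or Asterisk code): keep only the capabilities
 * the privileged init step asked for, then switch uid.
 * Assumes Linux, capset(2) via syscall(), v3 capability format. */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Two 32-bit words per set in the v3 format (capabilities 0..63). */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

struct cap_mask { uint32_t w[CAP_WORDS]; };

/* Build the bitmask for a list of capability numbers (what the modules'
 * privileged init would return). Out-of-range values are rejected so a bad
 * request fails loudly instead of being silently ignored. */
int cap_mask_build(const int *caps, size_t n, struct cap_mask *m)
{
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) {
        if (caps[i] < 0 || caps[i] >= 32 * CAP_WORDS)
            return -1;
        m->w[caps[i] / 32] |= (uint32_t)1 << (caps[i] % 32);
    }
    return 0;
}

int cap_mask_has(const struct cap_mask *m, int cap)
{
    if (cap < 0 || cap >= 32 * CAP_WORDS)
        return 0;
    return (m->w[cap / 32] >> (cap % 32)) & 1;
}

/* Switch to uid/gid while retaining exactly the capabilities in `keep`
 * (permitted + effective). Must be called while still root. */
int drop_privs_keeping(uid_t uid, gid_t gid, const struct cap_mask *keep)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[CAP_WORDS];

    /* Without KEEPCAPS, setuid() away from 0 empties the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) == -1) return -1;
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    /* setuid() cleared the effective set; capset() re-raises the kept
     * subset and trims permitted down to it. Inheritable stays empty so
     * anything exec'd from here (rsh and friends) starts with nothing. */
    for (int i = 0; i < CAP_WORDS; i++) {
        data[i].effective = keep->w[i];
        data[i].permitted = keep->w[i];
        data[i].inheritable = 0;
    }
    if (syscall(SYS_capset, &hdr, data) == -1) return -1;
    /* execve() resets KEEPCAPS anyway; clear it explicitly for clarity. */
    return prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
}

/* Demo for one hypothetical module that asked for CAP_NET_BIND_SERVICE. */
int main(void)
{
    const int wanted[] = { CAP_NET_BIND_SERVICE };   /* from module init */
    struct cap_mask keep;

    if (cap_mask_build(wanted, 1, &keep) == -1) return 1;
    if (geteuid() != 0) {
        printf("not root; would keep mask word0=%#x\n", (unsigned)keep.w[0]);
        return 0;
    }
    if (drop_privs_keeping(65534, 65534, &keep) == -1) {  /* placeholder ids */
        perror("drop_privs_keeping");
        return 1;
    }
    printf("now uid %d, still holding CAP_NET_BIND_SERVICE\n", (int)getuid());
    return 0;
}
```

The order matters: PR_SET_KEEPCAPS must be set before setuid(), and capset() can only shrink the permitted set, which is why the mask is applied after the uid switch rather than before it. A process that needs to open new privileged sockets later (the dynamic-interface case in the mail) keeps the capability in the permitted set; everything else is gone for good.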
