Summary: | ASTERISK-09700: runasuser/runasgroup used even for -r means reconnecting users must be root | ||
Reporter: | Stuart Henderson (stuarth) | Labels: | |
Date Opened: | 2007-06-18 05:26:58 | Date Closed: | 2007-10-17 10:18:55 |
Priority: | Minor | Regression? | No |
Status: | Closed/Complete | Components: | Core/Configuration |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) 20070904__bug9999.diff.txt ( 1) can_drop_privs.diff | |
Description: | When runasuser/runasgroup are configured in asterisk.conf, they are used whenever Asterisk is started, including when reconnecting to a running instance. This means that it's not possible to just use filesystem permissions on asterisk.ctl to restrict access, since without being root the setuid/setgid calls will fail. Wrapping the setuid block in main/asterisk.c with "if(!ast_opt_remote) { ... }" would make things easier. ****** ADDITIONAL INFORMATION ****** Workaround is to just use -U/-G on the command line when starting as a daemon, but using the facility to set this in asterisk.conf makes it less likely to be forgotten. | ||
Comments: |
By: Tzafrir Cohen (tzafrir) 2007-08-31 16:01:02
The socket is indeed created by root. However, you can set the owner, group and/or permissions of that file in the [files] section of asterisk.conf. See http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt . Alternatively, chown / chmod manually the socket to test that you can connect as any user.

By: Stuart Henderson (stuarth) 2007-08-31 16:12:55
No, you misunderstand. The socket is already created with the relevant permissions; the problem is that when runasuser is set, asterisk always tries to setuid(). When you are a non-root user, this always fails. If you have set runasuser in asterisk.conf, you cannot use -r to reconnect to a running instance of Asterisk, even if you have permissions to access the socket, unless you are root (i.e. are able to setuid(_runasuser_)).

By: Tilghman Lesher (tilghman) 2007-08-31 17:10:29
This should fix it. Please test and report back.

By: Tzafrir Cohen (tzafrir) 2007-08-31 17:29:47
Took a slightly different approach here: the test here is the same test applied as in the case of is_child_of_nonroot. Thus I renamed is_child_of_nonroot to can_drop_privs (reversing its logic to avoid negations). can_drop_privs will now be set by default, and reset in the following cases:
* A remote console. No use dropping privileges.
* If we have already dropped privileges, and now we re-exec (through a restart command).

By: Stuart Henderson (stuarth) 2007-08-31 17:36:39
Corydon76: yes, that works. tzafrir: I like this approach, though you have set can_drop_privs=1 in lines 2563 and 2671 where you mean =0.

By: Tilghman Lesher (tilghman) 2007-09-04 11:41:01
Okay, let's change this up a bit more.

By: Tzafrir Cohen (tzafrir) 2007-09-04 13:20:18
The tests for the user and from the group option behave differently.
By: Digium Subversion (svnbot) 2007-10-17 10:04:32
Repository: asterisk
Revision: 86066

U branches/1.4/main/asterisk.c

------------------------------------------------------------------------
r86066 | tilghman | 2007-10-17 10:23:51 -0500 (Wed, 17 Oct 2007) | 3 lines

When runuser/rungroup is specified, a remote console could only be attained by root (Closes issue ASTERISK-9700)
------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-10-17 10:18:55
Repository: asterisk
Revision: 86079

_U trunk/
U trunk/main/asterisk.c

------------------------------------------------------------------------
r86079 | tilghman | 2007-10-17 10:18:54 -0500 (Wed, 17 Oct 2007) | 11 lines

Merged revisions 86066 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r86066 | tilghman | 2007-10-17 10:23:51 -0500 (Wed, 17 Oct 2007) | 3 lines

When runuser/rungroup is specified, a remote console could only be attained by root (Closes issue ASTERISK-9700)
........
------------------------------------------------------------------------
|
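The behaviour discussed in this issue, as an added C example that is neither Asterisk's code nor one of the attached patches: decide whether to drop privileges before calling setuid(), skip the drop for a remote console or an already-dropped process, and verify the drop when it does happen. All function and enum names are hypothetical, and taking the group from the user's passwd entry (rather than a separate runasgroup setting) is a simplifying assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* for initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not Asterisk source. */
enum drop_plan { DROP_SKIP_REMOTE, DROP_SKIP_UNSET, DROP_SKIP_ALREADY,
                 DROP_REFUSE, DROP_DO };

/* Decide before touching any credential. A remote console only talks to
 * the control socket, so it has no reason to call setuid()/setgid(). */
enum drop_plan plan_drop(int remote_console, const char *runas_user,
                         uid_t euid, uid_t target_uid)
{
    if (remote_console)
        return DROP_SKIP_REMOTE;
    if (!runas_user || !*runas_user)
        return DROP_SKIP_UNSET;
    if (euid == target_uid)
        return DROP_SKIP_ALREADY;    /* e.g. re-exec after an earlier drop */
    if (euid != 0)
        return DROP_REFUSE;          /* daemon started as another user: fail closed */
    return DROP_DO;
}

/* Returns 0 when privileges were dropped or no drop applies, -1 on failure. */
int drop_privs(int remote_console, const char *runas_user)
{
    struct passwd *pw = NULL;
    if (!remote_console && runas_user && *runas_user && !(pw = getpwnam(runas_user)))
        return -1;                   /* configured user does not exist */
    switch (plan_drop(remote_console, runas_user, geteuid(), pw ? pw->pw_uid : 0)) {
    case DROP_DO:     break;
    case DROP_REFUSE: return -1;
    default:          return 0;      /* remote console, unset, or already dropped */
    }
    /* Order matters: supplementary groups and gid first, uid last. */
    if (initgroups(pw->pw_name, pw->pw_gid) || setgid(pw->pw_gid) || setuid(pw->pw_uid))
        return -1;
    /* A completed drop must not be reversible. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}
```

With the remote-console case skipped, access to a running instance is governed by the ownership and mode of the control socket alone, which is what the reporter wanted to rely on.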