Index: build_tools/menuselect-deps.in
===================================================================
--- build_tools/menuselect-deps.in	(revision 166949)
+++ build_tools/menuselect-deps.in	(working copy)
@@ -39,3 +39,4 @@
 MISDN=@PBX_MISDN@
 SUPPSERV=@PBX_SUPPSERV@
 GNU_LD=@GNU_LD@
+WORKING_FORK=@PBX_WORKING_FORK@
Index: configure
===================================================================
--- configure	(revision 166949)
+++ configure	(working copy)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 159808 .
+# From configure.ac Revision: 164343 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for asterisk 1.4.
 #
@@ -883,6 +883,7 @@
 PBX_ZAPTEL
 ALLOCA
 LIBOBJS
+PBX_WORKING_FORK
 POW_LIB
 GC_CFLAGS
 GC_LDFLAGS
@@ -12114,6 +12115,8 @@
 #define HAVE_WORKING_FORK 1
 _ACEOF
 
+  PBX_WORKING_FORK=1
+
 fi
 
 { echo "$as_me:$LINENO: checking for _LARGEFILE_SOURCE value needed for large files" >&5
@@ -32546,6 +32549,7 @@
 PBX_ZAPTEL!$PBX_ZAPTEL$ac_delim
 ALLOCA!$ALLOCA$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
+PBX_WORKING_FORK!$PBX_WORKING_FORK$ac_delim
 POW_LIB!$POW_LIB$ac_delim
 GC_CFLAGS!$GC_CFLAGS$ac_delim
 GC_LDFLAGS!$GC_LDFLAGS$ac_delim
@@ -32572,7 +32576,6 @@
 PBX_ZAPTEL_VLDTMF!$PBX_ZAPTEL_VLDTMF$ac_delim
 EDITLINE_LIB!$EDITLINE_LIB$ac_delim
 PBX_H323!$PBX_H323$ac_delim
-PBX_IXJUSER!$PBX_IXJUSER$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -32614,6 +32617,7 @@
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
+PBX_IXJUSER!$PBX_IXJUSER$ac_delim
 GTKCONFIG!$GTKCONFIG$ac_delim
 PBX_GTK!$PBX_GTK$ac_delim
 GTK_INCLUDE!$GTK_INCLUDE$ac_delim
@@ -32626,7 +32630,7 @@
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 10; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 11; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
Index: apps/app_festival.c
===================================================================
--- apps/app_festival.c	(revision 166949)
+++ apps/app_festival.c	(working copy)
@@ -25,6 +25,10 @@
  * \ingroup applications
  */
 
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -46,6 +50,9 @@
 #include <fcntl.h>
 #include <ctype.h>
 #include <errno.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/file.h"
 #include "asterisk/logger.h"
@@ -132,21 +139,33 @@
 	char c;
 #endif
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
 
-        res = fork();
-        if (res < 0)
-                ast_log(LOG_WARNING, "Fork failed\n");
-        if (res) {
+	res = fork();
+	if (res < 0)
+		ast_log(LOG_WARNING, "Fork failed\n");
+	if (res) {
 		pthread_sigmask(SIG_SETMASK, &oldset, NULL);
-                return res;
+		return res;
 	}
-        for (x=0;x<256;x++) {
-                if (x != fd)
-                        close(x);
-        }
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
+	for (x=0;x<256;x++) {
+		if (x != fd)
+			close(x);
+	}
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 	signal(SIGPIPE, SIG_DFL);
Index: apps/app_mp3.c
===================================================================
--- apps/app_mp3.c	(revision 166949)
+++ apps/app_mp3.c	(working copy)
@@ -25,6 +25,10 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -36,6 +40,9 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/time.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -65,6 +72,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -76,6 +86,15 @@
 		pthread_sigmask(SIG_SETMASK, &oldset, NULL);
 		return res;
 	}
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 	signal(SIGPIPE, SIG_DFL);
@@ -83,8 +102,7 @@
 
 	dup2(fd, STDOUT_FILENO);
 	for (x=STDERR_FILENO + 1;x<256;x++) {
-		if (x != STDOUT_FILENO)
-			close(x);
+		close(x);
 	}
 	/* Execute mpg123, but buffer if it's a net connection */
 	if (!strncasecmp(filename, "http://", 7)) {
Index: apps/app_ices.c
===================================================================
--- apps/app_ices.c	(revision 166949)
+++ apps/app_ices.c	(working copy)
@@ -25,6 +25,10 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -37,6 +41,9 @@
 #include <fcntl.h>
 #include <sys/time.h>
 #include <errno.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -65,6 +72,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -81,6 +91,16 @@
 	signal(SIGPIPE, SIG_DFL);
 	pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
 
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
+
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 	dup2(fd, STDIN_FILENO);
Index: apps/app_nbscat.c
===================================================================
--- apps/app_nbscat.c	(revision 166949)
+++ apps/app_nbscat.c	(working copy)
@@ -25,6 +25,10 @@
  * \ingroup applications
  */
  
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -37,6 +41,9 @@
 #include <fcntl.h>
 #include <sys/time.h>
 #include <sys/socket.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -69,6 +76,9 @@
 	int res;
 	int x;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -83,6 +93,15 @@
 	signal(SIGPIPE, SIG_DFL);
 	pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
 
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
 	if (ast_opt_high_priority)
 		ast_set_priority(0);
 
Index: apps/app_dahdiras.c
===================================================================
--- apps/app_dahdiras.c	(revision 166949)
+++ apps/app_dahdiras.c	(working copy)
@@ -27,6 +27,7 @@
 
 /*** MODULEINFO
 	<depend>dahdi</depend>
+	<depend>working_fork</depend>
  ***/
 
 #include "asterisk.h"
@@ -48,6 +49,9 @@
 #include <errno.h>
 #include <stdio.h>
 #include <fcntl.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -92,6 +96,9 @@
 	int argc = 0;
 	char *stringp=NULL;
 	sigset_t fullset, oldset;
+#ifdef HAVE_CAP
+	cap_t cap;
+#endif
 
 	sigfillset(&fullset);
 	pthread_sigmask(SIG_BLOCK, &fullset, &oldset);
@@ -103,6 +110,16 @@
 		return pid;
 	}
 
+#ifdef HAVE_CAP
+	cap = cap_from_text("cap_net_admin-eip");
+
+	if (cap_set_proc(cap)) {
+		/* Careful with order! Logging cannot happen after we close FDs */
+		ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+	}
+	cap_free(cap);
+#endif
+
 	/* Restore original signal handlers */
 	for (x=0;x<NSIG;x++)
 		signal(x, SIG_DFL);
Index: apps/app_externalivr.c
===================================================================
--- apps/app_externalivr.c	(revision 166949)
+++ apps/app_externalivr.c	(working copy)
@@ -31,6 +31,10 @@
  * \ingroup applications
  */
 
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -41,6 +45,9 @@
 #include <unistd.h>
 #include <errno.h>
 #include <signal.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -317,7 +324,16 @@
 	if (!pid) {
 		/* child process */
 		int i;
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
 
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
+
 		signal(SIGPIPE, SIG_DFL);
 		pthread_sigmask(SIG_UNBLOCK, &fullset, NULL);
 
Index: autoconf/ast_func_fork.m4
===================================================================
--- autoconf/ast_func_fork.m4	(revision 166949)
+++ autoconf/ast_func_fork.m4	(working copy)
@@ -39,6 +39,8 @@
 fi
 if test "x$ac_cv_func_fork_works" = xyes; then
   AC_DEFINE(HAVE_WORKING_FORK, 1, [Define to 1 if `fork' works.])
+  PBX_WORKING_FORK=1
+  AC_SUBST(PBX_WORKING_FORK)
 fi
 ])# AST_FUNC_FORK
 
Index: main/asterisk.c
===================================================================
--- main/asterisk.c	(revision 166949)
+++ main/asterisk.c	(working copy)
@@ -818,6 +818,15 @@
 #endif	
 
 	if (pid == 0) {
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
 #ifdef HAVE_WORKING_FORK
 		if (ast_opt_high_priority)
 			ast_set_priority(0);
@@ -842,7 +851,7 @@
 	}
 
 	ast_unreplace_sigchld();
-#else
+#else /* !defined(HAVE_WORKING_FORK) && !defined(HAVE_WORKING_VFORK) */
 	res = -1;
 #endif
 
@@ -2913,7 +2922,7 @@
 		if (has_cap) {
 			cap_t cap;
 
-			cap = cap_from_text("cap_net_admin=ep");
+			cap = cap_from_text("cap_net_admin=eip");
 
 			if (cap_set_proc(cap))
 				ast_log(LOG_WARNING, "Unable to install capabilities.\n");
Index: res/res_agi.c
===================================================================
--- res/res_agi.c	(revision 166949)
+++ res/res_agi.c	(working copy)
@@ -23,6 +23,10 @@
  * \author Mark Spencer <markster@digium.com> 
  */
 
+/*** MODULEINFO
+	<depend>working_fork</depend>
+ ***/
+
 #include "asterisk.h"
 
 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
@@ -44,6 +48,9 @@
 #include <fcntl.h>
 #include <errno.h>
 #include <sys/wait.h>
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/file.h"
 #include "asterisk/logger.h"
@@ -299,6 +306,16 @@
 		return AGI_RESULT_FAILURE;
 	}
 	if (!pid) {
+#ifdef HAVE_CAP
+		cap_t cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			/* Careful with order! Logging cannot happen after we close FDs */
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
+
 		/* Pass paths to AGI via environmental variables */
 		setenv("AST_CONFIG_DIR", ast_config_AST_CONFIG_DIR, 1);
 		setenv("AST_CONFIG_FILE", ast_config_AST_CONFIG_FILE, 1);
Index: res/res_musiconhold.c
===================================================================
--- res/res_musiconhold.c	(revision 166949)
+++ res/res_musiconhold.c	(working copy)
@@ -28,6 +28,7 @@
 /*** MODULEINFO
 	<conflict>win32</conflict>
 	<use>dahdi</use>
+	<depend>working_fork</depend>
  ***/
 
 #include "asterisk.h"
@@ -51,6 +52,9 @@
 #ifdef SOLARIS
 #include <thread.h>
 #endif
+#ifdef HAVE_CAP
+#include <sys/capability.h>
+#endif /* HAVE_CAP */
 
 #include "asterisk/lock.h"
 #include "asterisk/file.h"
@@ -450,7 +454,15 @@
 		return -1;
 	}
 	if (!class->pid) {
+		/* Child */
 		int x;
+#ifdef HAVE_CAP
+		cap_t cap;
+#endif
+		if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
+			ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
+			_exit(1);
+		}
 
 		if (ast_opt_high_priority)
 			ast_set_priority(0);
@@ -459,6 +471,14 @@
 		signal(SIGPIPE, SIG_DFL);
 		pthread_sigmask(SIG_UNBLOCK, &signal_set, NULL);
 
+#ifdef HAVE_CAP
+		cap = cap_from_text("cap_net_admin-eip");
+
+		if (cap_set_proc(cap)) {
+			ast_log(LOG_WARNING, "Unable to remove capabilities.\n");
+		}
+		cap_free(cap);
+#endif
 		close(fds[0]);
 		/* Stdout goes to pipe */
 		dup2(fds[1], STDOUT_FILENO);
@@ -468,12 +488,8 @@
 				close(x);
 			}
 		}
-		/* Child */
-		if (strcasecmp(class->dir, "nodir") && chdir(class->dir) < 0) {
-			ast_log(LOG_WARNING, "chdir() failed: %s\n", strerror(errno));
-			_exit(1);
-		}
 		setpgid(0, getpid());
+
 		if (ast_test_flag(class, MOH_CUSTOM)) {
 			execv(argv[0], argv);
 		} else {