* Florian Weimer:

> * Kilian Krause:
>
>> yes, that's due to the fact that some other users complained about the
>> -U and -G not working effectively enough for their needs. The dilemma is
>> that either we let asterisk drop privileges *AFTER* setting realtime
>> prio (launching as root and being limited to one group), or we switch to
>> that asterisk user *BEFORE* launching asterisk (and getting all the
>> groups, but asterisk user cannot set realtime-prio).
>>
>> Any solution that does address both issues is welcome.
>
> In the process of dropping privileges, you should call initgroups to
> set the supplemental groups list.

I've been asked to provide a patch, here it is (well, sort of, completely
untested, you know the drill):

Before the following code snippet in asterisk.c

        if (setuid(pw->pw_uid)) {
                ast_log(LOG_WARNING, "Unable to setuid to %d (%s)\n", pw->pw_uid, runuser);
                exit(1);
        }

insert this code:

        /* Still root here: set the group list and gid before setuid(). */
        if (initgroups(runuser, pw->pw_gid)) {
                ast_log(LOG_WARNING, "Unable to initialize supplementary group list for %s\n", runuser);
                exit(1);
        }
        if (setgid(pw->pw_gid)) {
                ast_log(LOG_WARNING, "Unable to setgid to %d\n", pw->pw_gid);
                exit(1);
        }

You might want to guard the new if statements with

        if (!rungroup) {
                ...
        }

Otherwise the -G option is no longer effective if the -U option is
present.
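
The drop sequence discussed in this message, as an added example in C that is not part of the original post or of Asterisk's code. drop_privileges() is a hypothetical helper, its handling of -G (keep only the named group) is an assumption, and it goes slightly beyond the snippet by checking afterwards that root cannot be regained.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper, not Asterisk code. Call it while still root, after
 * root-only setup such as requesting realtime priority.
 * runuser is the -U value, rungroup the -G value or NULL.
 * Returns 0 on success, -1 on failure (the caller should then exit). */
int drop_privileges(const char *runuser, const char *rungroup)
{
    struct passwd *pw = getpwnam(runuser);
    if (!pw) {
        fprintf(stderr, "Unknown user %s\n", runuser);
        return -1;
    }
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    if (rungroup) {
        /* Assumed -G behaviour: run with only the named group. */
        struct group *gr = getgrnam(rungroup);
        if (!gr) {
            fprintf(stderr, "Unknown group %s\n", rungroup);
            return -1;
        }
        gid = gr->gr_gid;
        if (setgroups(0, NULL)) { perror("setgroups"); return -1; }
    } else {
        /* -U only: load every group the user is a member of. */
        if (initgroups(runuser, gid)) { perror("initgroups"); return -1; }
    }
    /* Group IDs first: once setuid() succeeds they can no longer be changed. */
    if (setgid(gid)) { perror("setgid"); return -1; }
    if (setuid(uid)) { perror("setuid"); return -1; }

    /* A successful drop to a non-root user must not be reversible. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "Root can still be regained\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    return (argc < 2 || drop_privileges(argv[1], argc > 2 ? argv[2] : NULL)) ? 1 : 0;
}
```

Run as a non-root user, the helper fails at initgroups() or setgroups(), because changing the group list requires privilege; that is the reason the drop has to happen inside the process that started as root.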