Bug#293124: asterisk does not start from init script with high priority

Florian Weimer <fw@deneb.enyo.de>, 293124@bugs.debian.org
Wed, 02 Feb 2005 23:57:45 +0100


* Florian Weimer:

> * Kilian Krause:
>
>> yes, that's due to the fact that some other users complained about the
>> -U and -G not working effectively enough for their needs. The dilemma is
>> that either we let asterisk drop privileges *AFTER* setting realtime
>> prio (launching as root and being limited to one group), or we switch to
>> that asterisk user *BEFORE* launching asterisk (and getting all the
>> groups, but asterisk user cannot set realtime-prio).
>>
>> Any solution that does address both issues is welcome.
>
> In the process of dropping privileges, you should call initgroups to
> set the supplemental groups list.

I've been asked to provide a patch, here it is (well, sort of,
completely untested, you know the drill):


Before the following code snippet in asterisk.c

  if (setuid(pw->pw_uid)) {
  	ast_log(LOG_WARNING, "Unable to setuid to %d (%s)\n", pw->pw_uid, runuser);
  	exit(1);
  }

insert this code:

  if (initgroups(runuser, pw->pw_gid)) {
  	ast_log(LOG_WARNING, "Unable to initialize supplementary group list for %s\n", runuser);
  	exit(1);
  }
  if (setgid(pw->pw_gid)) {
  	ast_log(LOG_WARNING, "Unable to setgid to %d\n", pw->pw_gid);
  	exit(1);
  }

You might want to guard the new if statements with

  if (!rungroup) {
    ...
  }

Otherwise the -G option is no longer effective if the -U option is
present.
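
The drop sequence discussed in this message, as a self-contained added example (not part of the original mail and not Asterisk's code). The helper name drop_privileges, its enum and its group argument (standing in for -G/rungroup) are hypothetical; it also verifies that root cannot be regained afterwards.

```c
#define _DEFAULT_SOURCE            /* initgroups(), setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK, DROP_NO_USER, DROP_NO_GROUP, DROP_GROUPS,
                   DROP_GID, DROP_UID, DROP_REVERSIBLE };

/* Hypothetical helper. Call it only after the work that needs root
 * (e.g. setting realtime priority) is done. With group == NULL the user's
 * primary and supplementary groups come from the account database
 * (the initgroups case); otherwise the process keeps only `group`. */
enum drop_result drop_privileges(const char *user, const char *group)
{
    struct passwd *pw = user ? getpwnam(user) : NULL;
    if (!pw)
        return DROP_NO_USER;
    uid_t uid = pw->pw_uid;        /* copy: pw points to static storage */
    gid_t gid = pw->pw_gid;

    if (group) {
        struct group *gr = getgrnam(group);
        if (!gr)
            return DROP_NO_GROUP;
        gid = gr->gr_gid;
        if (setgroups(1, &gid))    /* replace root's supplementary groups */
            return DROP_GROUPS;
    } else if (initgroups(user, gid)) {
        return DROP_GROUPS;
    }
    /* Groups first: once setuid() succeeds we may no longer change them. */
    if (setgid(gid))
        return DROP_GID;
    if (setuid(uid))
        return DROP_UID;
    /* The drop must be permanent: regaining uid 0 has to fail. */
    if (uid != 0 && setuid(0) == 0)
        return DROP_REVERSIBLE;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [group]\n", argv[0]);
        return 2;
    }
    enum drop_result r = drop_privileges(argv[1], argc > 2 ? argv[2] : NULL);
    printf("drop_privileges: %d, uid=%d gid=%d\n", r, (int)getuid(), (int)getgid());
    return r != DROP_OK;
}
```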