pjkundert
commented
1 week ago I would vote that we should retain the capabilities assigned at start-up through the daemon fork, and then manually add CAP_NET_ADMIN to that pre-existing set. Perhaps we could limit the capabilities with a mask, to avoid completely unnecessary ones. However, CAP_NET_BIND_SERVICE should be part of the allowed set, IMHO.
Unfortunately, asterisk/main/asterisk.c ignores SecureBits=keep-caps and unilaterally drops all Capabilities granted by init (eg. systemd), and manually grants variously "cap_net_admin-eip" or "cap_net_admin=eip" in https://github.com/asterisk/asterisk/blob/f3e88d366c3392c03872271a758e364559c8e5cf/main/app.c#L3359, https://github.com/asterisk/asterisk/blob/f3e88d366c3392c03872271a758e364559c8e5cf/main/asterisk.c#L3978, and https://github.com/asterisk/asterisk/blob/f3e88d366c3392c03872271a758e364559c8e5cf/main/asterisk.c#L4059
None of this is really correct. If I grant SecureBits=keep-caps in asterisk.service, it indicates that I wish to retain the Capabilities designated for the Asterisk server; CAP _NET_BIND_SERVICE, for example, to allow binding to low ports. It could (and should) then retrieve my assigned Capabilities, add CAP_NET_ADMIN, and cap_set_proc the result. It could retain the implied dropping of Capabilities on fork if SecureBits isn't set, even though we're starting as a non-root user and it won't happen automatically.
Unilaterally discarding assigned Capabilities regardless of clear security configuration intent is a disturbing assumption of omniscience on the part of us Asterisk developers...
Originally posted by @pjkundert in https://github.com/asterisk/asterisk/issues/316#issuecomment-2166880335