I noticed when installing the resulting package, I get a few warnings about differing permissions:
warning: directory permissions differ on /etc/asterisk/
filesystem: 750 package: 755
warning: directory permissions differ on /run/asterisk/
filesystem: 750 package: 755
warning: directory permissions differ on /tmp/
filesystem: 1777 package: 755
warning: directory permissions differ on /var/lib/asterisk/
filesystem: 750 package: 755
warning: directory permissions differ on /var/log/asterisk/
filesystem: 750 package: 755
warning: directory permissions differ on /var/spool/asterisk/
filesystem: 750 package: 755
It looks like the tmpfiles hook runs well after this; is there any way to avoid these warnings to begin with?
Fixes are in my package
man tmpfiles.d wrote: It is mostly commonly used for volatile and temporary files and directories (such as those located under /run/, /tmp/, /var/tmp/, the API file systems such as /sys/ or /proc/, as well as some other directories below /var/).
Are you two sure using tmpfiles for the asterisk folder in /etc is a good idea?
If yes, did you ensure the age parameter is set correctly so the /etc/asterisk folder won't be cleaned (removed)?
I believe so, that is what loqs suggested.
As you can see above, age is set to -.
Z /etc/asterisk - asterisk asterisk
d /etc/asterisk 0750 - - -
z /etc/asterisk/*.adsi 0640 - -
z /etc/asterisk/*.ael 0640 - -
z /etc/asterisk/*.conf 0640 - -
z /etc/asterisk/*.lua 0640 - -
z /etc/asterisk/*.timers 0640 - -
d /run/asterisk 0750 asterisk asterisk -
d /var/lib/asterisk 0750 asterisk asterisk -
d /var/log/asterisk 0750 asterisk asterisk -
d /var/spool/asterisk 0750 asterisk asterisk -
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/telcordia-1.adsi (owned by root) during canonicalization of /etc/asterisk/telcordia-1.adsi.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/asterisk.adsi (owned by root) during canonicalization of /etc/asterisk/asterisk.adsi.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/extensions.ael (owned by root) during canonicalization of /etc/asterisk/extensions.ael.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/acl.conf (owned by root) during canonicalization of /etc/asterisk/acl.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/res_config_sqlite3.conf (owned by root) during canonicalization of /etc/asterisk/res_config_sqlite3.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/asterisk.conf (owned by root) during canonicalization of /etc/asterisk/asterisk.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/aeap.conf (owned by root) during canonicalization of /etc/asterisk/aeap.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/osp.conf (owned by root) during canonicalization of /etc/asterisk/osp.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/cdr_beanstalkd.conf (owned by root) during canonicalization of /etc/asterisk/cdr_beanstalkd.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/meetme.conf (owned by root) during canonicalization of /etc/asterisk/meetme.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/dundi.conf (owned by root) during canonicalization of /etc/asterisk/dundi.conf.
Detected unsafe path transition /etc/asterisk (owned by asterisk) → /etc/asterisk/cel.conf (owned by root) during canonicalization of /etc/asterisk/cel.conf.
...
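A static check for the two problems this exchange turns up, written as an added example for this thread (not a tool from the package or the thread): config entries under /etc that stay world-readable, and a child entry whose owner differs from a non-root parent directory, which is the condition systemd-tmpfiles reports as an unsafe path transition. The fragments below are constructed after the ones posted above.

```python
"""Static lint for tmpfiles.d fragments (added example, not a tool from this thread)."""
import posixpath

# Constructed samples modelled on the fragments posted in the thread.
# "-" in the user field leaves ownership untouched, i.e. root for files
# that pacman installed.
MIXED_OWNERS = """\
Z /etc/asterisk - asterisk asterisk
d /etc/asterisk 0750 - - -
z /etc/asterisk/*.conf 0640 - -
d /run/asterisk 0750 asterisk asterisk -
"""
CONSISTENT = """\
d /etc/asterisk 0750 asterisk asterisk -
z /etc/asterisk/*.conf 0640 asterisk asterisk
d /run/asterisk 0750 asterisk asterisk -
"""
WORLD_READABLE = "d /etc/asterisk 0755 - - -\nz /etc/asterisk/*.conf 0644 - -\n"


def parse_tmpfiles(text):
    """Return (type, path, mode, user, group) tuples; '-' or missing fields become None."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = (line.split() + ["-"] * 5)[:5]
        entries.append(tuple(None if f == "-" else f for f in fields))
    return entries


def lint(text):
    """Flag world-readable entries under /etc and child entries whose owner
    differs from a non-root parent directory (what systemd-tmpfiles reports
    as an unsafe path transition; a root-owned parent is always accepted)."""
    entries = parse_tmpfiles(text)
    findings = []
    dir_owner = {}  # directory -> owner after this fragment is applied (None == root)
    for kind, path, mode, user, _group in entries:
        if mode and path.startswith("/etc/") and int(mode, 8) & 0o004:
            findings.append(f"world-readable: {kind} {path} {mode}")
        if kind in ("d", "D", "z", "Z") and "*" not in path:
            dir_owner[path] = user or dir_owner.get(path)  # '-' keeps the previous owner
    for kind, path, _mode, user, _group in entries:
        parent_owner = dir_owner.get(posixpath.dirname(path))
        if parent_owner and parent_owner != user:
            findings.append(f"unsafe transition: {posixpath.dirname(path)} "
                            f"({parent_owner}) -> {path} ({user or 'root'})")
    return findings
```

Running lint() over MIXED_OWNERS reproduces the asterisk-owned directory to root-owned file mismatch behind the log lines above; CONSISTENT yields no findings.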
Well, .pacnew wouldn't contain any secrets and, as far as I can tell from the docs loqs shared, the .conf files are renamed, which should preserve perms. I think we're good there.
If you're in agreement with the above, I can push that change with the update that's pending so long.
LGTM (Looks Good To Me). I'll make the change in my local copy.
Should we also include *.pacsave and *.pacnew? I'm not sure what happens to the permissions (if anything) when pacman creates these.
nkukard wrote: @ectospasm I'm about to make the tmpfiles change on my end as well, but one thing I noticed is all config files are globally readable ... we should probably decide if we're going to 0750 the /etc/asterisk directory, or if we're going to set 0640 on the config files.
Many of these config files can contain secrets and it's probably not in the best interest of security that they be world readable.
Let me know what you think.
That sounds like a good idea to me. I don't think there is anything in there that needs the execute bit, so I was going to set the permissions to 0640 unless you're aware of something I am not. But my asterisk.tmpfiles doesn't have an entry for /etc/asterisk, could you provide the example? The directory itself should be 0750, but its contents should be 0640.
Here is what I was thinking...
d /etc/asterisk 0750 asterisk asterisk -
z /etc/asterisk/*.adsi 0640 asterisk asterisk
z /etc/asterisk/*.ael 0640 asterisk asterisk
z /etc/asterisk/*.conf 0640 asterisk asterisk
z /etc/asterisk/*.lua 0640 asterisk asterisk
d /run/asterisk 0750 asterisk asterisk -
d /var/lib/asterisk 0750 asterisk asterisk -
d /var/log/asterisk 0750 asterisk asterisk -
d /var/spool/asterisk 0750 asterisk asterisk -
# Maintainer: Trey Blancher <trey@blancher.net>
# Contributor: Nigel Kukard <nkukard@lbsd.net>
# Contributor: Caleb Maclennan <caleb@alerque.com>
# Contributor: Maxim Kurnosenko <asusx2@mail.ru>
# Contributor: Xavier Devlamynck <magicrhesus@ouranos.be>
# Contributor: Alessio Biancalana <dottorblaster@gmail.com>
# Contributor: Maik Broemme <mbroemme@libmpq.org>
# Contributor: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
_pkg=asterisk
pkgname=${_pkg}-lts-18
pkgver=18.13.0
pkgrel=1
pkgdesc='A complete open source PBX toolkit - Long Term Support release 18'
arch=(x86_64 i686 aarch64 armv7h)
url=https://www.asterisk.org
license=(GPL)
provides=("${_pkg}=${pkgver}")
conflicts=(${_pkg})
depends=(alsa-lib
curl
gsm
imap
jansson
libedit
libsrtp
libvorbis
libxml2
libvpx
libx11
libxslt
lua53
opus
popt
postgresql-libs
python
speex)
makedepends=(gsm
sqlite3)
optdepends=(dahdi
libpri
libss7
openr2
postgresql
sqlite3
unixodbc)
_confs=(acl.conf
adsi.conf
aeap.conf
agents.conf
alarmreceiver.conf
alsa.conf
amd.conf
app_mysql.conf
app_skel.conf
ari.conf
ast_debug_tools.conf
asterisk.adsi
asterisk.conf
calendar.conf
ccss.conf
cdr_adaptive_odbc.conf
cdr_beanstalkd.conf
cdr.conf
cdr_custom.conf
cdr_manager.conf
cdr_mysql.conf
cdr_odbc.conf
cdr_pgsql.conf
cdr_sqlite3_custom.conf
cdr_syslog.conf
cdr_tds.conf
cel_beanstalkd.conf
cel.conf
cel_custom.conf
cel_odbc.conf
cel_pgsql.conf
cel_sqlite3_custom.conf
cel_tds.conf
chan_dahdi.conf
chan_mobile.conf
cli_aliases.conf
cli.conf
cli_permissions.conf
codecs.conf
confbridge.conf
config_test.conf
console.conf
dbsep.conf
dnsmgr.conf
dsp.conf
dundi.conf
enum.conf
extconfig.conf
extensions.ael
extensions.conf
extensions.lua
extensions_minivm.conf
features.conf
festival.conf
followme.conf
func_odbc.conf
hep.conf
http.conf
iax.conf
iaxprov.conf
indications.conf
logger.conf
manager.conf
meetme.conf
mgcp.conf
minivm.conf
misdn.conf
modules.conf
motif.conf
musiconhold.conf
muted.conf
ooh323.conf
osp.conf
oss.conf
phone.conf
phoneprov.conf
pjproject.conf
pjsip.conf
pjsip_notify.conf
pjsip_wizard.conf
prometheus.conf
queuerules.conf
queues.conf
res_config_mysql.conf
res_config_sqlite3.conf
res_config_sqlite.conf
res_corosync.conf
res_curl.conf
res_fax.conf
res_ldap.conf
res_odbc.conf
resolver_unbound.conf
res_parking.conf
res_pgsql.conf
res_pktccops.conf
res_snmp.conf
res_stun_monitor.conf
rtp.conf
say.conf
sip.conf
sip_notify.conf
skinny.conf
sla.conf
smdi.conf
sorcery.conf
ss7.timers
stasis.conf
statsd.conf
stir_shaken.conf
telcordia-1.adsi
test_sorcery.conf
udptl.conf
unistim.conf
users.conf
voicemail.conf
vpb.conf
xmpp.conf)
backup=("${_confs[@]/#/etc/$_pkg/}")
_archive="${_pkg}-$pkgver"
source=("https://downloads.asterisk.org/pub/telephony/${_pkg}/releases/$_archive.tar.gz"
"${_pkg}.sysusers"
"${_pkg}.logrotated"
"${_pkg}.tmpfiles")
sha256sums=('92681b928b75309860ebfd192ad8d1db3df3cdaebab401a2abc666ffaea096bf'
'38a53911647fb2308482179cba605ebf12345df37eed23eb4ea67bf0bf041486'
'b97dc10a262621c95e4b75e024834712efd58561267b59b9171c959ecd9f7164'
'673c0c55bce8068c297f9cdd389402c2d5d5a25e2cf84732cb071198bd6fa78a')
build() {
cd "$_archive"
# Work around Cyrus bug #2629
# https://github.com/cyrusimap/cyrus-imapd/issues/2629
export LDFLAGS="${LDFLAGS/,--as-needed}"
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--sbindir=/usr/bin \
--with-imap=system
make MENUSELECT_CFLAGS= OPTIMIZE= DEBUG= ASTVARRUNDIR=/run/asterisk NOISY_BUILD=1
}
package(){
cd "$_archive"
make DESTDIR="$pkgdir" install
make DESTDIR="$pkgdir" install-headers
make DESTDIR="$pkgdir" samples
# Not entirely convinced this part is necessary, LTS releases shouldn't be
# adding features, so the _confs and backup arrays shouldn't change.
# Keeping here for posterity, need to go through a few pkgver and pkgrel
# bumps before we remove this. 2022-05-26 I was actually wrong about this,
# Asterisk 18.12 introduced a new config file, aeap.conf. New features could
# be added to Asterisk 18 until 2024-10-20, when it goes into Security Fix Only.
# From 'asterisk' PKGBUILD: Backup file list changes frequently and is hard
# to keep up to date. Check that our current meta data matches whatever just
# got packaged, else flunk with a helpful output of where the lists differ.
# We have to compare twice because cmp has a useful exit code, comm has
# useful output, neither both
local _backs=($(cd "$pkgdir/etc/${_pkg}" && echo *))
cmp -s \
<(IFS=$'\n'; echo "${_confs[*]}" | sort) \
<(IFS=$'\n'; echo "${_backs[*]}" | sort) ||
(comm -3 --nocheck-order \
<(IFS=$'\n'; echo "${_confs[*]}" | sort) \
<(IFS=$'\n'; echo "${_backs[*]}" | sort) &&
exit 1)
sed -i -e 's,/var/run,/run,' "$pkgdir/etc/asterisk/asterisk.conf"
install -Dm644 -t "$pkgdir/usr/share/doc/${_pkg}/examples" "$pkgdir/etc/asterisk/"*
mv "$pkgdir/var/run" "$pkgdir"
pushd contrib/systemd
# $_pkg, not the undefined $pkname: the glob only matched by accident before
install -Dm644 -t "$pkgdir/usr/lib/systemd/system/" "$_pkg"*.{service,socket}
pushd "$srcdir"
install -Dm644 "${_pkg}.sysusers" "$pkgdir/usr/lib/sysusers.d/${_pkg}.conf"
install -Dm644 "${_pkg}.logrotated" "$pkgdir/etc/logrotate.d/${_pkg}"
install -Dm644 "${_pkg}.tmpfiles" "$pkgdir/usr/lib/tmpfiles.d/${_pkg}.conf"
}
I renamed asterisk.tmpfile to asterisk.tmpfiles:
d /run/asterisk 0755 asterisk asterisk -
Here's the updated asterisk.sysusers:
# ID field "-": let systemd-sysusers allocate a free system UID/GID (a path
# to a root-owned binary in this field is not a valid ID)
u asterisk - "Asterisk PBX and telephony" /run/asterisk
And asterisk.logrotated:
/var/log/asterisk/*_log /var/log/asterisk/messages.log {
create 640 asterisk asterisk
compress
missingok
notifempty
postrotate
# the PKGBUILD configures --sbindir=/usr/bin, so the binary lives there
/usr/bin/asterisk -rx "logger reload" 1>/dev/null || true
endscript
}
asterisk.install is no longer referenced by the PKGBUILD, so I removed it. Let me know if there's anything more I can do for asterisk-lts-18.