[asterisk-bugs] [Asterisk 0011123]: [patch] Implement asterisk CLI permissions.
noreply at bugs.digium.com
noreply at bugs.digium.com
Wed Oct 31 08:01:20 CDT 2007
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=11123
======================================================================
Reported By: eliel
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 11123
Category: Core-General
Reproducibility: always
Severity: feature
Priority: normal
Status: new
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!): 87627
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 10-30-2007 13:50 CDT
Last Modified: 10-31-2007 08:01 CDT
======================================================================
Summary: [patch] Implement asterisk CLI permissions.
Description:
Restrict users to run only a subset of commands allow (configured by an
administrator).
You need write access to the asterisk.ctl socket file.
This is useful when you need to allow run commands on the asterisk CLI to
some users for support purposes also is a secure manner to prevent commands
like 'restart now' or 'stop now' being executed by mistake.
======================================================================
----------------------------------------------------------------------
eliel - 10-31-07 08:01
----------------------------------------------------------------------
Login name: eliel
The 'cli permissions check <username>' command shows all the allowed
commands for this user. As you could see user 'eliel' does not has
permissions to run command 'stop now'. (Asterisk is running as root uid=0)
eliel*CLI> cli permissions check eliel
cli permissions check Try a permissions config for a user
cli permissions reload Reload CLI permissions config
cli permissions show Show CLI permissions
core set debug channel Enable/disable debugging on a channel
core set {debug|verbose} [off| Set level of debug/verbose chattiness
core set global Set global dialplan variable
sip show peer Show details on specific SIP peer
eliel*CLI> ! asterisk -rx "stop now"
You don't have permissions to run 'stop now' command
eliel*CLI> ! id
uid=1000(eliel) gid=1000(eliel)
groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),108(lpadmin),109(admin),115(netdev),117(powerdev),1000(eliel)
Then, I have enable command 'stop now' for user 'eliel' on the
permissions.conf file and:
eliel*CLI> cli permissions check eliel
cli permissions check Try a permissions config for a user
cli permissions reload Reload CLI permissions config
cli permissions show Show CLI permissions
core set debug channel Enable/disable debugging on a channel
core set {debug|verbose} [off| Set level of debug/verbose chattiness
core set global Set global dialplan variable
module reload Reload configuration
sip show peer Show details on specific SIP peer
stop now Shut down Asterisk immediately
eliel*CLI> ! asterisk -rx "stop now"
eliel*CLI>
Disconnected from Asterisk server
Issue History
Date Modified Username Field Change
======================================================================
10-31-07 08:01 eliel Note Added: 0072792
======================================================================
More information about the asterisk-bugs
mailing list