[asterisk-bugs] [AsteriskNOW 0013004]: Default install gives root access without password

noreply at bugs.digium.com
Tue Jul 8 15:14:23 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13004 
====================================================================== 
Reported By:                kactus
Assigned To:                
====================================================================== 
Project:                    AsteriskNOW
Issue ID:                   13004
Category:                   Base OS
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
====================================================================== 
Date Submitted:             07-06-2008 20:01 CDT
Last Modified:              07-08-2008 15:14 CDT
====================================================================== 
Summary:                    Default install gives root access without password
Description: 
Hi everyone, been playing around with AsteriskNOW, one thing I noticed is
that the default install sets the system to boot straight into console
menu. Since this is desirable from the aspect of allowing an end user to
reboot the system if required, it’s understandable.

However, from here you can jump straight into the asterisk console running
as root. This allows you to execute system commands (using the !) on the
baseOS to stop and start services, overwrite files, and generally run
amuck. 

Creating a folder and checking the permissions confirms that the owner is
root.

Can we see in a future release the ability to possibly mimic su behaviour so
that using the ! requires the password or better still run the system in
something akin to a FreeBSD jail?

I know it probably isn't too high a priority but unfortunately since we
support many clients who "like to tinker" the last thing we would want is
for them to create more work for us. We run an all you can eat, per seat
monthly fee, support model so being able to lock users out of where they
don't need to be is beneficial.

Thanks - Kactus

====================================================================== 

---------------------------------------------------------------------- 
 j4m3s - 07-08-08 15:14  
---------------------------------------------------------------------- 
Unfortunately, if you are running asterisk as root, then you are providing
anyone with root level access, due to the asterisk console running on
terminal 9. We could prevent asterisk from running on terminal 9 (requires
change to the asterisk service init scripts).

Additionally, if you have physical access to the machine there's little
you can do to prevent someone from getting root level access to the system. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-08-08 15:14  j4m3s          Note Added: 0089904                          
======================================================================
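
Added example (not part of the original bug report or of the AsteriskNOW project's code): a shell check for the condition described in the note above, an Asterisk process running as root with its console attached to a terminal. The process listing is constructed sample data, and the function names and severity labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag Asterisk processes that run as root and/or own a terminal.
# Input format: one process per line, "USER TTY ARGS...", as produced by
#   ps -e -o user= -o tty= -o args=

audit_asterisk_ps() {
    # Reads ps lines on stdin; prints one finding per risky asterisk process.
    awk '
    {
        user = $1; tty = $2
        # Rebuild the full command line from field 3 onward.
        cmd = $3
        for (i = 4; i <= NF; i++) cmd = cmd " " $i
        # Match only the asterisk binary itself, not wrapper scripts or greps.
        n = split($3, parts, "/")
        if (parts[n] != "asterisk") next
        is_root = (user == "root" || user == "0")
        has_tty = (tty != "?" && tty != "??" && tty != "-")
        if (is_root && has_tty)
            printf "CRITICAL root console on %s: %s\n", tty, cmd
        else if (is_root)
            printf "WARN runs as root (no tty): %s\n", cmd
        else if (has_tty)
            printf "INFO console on %s as %s: %s\n", tty, user, cmd
    }'
}

# Constructed sample listing (not captured from a real system).
SAMPLE_PS='root tty9 /usr/sbin/asterisk -vvvg -c
root ? /usr/sbin/asterisk -f
asterisk ? /usr/sbin/asterisk -U asterisk -G asterisk
root ? /bin/sh /usr/local/bin/wrapper-script
admin pts/0 grep asterisk'

audit_sample() { printf '%s\n' "$SAMPLE_PS" | audit_asterisk_ps; }

# On a live host: ps -e -o user= -o tty= -o args= | audit_asterisk_ps
audit_sample
```

A process started with Asterisk's `-U`/`-G` options (run as a non-root user and group) and no terminal produces no finding, which is the state the audit is looking for.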