[asterisk-bugs] [AsteriskNOW 0013004]: Default install gives root access without password

noreply at bugs.digium.com noreply at bugs.digium.com
Tue Jul 8 20:57:41 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13004 
====================================================================== 
Reported By:                kactus
Assigned To:                
====================================================================== 
Project:                    AsteriskNOW
Issue ID:                   13004
Category:                   Base OS
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
====================================================================== 
Date Submitted:             07-06-2008 20:01 CDT
Last Modified:              07-08-2008 20:57 CDT
====================================================================== 
Summary:                    Default install gives root access without password
Description: 
Hi everyone, been playing around with asterisk now, one thing I noticed is
that the default install sets the system to boot straight into console
menu. Since this is desirable from the aspect of allowing an end user to
reboot the system if required, it’s understandable.

However from here you can jump straight into the asterisk console running
as root. This allows you to execute system commands (using the !) on the
baseOS to stop and start services, overwrite files, and generally run
amuck. 

Creating a folder and checking the permissions confirms that the owner is
root.

Can we see in a future release the ability to possibly mimic su behaviour so
that using the ! requires the password or better still run the system in
something akin to a FreeBSD jail?

I know it probably isn't too high a priority but unfortunately since we
support many clients who "like to tinker" the last thing we would want is
for them to create more work for us. We run an all you can eat, per seat
monthly fee, support model so being able to lock users out of where they
don't need to be is beneficial.

Thanks - Kactus

====================================================================== 

---------------------------------------------------------------------- 
 kactus - 07-08-08 20:57  
---------------------------------------------------------------------- 
Hi J4m3s

Yeah I know if they have physical access that they could single boot it or
use a live CD to run amuck. That involves bringing the box down though and
users generally are not that malicious/brave. 

Unfortunately they do sometimes think they know better than the tech
support they hire, and we have had issues with users opening up boxes to
the internet by installing things that should not be there and then not
conforming to basic password common sense. We unfortunately get the blame
for this when their box becomes compromised and turns into a webserver for
phishing sites/spam server etc. 

It's a user education issue I know, but it's always nice to lock the door to
a house even if there's a large window right next to it :)

It was just a thought. Cheers - Kactus 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-08-08 20:57  kactus         Note Added: 0089924                          
======================================================================



