[asterisk-bugs] [AsteriskNOW 0013004]: Default install gives root access without password

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Jul 24 22:37:07 CDT 2008


The following issue has been ASSIGNED. 
====================================================================== 
http://bugs.digium.com/view.php?id=13004 
====================================================================== 
Reported By:                kactus
Assigned To:                bkruse
====================================================================== 
Project:                    AsteriskNOW
Issue ID:                   13004
Category:                   Base OS
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             2008-07-06 20:01 CDT
Last Modified:              2008-07-24 22:37 CDT
====================================================================== 
Summary:                    Default install gives root access without password
Description: 
Hi everyone, been playing around with asterisk now, one thing I noticed is
that the default install sets the system to boot straight into console
menu. Since this is desirable from the aspect of allowing an end user to
reboot the system if required, it’s understandable.

However, from here you can jump straight into the Asterisk console running
as root. This allows you to execute system commands (using the !) on the
base OS to stop and start services, overwrite files, and generally run
amuck.

Creating a folder and checking the permissions confirms that the owner is
root.

Can we see in a future release the ability to possibly mimic su behaviour so
that using the ! requires the password or, better still, run the system in
something akin to a FreeBSD jail?

I know it probably isn't too high a priority but unfortunately since we
support many clients who "like to tinker" the last thing we would want is
for them to create more work for us. We run an all you can eat, per seat
monthly fee, support model so being able to lock users out of where they
don't need to be is beneficial.

Thanks - Kactus

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-07-24 22:37 bkruse         Status                   new => assigned     
2008-07-24 22:37 bkruse         Assigned To               => bkruse          
======================================================================



