<p>Friendly Automation <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19644">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span></span><br></pre><div style="white-space:pre-wrap">Approvals:
Friendly Automation: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">manager: prevent file access outside of config dir<br><br>Add live_dangerously flag to manager and use this flag to<br>determine if a configuation file outside of AST_CONFIG_DIR<br>should be read.<br><br>ASTERISK-30176<br><br>Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404<br>---<br>M configs/samples/asterisk.conf.sample<br>A doc/UPGRADE-staging/manager_config_live_dangerously.txt<br>M include/asterisk/manager.h<br>M main/manager.c<br>M main/options.c<br>5 files changed, 85 insertions(+), 4 deletions(-)<br><br></pre>
<pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/asterisk.conf.sample b/configs/samples/asterisk.conf.sample</span><br><span>index b2a4da8..0d0d2a0 100644</span><br><span>--- a/configs/samples/asterisk.conf.sample</span><br><span>+++ b/configs/samples/asterisk.conf.sample</span><br><span>@@ -95,10 +95,13 @@</span><br><span> ; documented in extensions.conf.sample.</span><br><span> ; Default gosub.</span><br><span> ;live_dangerously = no ; Enable the execution of 'dangerous' dialplan</span><br><span style="color: hsl(0, 100%, 40%);">- ; functions from external sources (AMI,</span><br><span style="color: hsl(0, 100%, 40%);">- ; etc.) These functions (such as SHELL) are</span><br><span style="color: hsl(0, 100%, 40%);">- ; considered dangerous because they can allow</span><br><span style="color: hsl(0, 100%, 40%);">- ; privilege escalation.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; functions and configuration file access from</span><br><span style="color: hsl(120, 100%, 40%);">+ ; external sources (AMI, etc.) These functions</span><br><span style="color: hsl(120, 100%, 40%);">+ ; (such as SHELL) are considered dangerous</span><br><span style="color: hsl(120, 100%, 40%);">+ ; because they can allow privilege escalation.</span><br><span style="color: hsl(120, 100%, 40%);">+ ; Configuration files are considered dangerous</span><br><span style="color: hsl(120, 100%, 40%);">+ ; if they exist outside of the Asterisk</span><br><span style="color: hsl(120, 100%, 40%);">+ ; configuration directory.</span><br><span> ; Default no</span><br><span> ;entityid=00:11:22:33:44:55 ; Entity ID.</span><br><span> ; This is in the form of a MAC address.</span><br><span>diff --git a/doc/UPGRADE-staging/manager_config_live_dangerously.txt b/doc/UPGRADE-staging/manager_config_live_dangerously.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..56f39f9</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/manager_config_live_dangerously.txt</span><br><span>@@ -0,0 +1,8 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: AMI (Asterisk Manager Interface)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Previously, GetConfig and UpdateConfig were able to access files outside of</span><br><span style="color: hsl(120, 100%, 40%);">+the Asterisk configuration directory. Now this access is put behind the</span><br><span style="color: hsl(120, 100%, 40%);">+live_dangerously configuration option in asterisk.conf, which is disabled by</span><br><span style="color: hsl(120, 100%, 40%);">+default. If access to configuration files outside of the Asterisk configuation</span><br><span style="color: hsl(120, 100%, 40%);">+directory is required via AMI, then the live_dangerously configuration option</span><br><span style="color: hsl(120, 100%, 40%);">+must be set to yes.</span><br><span>diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h</span><br><span>index 72aab5e..5e791bf 100644</span><br><span>--- a/include/asterisk/manager.h</span><br><span>+++ b/include/asterisk/manager.h</span><br><span>@@ -350,6 +350,18 @@</span><br><span> */</span><br><span> void astman_send_list_complete_end(struct mansession *s);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Enable/disable the inclusion of 'dangerous' configurations outside</span><br><span style="color: hsl(120, 100%, 40%);">+ * of the ast_config_AST_CONFIG_DIR</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This function can globally enable/disable the loading of configuration files</span><br><span style="color: hsl(120, 100%, 40%);">+ * outside of ast_config_AST_CONFIG_DIR.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * \param new_live_dangerously If true, enable the access of files outside</span><br><span style="color: hsl(120, 100%, 40%);">+ * ast_config_AST_CONFIG_DIR from astman.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void astman_live_dangerously(int new_live_dangerously);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> void __attribute__((format(printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...);</span><br><span> </span><br><span> /*! \brief Determine if a manager session ident is authenticated */</span><br><span>diff --git a/main/manager.c b/main/manager.c</span><br><span>index 496e5c1..fc65a33 100644</span><br><span>--- a/main/manager.c</span><br><span>+++ b/main/manager.c</span><br><span>@@ -1491,6 +1491,11 @@</span><br><span> /*! \brief The \ref stasis_subscription for forwarding the Security topic to the AMI topic */</span><br><span> static struct stasis_forward *security_topic_forwarder;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Set to true (non-zero) to globally allow all dangerous AMI actions to run</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+static int live_dangerously;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> #ifdef TEST_FRAMEWORK</span><br><span> /*! \brief The \ref stasis_subscription for forwarding the Test topic to the AMI topic */</span><br><span> static struct stasis_forward *test_suite_forwarder;</span><br><span>@@ -3610,6 +3615,29 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+void astman_live_dangerously(int new_live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (new_live_dangerously && !live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_WARNING, "Manager Configuration load protection disabled.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!new_live_dangerously && live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_log(LOG_NOTICE, "Manager Configuration load protection enabled.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ live_dangerously = new_live_dangerously;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static int restrictedFile(const char *filename)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!live_dangerously && !strncasecmp(filename, "/", 1) &&</span><br><span style="color: hsl(120, 100%, 40%);">+ strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int action_getconfig(struct mansession *s, const struct message *m)</span><br><span> {</span><br><span> struct ast_config *cfg;</span><br><span>@@ -3628,6 +3656,11 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (restrictedFile(fn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> cfg = ast_config_load2(fn, "manager", config_flags);</span><br><span> if (cfg == CONFIG_STATUS_FILEMISSING) {</span><br><span> astman_send_error(s, m, "Config file not found");</span><br><span>@@ -3755,6 +3788,11 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (restrictedFile(fn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {</span><br><span> astman_send_error(s, m, "Config file not found");</span><br><span> return 0;</span><br><span>@@ -4106,6 +4144,10 @@</span><br><span> astman_send_error(s, m, "Filename not specified");</span><br><span> return 0;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (restrictedFile(sfn) || restrictedFile(dfn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+ return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> if (!(cfg = ast_config_load2(sfn, "manager", config_flags))) {</span><br><span> astman_send_error(s, m, "Config file not found");</span><br><span> return 0;</span><br><span>diff --git a/main/options.c b/main/options.c</span><br><span>index 07afd79..1507bc6 100644</span><br><span>--- a/main/options.c</span><br><span>+++ b/main/options.c</span><br><span>@@ -476,6 +476,7 @@</span><br><span> }</span><br><span> if (!ast_opt_remote) {</span><br><span> pbx_live_dangerously(live_dangerously);</span><br><span style="color: hsl(120, 100%, 40%);">+ astman_live_dangerously(live_dangerously);</span><br><span> }</span><br><span> </span><br><span> option_debug += option_debug_new;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19644">change 19644</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/19644"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 20 </div>
<div style="display:none"> Gerrit-Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404 </div>
<div style="display:none"> Gerrit-Change-Number: 19644 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-CC: Michael Bradeen <mbradeen@sangoma.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>