[asterisk-dev] security model of the manager interface
Tim Panton
tim at mexuar.com
Sat Apr 21 00:28:39 MST 2007
On 21 Apr 2007, at 02:22, Tzafrir Cohen wrote:
> On Sat, Apr 21, 2007 at 03:03:14AM +0200, Stefan Reuter wrote:
>> Tzafrir Cohen wrote:
>>> I was trying to think about the security model of the asterisk-
>>> gui, and
>>> quickly realised that it generally gives any user who has been
>>> granted
>>> manager interface access full control of Asterisk.
>>>
>>> Then I realised that with the current granularity of permissions
>>> in the
>>> manager interface, whoever has either the "config" permission or the
>>> "call" write permission has practically full control of Asterisk.
>> [...]
>>> Either we need to take a good look at the permissions to manager
>>> interface operations, or we need to move this to a separate proxy.
>>
>> I've discussed this kind of domain-object security (i.e. access to
>> calls
>> but only if channel matches some pattern) with the AstManProxy guy a
>> year ago or so but without any result.
>> If you thing things through implementing something like this in a
>> generic proxy is a very tough challenge (think of Local channels,
>> channel renaming, forwarding of calls and so on).
>
> I'm not really afraid of breaking the manager interface if that is
> what
> it takes. It better have a good reason, but still...
>
>>
>> My conclusion from that discussion was simply to never directly
>> expose
>> the Manager API to any application you don't have full control
>> over or
>> that is run in an untrusted environment or by an untrusted user.
>>
>> My solution for day-to-day projects is to use a special
>> application that
>> exposed "business" services with proper access control through a
>> remoting API (JMS for Java applications, XML over HTTP and plain HTTP
>> POST/GET for other types of application).
>> That special application does not offer the full range of features
>> the
>> Manager API has to offer but a useful abstract subset for things like
>> "place call", "get status", etc.
>
> So we end up with a set of such application-specific wrappers. Half of
> them at least would be implemented badly.
>
Mark said a few words about this at astricon last year.
At the moment you have to use a proxy - say apache
and then do the permissioning there.
I asked about centralizing such a proxy, but Mark felt there
are better ways to solve the problem.
He was talking about the idea of granting permissions to template
manger actions.
So you would create a LongDistanceToLocalUserOriginate
action which would take 2 phone numbers (local and remote) validate
them (perhaps against the invoking userid too), then if all was well
apply the template transform and create a suitable manager action.
(I'm probably not doing this justice, but it's months ago).
Tim Panton
www.mexuar.net
www.westhawk.co.uk/
More information about the asterisk-dev
mailing list