[asterisk-dev] security model of the manager interface

Tim Panton tim at mexuar.com
Sat Apr 21 00:28:39 MST 2007

On 21 Apr 2007, at 02:22, Tzafrir Cohen wrote:

> On Sat, Apr 21, 2007 at 03:03:14AM +0200, Stefan Reuter wrote:
>> Tzafrir Cohen wrote:
>>> I was trying to think about the security model of the asterisk-gui, and
>>> quickly realised that it generally gives any user who has been granted
>>> manager interface access full control of Asterisk.
>>> Then I realised that with the current granularity of permissions in the
>>> manager interface, whoever has either the "config" permission or the
>>> "call" write permission has practically full control of Asterisk.
>> [...]
>>> Either we need to take a good look at the permissions to manager
>>> interface operations, or we need to move this to a separate proxy.
>> I've discussed this kind of domain-object security (i.e. access to calls
>> but only if channel matches some pattern) with the AstManProxy guy a
>> year ago or so but without any result.
>> If you think things through, implementing something like this in a
>> generic proxy is a very tough challenge (think of Local channels,
>> channel renaming, forwarding of calls and so on).
> I'm not really afraid of breaking the manager interface if that is what
> it takes. It better have a good reason, but still...
>> My conclusion from that discussion was simply to never directly expose
>> the Manager API to any application you don't have full control over or
>> that is run in an untrusted environment or by an untrusted user.
>> My solution for day-to-day projects is to use a special application that
>> exposed "business" services with proper access control through a
>> remoting API (JMS for Java applications, XML over HTTP and plain HTTP
>> POST/GET for other types of application).
>> That special application does not offer the full range of features the
>> Manager API has to offer but a useful abstract subset for things like
>> "place call", "get status", etc.
> So we end up with a set of such application-specific wrappers. Half of
> them at least would be implemented badly.

Mark said a few words about this at astricon last year.

At the moment you have to use a proxy - say apache
and then do the permissioning there.

I asked about centralizing such a proxy, but Mark felt there
are better ways to solve the problem.

He was talking about the idea of granting permissions to template
manager actions.
So you would create a LongDistanceToLocalUserOriginate
action which would take 2 phone numbers (local and remote), validate
them (perhaps against the invoking userid too), then if all was well
apply the template transform and create a suitable manager action.

(I'm probably not doing this justice, but it's months ago).

Tim Panton

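The "template manager action" Tim describes, sketched as an added example (not code from this thread, from Asterisk or from the asterisk-gui): the caller supplies only a user id and two numbers, the template validates them against a policy and renders a fixed AMI Originate request, so nobody with access to this action can set arbitrary Originate headers or reach another user's extension. The user-to-extension mapping, the number patterns, the SIP channel technology and the context name are all assumptions constructed for the example.

```python
import re

# Constructed example data: which manager user owns which local extensions.
USER_EXTENSIONS = {
    "alice": {"101", "102"},
    "bob": {"201"},
}
# Constructed policy (assumptions for this example): local extensions are
# three digits; remote numbers are 10- or 11-digit North American numbers.
LOCAL_RE = re.compile(r"^[1-9]\d{2}$")
REMOTE_RE = re.compile(r"^1?[2-9]\d{9}$")
# AMI frames are CRLF-delimited "Key: Value" headers, so a CR or LF inside a
# parameter could smuggle an extra header into the action; reject outright.
FORBIDDEN = re.compile(r"[\r\n]")


class PolicyError(ValueError):
    """Raised when a request does not satisfy the template's policy."""


def long_distance_to_local_user_originate(user, local, remote):
    """Template action: validate (user, local, remote), then render a fixed
    AMI Originate frame. Only Channel, Exten and CallerID vary; Context and
    Priority are pinned, and the caller never supplies raw AMI headers."""
    for value in (user, local, remote):
        if FORBIDDEN.search(value):
            raise PolicyError("control characters in parameter")
    if not LOCAL_RE.match(local):
        raise PolicyError(f"bad local extension: {local!r}")
    if not REMOTE_RE.match(remote):
        raise PolicyError(f"remote number not permitted: {remote!r}")
    # The invoking user may only originate from extensions it owns.
    if local not in USER_EXTENSIONS.get(user, set()):
        raise PolicyError(f"user {user!r} may not originate from {local!r}")
    # Fixed template; channel technology and context name are assumptions.
    headers = [
        ("Action", "Originate"),
        ("Channel", f"SIP/{local}"),
        ("Exten", remote),
        ("Context", "outbound-longdistance"),
        ("Priority", "1"),
        ("CallerID", local),
        ("Timeout", "30000"),
    ]
    return "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"
```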
