[asterisk-dev] Asterisk CLI permissions

Eliel Sardanons eliels at gmail.com
Thu Dec 6 14:54:12 CST 2007


Hello,
There is a patch uploaded to the bugtracker:
http://bugs.digium.com/view.php?id=11123 that was done to implement
permissions in the Asterisk console (CLI). I am trying to get some feedback
about the usage and the configuration, and also testers, if you think this is a
good approach (architecture) to implement permissions.
What I thought about when I implemented this was the "best" way of checking
permissions with the fewest code changes.
1) Why didn't I implement permission checks in the autocompletion or in the
help command?
This was because in many CLI commands, autocompletion is done
inside the CLI command, so it is a big change to start checking permissions
on every CLI command, and I think it will bring many bugs.
2) Why didn't I change the help command to let you see only allowed commands?
This was because CLI commands don't know about permissions and I
didn't want to send the UID of the user that is currently running the
command to the command handler (in this case the 'help' command handler).
3) The configuration is simple enough and lets you manage permissions in the
same way as codecs are allowed and disallowed.
With this patch you solve the problem of sudoers, because Asterisk, like
other Unix commands, lets you jump to the shell (! command), so a sudoer could
do something like this:
sudo /usr/sbin/asterisk -r
then run: ! /bin/bash
and get the same permissions as the running asterisk process; that's why
I started doing this patch. The only needed change is to allow reading and
writing permissions to everyone on the asterisk.ctl socket; this is done with
the asterisk.conf parameter.
All the other things are explained in the permissions.conf.

Thanks in advance.
And waiting for your recommendations, feedback and improvements.

-- 
Eliel Sardañons