[asterisk-dev] Implementing asterisk CLI permissions, feedback needed

Eliel Sardañons eliels at gmail.com
Tue Jul 15 09:24:28 CDT 2008



Eliel

On 15/07/2008, at 03:58, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:

> Hi
>
> First off, thanks for that patch. Looks very interesting.
>
> On Tue, Jul 15, 2008 at 12:29:23AM -0300, Eliel Sardañons wrote:
>> Hello,
>>    I start coding a patch to add permissions to run certain CLI
>> commands and prevent others to being executed by particular
>> users/groups.
>> The credentials of the user/group that runs the CLI commands are  
>> being
>> passed via the local socket (using SCM_CREDENTIALS, POSIX  
>> compatible),
>> the user and group being passed to the asterisk server are the owners
>> of the rasterisk process. The configuration file is permissions.conf,
>> having a '[user]' for the user and a [@group] for the group defining
>> inside the 'sections' the permitted and denied commands. For example:
>>
>> [eliel]
>> deny=all
>> permit=sip
>> permit=iax
>>
>> With this permissions, the user 'eliel' will only be able to run
>> 'sip*' and 'iax*' commands, so 'sip show peers' will be allowed.
>
> What would happen if I ommited "deny=all"? Default is to allow all
> commands? (makes sense. Defualt is that the user is not listed in the
> file).
>
There is a general section with a default value. In the  
permissions.conf file

> You always allow completion commands. Hence every user in the system  
> can
> see the help messages. I guess this is normally OK, as they are also
> normally available with strings. But I don't understand the uid/gid
> check in that line:
>
>  if ((uid < 0 && gid < 0) || command[0] == '_') return 1;
>
This is only cause i wasn't sure that SCM_Credentials was available in  
every enviroment supported by asterisk, was for compatibility if no  
credentials were passed allow all. I think must be removed and on  
error denied every command. We could stay with this option and  
deprecate it in a next release to give some time to modify asterisk  
CLI clients. (??)

> What might cause such (invalid?) uid/gid?
>
> Are there plans to add other '_' commands?
I don't think so, at least at this
Moment..


Thanks!
>
> -- 
>               Tzafrir Cohen
> icq#16849755              jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406           mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> AstriCon 2008 - September 22 - 25 Phoenix, Arizona
> Register Now: http://www.astricon.net
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-dev



More information about the asterisk-dev mailing list