[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Matthew Jordan mjordan at digium.com
Tue Sep 4 10:35:08 CDT 2012


----- Original Message -----
> From: "Tilghman Lesher" <tilghman at meg.abyt.es>
> To: "Asterisk Developers Mailing List" <asterisk-dev at lists.digium.com>
> Sent: Monday, September 3, 2012 7:12:18 PM
> Subject: Re: [asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]
> 
> Not sure why you'd think that.  When you originate with an
> application, the channel hangs up when that application exits.  Since
> all Goto really does is to set a few channel struct elements, it exits
> quickly and the channel hangs up.  For it to do more, it would need to
> follow a dialplan.

Momentary lapse of sanity on my part?

> > There is at least still one way I can think of to cause a permission
> > escalation with a limited context.  I would guess that there are more.  As
> > discussing specifics on a public mailing list would be a bad idea, if people
> > are interested, I can create a restricted JIRA issue to discuss it in further
> > depth.
> 
> I'm quite interested.  As I said in the other message, this is
> critical functionality for a lot of people so just resigning to the
> idea that originate needs system permission is not a good solution.
> 

Restricted access issue: ASTERISK-20358.

If you have commit access you should be able to see that issue.

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org


