[asterisk-dev] [Code Review] 3969: Manager: FullyBooted events are sent to AMI users that log in even if they don't have system level read permission.

Corey Farrell reviewboard at asterisk.org
Wed Sep 3 18:47:59 CDT 2014


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/3969/#review13228
-----------------------------------------------------------


I don't think FullyBooted should be a security restricted event.  This will not affect me personally since I use read=all, but the FullyBooted event is used by AMI clients to determine that Asterisk is ready to receive actions (that's how I use it).  Changing the security level on released branches seems to me like a breaking change.  The idea that any user logged into AMI can know when the system is fully booted does not seem like any security risk to me.  As for the inconsistency, my vote would be to change the security flag in main/asterisk.c to 0 for this event, that way all AMI users receive the event so they know Asterisk is ready to do stuff.

- Corey Farrell


On Sept. 3, 2014, 6:15 p.m., Jonathan Rose wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/3969/
> -----------------------------------------------------------
> 
> (Updated Sept. 3, 2014, 6:15 p.m.)
> 
> 
> Review request for Asterisk Developers and Matt Jordan.
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Apparently instead of using the readperm mask, it was using the send_events mask... which is somewhat weird.  It's initialized to -1 (which will return true when used with bitwise and on EVENT_FLAG_SYSTEM) and this is where the odd behavior came from.
> 
> I think this was just a mistake and switching to the readperm mask appears to have fixed it.
> 
> 
> Diffs
> -----
> 
>   /branches/1.8/main/manager.c 422543 
> 
> Diff: https://reviewboard.asterisk.org/r/3969/diff/
> 
> 
> Testing
> -------
> 
> Ran through the login process with and without the system read permission.  With it, I got the FullyBooted event. Without it, I did not.
> 
> 
> Thanks,
> 
> Jonathan Rose
> 
>
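
The mask mix-up described in the review request above, modelled as an added C example that is not part of the original thread or of Asterisk's source. The struct, the function names and the numeric flag values are assumptions; only the names readperm, send_events and EVENT_FLAG_SYSTEM come from the thread.

```c
#include <stdio.h>

/* Assumed bit values for illustration; the thread gives only the flag name. */
#define EVENT_FLAG_SYSTEM (1 << 0)
#define EVENT_FLAG_CALL   (1 << 1)

/* Hypothetical session model holding the two masks named in the thread. */
struct ami_session {
    const char *user;
    int readperm;    /* read classes granted to this user */
    int send_events; /* event filter, initialized to -1 (all bits set) */
};

/* Check as described before the change: consults send_events.
 * With send_events == -1, ANDing with any flag is non-zero. */
static int fully_booted_before(const struct ami_session *s)
{
    return (s->send_events & EVENT_FLAG_SYSTEM) != 0;
}

/* Check as described after the change: consults readperm. */
static int fully_booted_after(const struct ami_session *s)
{
    return (s->readperm & EVENT_FLAG_SYSTEM) != 0;
}

int main(void)
{
    /* Constructed users: one without and one with system read permission. */
    struct ami_session sessions[] = {
        { "call_only",     EVENT_FLAG_CALL,                     -1 },
        { "system_reader", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, -1 },
    };
    size_t i;

    for (i = 0; i < sizeof(sessions) / sizeof(sessions[0]); i++) {
        printf("%-14s before=%d after=%d\n", sessions[i].user,
               fully_booted_before(&sessions[i]),
               fully_booted_after(&sessions[i]));
    }
    return 0;
}
```

The "after" column is also what an AMI client without system read permission would see on a released branch, which is the compatibility concern raised in the reply.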
