[asterisk-gui] "Asterisk GUI" and security suggestions

voiceroute mailing voiceroutelist at gmail.com
Fri Jun 8 19:26:37 MST 2007


Security related stuff for Asterisk Manager

---------- Forwarded message ----------
From: Brandon Kruse <bkruse at digium.com>
Date: May 30, 2007 11:27 PM
Subject: Re: [asterisk-gui] "Asterisk GUI" and security suggestions
To: Asterisk GUI project discussion <asterisk-gui at lists.digium.com>

First off,

If it can be done through the GUI, it can be done through manager.

With manager, you can build contexts like the following Pari posted
and do an action: originate on port 5038.


If you give manager logins to people you are not supposed to, or do not
practice normal and safe security measurements in doing so (passwords
longer than 4 characters is a start. If Asterisk is running as root, only
let root open and view and edit manager.conf)


The basis is, the context can be built anyways, and then execute
if the potential penetrator is smart enough.


My two cents, I'm open for suggestions! Mine was, let's work and figure
out the different permissions available to manager.conf. For example the
read, write, execute, command, etc.

-bkruse
----- Original Message -----
From: "Pari Nannapaneni" <pari at digium.com>
To: "Asterisk GUI project discussion" <asterisk-gui at lists.digium.com>
Sent: Wednesday, May 30, 2007 1:24:55 PM (GMT-0800) America/Tijuana
Subject: [asterisk-gui] "Asterisk GUI" and security suggestions

Hi everyone,

I got comments from a couple of people saying that the way GUI
executes system scripts is going to be a security concern.

The AsteriskGUI automatically adds the following context if it's not found
in extensions.conf

   [asterisk_guitools]
   exten = executecommand,1,System(${command})
   exten = executecommand,n,Hangup()


and the GUI executes commands/scripts on the local machine by sending a GET
command like
   action = originate &
   channel = Local/executecommand@asterisk_guitools &
   Variable = "command=sh whatever.sh" & ....

So, I am thinking of adding this context on login into the GUI
and removing it onLogout. This is definitely not the solution for the actual
problem, but it will prevent the security problems once the system is
configured.

Are there any other ways to improve/replace this in the GUI?

-Pari
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-gui mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-gui
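
An added example, not from the thread or the Asterisk GUI project: a small Python audit for the two conditions discussed above, a manager account with a short secret or powerful write classes, and a dialplan context that hands a channel variable to System(). The sample configs, the 12-character threshold and the RISKY_WRITE set are assumptions made for illustration.

```python
import re

# Constructed sample configs (not taken from a real system).
MANAGER_CONF = """\
[general]
[gui]
secret = 1234
write = system,call,command,config
[monitor]
secret = Xk29-long-constructed-secret
read = log,verbose
"""
EXTENSIONS_CONF = """\
[asterisk_guitools]
exten = executecommand,1,System(${command})
exten = executecommand,n,Hangup()
"""
# Assumed set of risky write classes; which ones allow Originate varies by version.
RISKY_WRITE = {"all", "call", "originate", "system", "command", "config"}

def sections(text):
    """Parse ini-style text into {section: [(key, value), ...]}."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if line.startswith("[") and "]" in line:
            cur = out.setdefault(line[1:line.index("]")], [])
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur.append((k.strip().lower(), v.lstrip(">").strip()))
    return out

def audit(manager_text, dialplan_text, min_secret=12):
    """Return (section, finding) pairs; min_secret is an assumed threshold."""
    findings = []
    for user, kv in sections(manager_text).items():
        opts = dict(kv)
        if user == "general":
            continue
        if len(opts.get("secret", "")) < min_secret:
            findings.append((user, "short-secret"))
        risky = RISKY_WRITE & {c.strip() for c in opts.get("write", "").split(",")}
        if risky:
            findings.append((user, "risky-write:" + ",".join(sorted(risky))))
    for ctx, kv in sections(dialplan_text).items():
        # A channel variable passed straight to System() is shell input.
        if any(k == "exten" and re.search(r"System\([^)]*\$\{", v) for k, v in kv):
            findings.append((ctx, "system-with-variable"))
    return findings
```

A context flagged as system-with-variable matters most when some account is also flagged risky-write, since that pairing is what lets a manager login reach a shell.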
