[asterisk-gui] "Asterisk GUI" and security suggestions

Brandon Kruse bkruse at digium.com
Wed May 30 20:27:40 MST 2007


First off,

If it can be done through the GUI, it can be done through manager.

With manager, you can build contexts like the following Pari posted
and do an action: originate on port 5038.


If you give manager logins to people you are not supposed to, or do not
practice normal and safe security measurements in doing so (passwords longer
than 4 characters is a start. If asterisk is running as root, only let
root open and view and edit manager.conf)


The basis is, the context can be built anyways, and then executed
if the potential penetrator is smart enough.


My two cents, I'm open for suggestions! Mine was, let's work and figure
out the different permissions available to manager.conf. For example the
read, write, execute, command, etc etc.

-bkruse 
----- Original Message -----
From: "Pari Nannapaneni" <pari at digium.com>
To: "Asterisk GUI project discussion" <asterisk-gui at lists.digium.com>
Sent: Wednesday, May 30, 2007 1:24:55 PM (GMT-0800) America/Tijuana
Subject: [asterisk-gui] "Asterisk GUI" and security suggestions

Hi everyone,

I got comments from a couple of people saying that the way GUI
executes system scripts is going to be a security concern.

The AsteriskGUI automatically adds the following context if it's not found in extensions.conf

   [asterisk_guitools]
   exten = executecommand,1,System(${command})
   exten = executecommand,n,Hangup()


and the GUI executes commands/scripts on the local machine by sending a GET command like
   action = originate &
   channel = Local/executecommand at asterisk_guitools &
   Variable = "command=sh whatever.sh" & ....

So, I am thinking of adding this context on login into the GUI
and removing it on logout. This is definitely not the solution for the actual
problem, but it will prevent the security problems once the system is configured.

Are there any other ways to improve/replace this in the GUI?

-Pari
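As an added example (not code from this thread or from the Asterisk GUI project), here is a small Python audit that parses Asterisk-style config files and flags the two things the thread discusses: dialplan contexts that hand a channel variable straight to System(), and manager.conf logins whose secret is 4 characters or shorter or whose write classes amount to shell access while such a context exists. The sample configs and the SENSITIVE_WRITE set are constructed assumptions, not taken from any real system.

```python
import re

# Constructed sample manager.conf (not from any real system): a weak GUI login beside a tighter one.
SAMPLE_MANAGER_CONF = """\
[gui]
secret = gui
write = system,call,log,verbose,command,agent,user,config
[monitor]
secret = Lq7#vN9pR2wX
read = call
write =
"""
# Constructed sample extensions.conf containing the context quoted in the thread.
SAMPLE_EXTENSIONS_CONF = """\
[asterisk_guitools]
exten = executecommand,1,System(${command})
exten = executecommand,n,Hangup()
"""
# Assumption: with a System(${var}) context reachable, these manager write classes amount to shell access.
SENSITIVE_WRITE = {"system", "command", "call"}

def parse_asterisk_conf(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}; duplicate keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and surrounding whitespace
        m = re.match(r"^\[([^\]]+)\]$", line)
        kv = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)  # accepts both 'key = v' and 'key => v'
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif kv and current is not None:
            sections[current].append((kv.group(1), kv.group(2)))
    return sections

def find_system_contexts(extensions_conf):  # contexts feeding a channel variable into System()
    return sorted(name for name, items in parse_asterisk_conf(extensions_conf).items()
                  if any(k == "exten" and re.search(r"System\(\$\{", v) for k, v in items))

def audit_manager_conf(manager_conf, min_secret_len=4):  # returns (user, finding) pairs
    findings = []
    for user, items in parse_asterisk_conf(manager_conf).items():
        secret = next((v for k, v in items if k == "secret"), "")
        if len(secret) <= min_secret_len:
            findings.append((user, "secret not longer than %d characters" % min_secret_len))
        write = {p.strip() for k, v in items if k == "write" for p in v.split(",")} - {""}
        if write & SENSITIVE_WRITE:
            findings.append((user, "shell-equivalent write classes: " + ",".join(sorted(write & SENSITIVE_WRITE))))
    return findings
```

Run against the real /etc/asterisk/manager.conf and extensions.conf, any login flagged on both counts should be treated as a root-equivalent credential until the context is removed or the write classes are cut down.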