Security related stuff for Asterisk Manager<br><br>---------- Forwarded message ----------<br><span class="gmail_quote">From: <b class="gmail_sendername">Brandon Kruse</b> <<a href="mailto:bkruse@digium.com">bkruse@digium.com
</a>><br>Date: May 30, 2007 11:27 PM<br>Subject: Re: [asterisk-gui] "Asterisk GUI" and security suggestions<br>To: Asterisk GUI project discussion <<a href="mailto:asterisk-gui@lists.digium.com">asterisk-gui@lists.digium.com
</a>><br><br></span>First of,<br><br>If it can be done through the GUI, it can be done through manager.<br><br>With manager, you can build contexts like the following pari posted<br>and do an action: originate on port 5038.
<br><br><br>If you give manager logins to people you are not supposed to, or do not<br>practice normal and safe security measurements in doing so ( passwords longer<br>than 4 characters is a start. If asterisk is running as root, only let
<br>root open and view and edit manager.conf )<br><br><br>The basis is, the context can be built anyways, and then execute<br>is the potential penetrator is smart enough.<br><br><br>My two cents, im open for suggestions! Mine was, lets work and figure
<br>out the different permissions available to manager.conf. For example the<br>read, write, execute, command, etc etc.<br><br>-bkruse<br>----- Original Message -----<br>From: "Pari Nannapaneni" <<a href="mailto:pari@digium.com">
pari@digium.com</a>><br>To: "Asterisk GUI project discussion" <<a href="mailto:asterisk-gui@lists.digium.com">asterisk-gui@lists.digium.com</a>><br>Sent: Wednesday, May 30, 2007 1:24:55 PM (GMT-0800) America/Tijuana
<br>Subject: [asterisk-gui] "Asterisk GUI" and security suggestions<br><br>Hi everyone,<br><br>I got comments from a couple of people saying that the way GUI<br>executes system scripts is going to be a security concern.
<br><br>The AsteriskGUI automatically adds the following context if it's not found in extensions.conf<br><br> [asterisk_guitools]<br> exten = executecommand,1,System(${command})<br> exten = executecommand,n,Hangup()
<br><br><br>and the GUI executes commands/scripts on the local machine by sending a GET command like<br> action = originate &<br> channel = Local/executecommand@asterisk_guitools &<br> Variable = "command=sh
whatever.sh" & ....<br><br>So, I am thinking of - adding this context on login into the GUI<br>and removing it onLogout. This is definitely not the solution for the actual<br>problem, but it will prevent the security problems once the system is configured.
<br><br>are there any other ways to improve/replace this in the GUI ?<br><br>-Pari<br>_______________________________________________<br>--Bandwidth and Colocation provided by <a href="http://Easynews.com">Easynews.com</a>
--<br><br>asterisk-gui mailing list<br>To UNSUBSCRIBE or update options visit:<br> <a href="http://lists.digium.com/mailman/listinfo/asterisk-gui">http://lists.digium.com/mailman/listinfo/asterisk-gui</a><br><br>_______________________________________________
<br>--Bandwidth and Colocation provided by <a href="http://Easynews.com">Easynews.com</a> --<br><br>asterisk-gui mailing list<br>To UNSUBSCRIBE or update options visit:<br> <a href="http://lists.digium.com/mailman/listinfo/asterisk-gui">
http://lists.digium.com/mailman/listinfo/asterisk-gui</a><br>