[Asterisk-Users] HELP NEEDED! - Asterisk GUI

Hecken, Guido guido.hecken at gwsnettech.de
Fri Feb 25 09:55:13 MST 2005


You're right, there are some security issues using sudoers
and system commands.
If the asterisk server is reachable from the outside over http or other
insecure protocols, it would be really dangerous.
But in a trusty intranet-environment, where firewalls block every attempt
to access the asterisk server from the outside, this "solution" should be
safe enough, even if nothing is really safe enough ;-) .
If administrative access to any remote asterisk server is needed, one could
use vpn etc. to achieve secure connections.
Wouldn't this be sufficient?

>Consider using su-exec (and php in cgi) to run the configuration
>interface as the user asterisk or a special user.
Another idea:
Why not give apache the right to execute only one shell command in
sudoers?
Something like
apache CMD=(asterisk -r -x 'restart now')
could do the job.

Guido Hecken


> -----Original Message-----
> From: Tzafrir Cohen [mailto:tzafrir at cohens.org.il]
> Sent: Friday, 25 February 2005 16:25
> To: asterisk-users at lists.digium.com
> Subject: Re: [Asterisk-Users] HELP NEEDED! - Asterisk GUI
> 
> Hi
> 
> On Thu, Feb 24, 2005 at 11:41:41AM +0100, Hecken, Guido wrote:
> > >Secondly, is the statement no.2 a line I need to change in a given file?
> > You have to change/verify some settings in phpconfig_init.php .
> > Look for fakeuser=admin.
> > Set $reset_cmd = "./asterisk.reload";
> > Be sure the script has write access in /etc/asterisk
> > Have something in your sudoers file (/etc/sudoers) like
> > apache ALL=(ALL)        NOPASSWD: ALL
> 
> Why not simply run apache as root and be done with that?
> 
> Adding the following line to sudoers makes apache root-equivalent. Any
> attacker that is able to compromise apache gets your whole server.
> 
> > to allow apache to execute system commands like asterisk -r -x 'restart now'
> >
> > Another important file is the manager.conf in /etc/asterisk
> > [general]
> > enabled = yes
> > port = 5038
> > bindaddr = 0.0.0.0
> >
> > [admin]
> > secret = secret
> > permit = 192.168.0.0/255.255.255.0
> > read = system,call,log,verbose,command,agent,user
> > write = system,call,log,verbose,command,agent,user
> >
> > With these settings enabled, it should work.
> > Be aware, this is not a secure solution since allowing apache to execute
> > system-commands, and using the asterisk-web-dir (/var/www/html/asterisk)
> > without any further security actions like .htaccess file should only be used
> > in trusted environments like intranets.
> 
> Furthermore: anyone who can add arbitrary entries to your dialplan can
> use System to make apache run an arbitrary command. If you run asterisk
> as root (which you shouldn't) this gives the attacker convenient root
> shell access. If not: it will only give the attacker the opportunity to
> run an arbitrary command as the asterisk user.
> 
> If you want to edit an arbitrary config file, use ssh. It is a
> well-tested, well understood and well-supported environment. Either edit
> directly from the shell (you can't really beat vim ;-) ), or use an
> external X server and a more comfortable editor, or simply edit files
> via sftp.
> 
> > We can live with these restrictions. In the meanwhile we're testing and
> > evaluating the complete asterisk configuration from within mysql.
> 
> Not much better, security-wise. I figure that the password to a mysql
> account with ability to write to the config (and specifically to the
> dialplan) will be available in a certain location. So apache still has
> the ability to change the dialplan.
> 
> Consider using su-exec (and php in cgi) to run the configuration
> interface as the user asterisk or a special user.
> 
> --
> Tzafrir Cohen         | New signature for new address and  |  VIM is
> http://tzafrir.org.il | new homepage                       | a Mutt's
> tzafrir at cohens.org.il |                                    |  best
> ICQ# 16849755         | Space reserved for other protocols | friend
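Guido's `apache CMD=(asterisk -r -x 'restart now')` leaves out the host and runas fields a sudoers entry needs; the following added shell script (not from the thread) shows the full form of such a restricted rule beside the root-equivalent `apache ALL=(ALL) NOPASSWD: ALL` quoted above, plus a small audit that flags rules granting ALL to the web server user. It assumes the placeholders `apache` for the web server account and `/usr/sbin/asterisk` for the binary.

```shell
#!/bin/sh
# Added example, not from the thread: the root-equivalent sudoers rule quoted
# above next to a rule restricted to the one Asterisk reload command, plus a
# small audit that flags rules granting ALL to the web server user.
# Assumed placeholders: the web server runs as "apache" and the binary is
# /usr/sbin/asterisk; adjust both for your installation.

# Rule from the thread: apache may run ANY command as ANY user, no password.
WEAK_RULE='apache ALL=(ALL)        NOPASSWD: ALL'

# Restricted rule: one absolute path, fixed arguments, only as user asterisk.
# sudo matches the space-joined argument string, so the GUI's
#   asterisk -r -x 'restart now'
# matches exactly this entry and nothing else (no shell, no other -x command).
SAFE_RULE='apache ALL=(asterisk) NOPASSWD: /usr/sbin/asterisk -r -x restart now'

# audit_sudoers FILE USER: print "unsafe" if any non-comment rule for USER
# names ALL as the runas user or as the command list, otherwise "ok".
audit_sudoers() {
    file=$1
    user=$2
    if grep -v '^[[:space:]]*#' "$file" \
        | grep -E "^[[:space:]]*${user}[[:space:]]" \
        | grep -Eq '\(ALL\)|[:=][[:space:]]*ALL[[:space:]]*$'; then
        echo unsafe
    else
        echo ok
    fi
}

# Constructed sample input: each rule written to its own temporary file.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_RULE" > "$tmp/weak"
printf '%s\n' "$SAFE_RULE" > "$tmp/safe"

echo "weak rule: $(audit_sudoers "$tmp/weak" apache)"   # unsafe
echo "safe rule: $(audit_sudoers "$tmp/safe" apache)"   # ok

# Where visudo is installed, also syntax-check the restricted rule before
# dropping it into /etc/sudoers.d/ (visudo -cf checks the named file).
if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$tmp/safe" \
        || echo "visudo reported a problem (syntax, or owner/mode of the temp file)"
fi
```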


