[asterisk-users] ! Command from -rx?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sun Aug 5 23:14:52 CDT 2007


On Mon, Aug 06, 2007 at 10:44:47AM +1200, Matt Riddell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Tzafrir Cohen wrote:
> > 
> > What do you need that for?
> > 
> > '!' is pointless with asterisk -rx: with asterisk -r, '!' runs a local
> > command in a subshell (or starts a new subshell) by the local client
> > asterisk. It does nothing by the server.
> > 
> > So you might as well just run:
> > 
> >   ls
> 
> Unless somehow he has access to the Asterisk console from a non root
> account and Asterisk is running as root and he wants to execute
> something as root.
> 
> I would have thought though that if Asterisk is running as root, he'd
> need to be root to access the console.

To gain access to the terminal the asterisk console is running in, all
you need is physical access there.


If you want to be able to open a remote asterisk terminal, you should be
able to write to the asterisk.ctl socket. If asterisk is run as root (as
it should normally be - it will drop unnecessary permissions right at
startup), then the permissions on that file are set by configuration
items for [file] in /etc/asterisk/asterisk.conf -

;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = asterisk
;astctl = asterisk.ctl

(See asterisk-conf.txt in the doc/ directory)


But then again, the '!' command in the CLI means something that has
nothing to do with executing commands by the main asterisk process.
It is a "shell escape":

When you work on a remote program you sometimes want to execute a simple
local shell command. There's not much security breach here because it is
done locally. The '!' is done purely locally and the asterisk server
doesn't even hear about this. So even if asterisk is root and you're
nobody, the '!' here is no security breach - all you can do with '!' is
run commands as 'nobody'.

(Don't get me wrong: the situation described above *is* a security
breach. Mr. nobody can, say, originate a call to the application System)

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
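
An added example, not part of the original message and not code from the Asterisk project: a small Python audit that compares a control socket's mode and ownership with the astctlpermissions/astctlowner/astctlgroup values shown in the message. The function name, its parameters and the throwaway socket it builds are constructed for illustration; point `audit_ctl_socket` at the real asterisk.ctl path on your system.

```python
import os
import socket
import stat
import tempfile

def audit_ctl_socket(path, owner_uid=0, group_gid=None, allowed_mode=0o660):
    """Return findings for a control socket; an empty list means it matches policy."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a Unix socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~allowed_mode:
        findings.append(f"mode {mode:04o} grants bits outside {allowed_mode:04o}")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local account can attach a remote console")
    if st.st_uid != owner_uid:
        findings.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if group_gid is not None and st.st_gid != group_gid:
        findings.append(f"group gid {st.st_gid}, expected {group_gid}")
    return findings

def demo():
    """Build a throwaway socket (constructed sample, not a real asterisk.ctl) and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "asterisk.ctl")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        try:
            os.chmod(path, 0o666)   # weak setting: every local user may write
            weak = audit_ctl_socket(path, owner_uid=os.getuid())
            os.chmod(path, 0o660)   # the value shown in the message
            strict = audit_ctl_socket(path, owner_uid=os.getuid())
        finally:
            srv.close()
        return weak, strict

if __name__ == "__main__":
    weak, strict = demo()
    print("0666:", weak)
    print("0660:", strict)
```

The demo passes the current uid as the expected owner so it runs unprivileged; on a real system leave `owner_uid=0` and pass the gid of the group that is allowed to use the console.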


