[asterisk-users] ! Command from -rx?
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Sun Aug 5 23:14:52 CDT 2007
On Mon, Aug 06, 2007 at 10:44:47AM +1200, Matt Riddell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tzafrir Cohen wrote:
> >
> > What do you need that for?
> >
> > '!' is pointless with asterisk -rx: with asterisk -r, '!' runs a local
> > command in a subshell (or starts a new subshell) by the local cleint
> > asterisk. It does nothing by the server.
> >
> > So you might as well just run:
> >
> > ls
>
> Unless somehow he has access to the Asterisk console from a non root
> account and Asterisk is running as root and he wants to execute
> something as root.
>
> I would have thought though that if Asterisk is running as root, he'd
> need to be root to access the console.
To gain acces to the terminal the asterisk console is running in, all
you need is physical access there.
If you want to be able to open a remote asterisk terminal, you should be
able to write to the asterisk.ctl socket. If asterisk is run as root (as
it should be normally be - it will drop unnecessary permissions right at
startup), then the permissions on that file are set by configuration
items for [file] in /etc/asterisk/asterisk.conf -
;astctlpermissions = 0660
;astctlowner = root
;astctlgroup = asterisk
;astctl = asterisk.ctl
(See asterisk-conf.txt in the doc/ directory)
But then again, the '!' command in the CLI means something that has
nothing to do with executing commands by the main asterisk process.
It is a "shell escaple":
When you work on a remote program you sometimes want to execute a simple
local shell command. There's not much securty breach here because it is
done locally. The '!' is done purly locally and the asterisk server
doesn't even hear about this. So even if asterisk is root and you're
nobody, the '!' here is no security breach - all you can do with '!' is
run commands as 'nobody' .
(Don't get me wrong: the situation described above *is* a security
breach. Mr. nobody can, say, originate a call to the application System)
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir at jabber.org
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-users
mailing list