[asterisk-users] giving a user asterisk CLI access: how bad could it get

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Sat Nov 1 19:15:02 CDT 2008


On Saturday 01 November 2008 18:52:41 Alexander Lopez wrote:
> No need to compile "!" out of asterisk source....
>
> Just put SHELL=/bin/false in your login script....
>
> The ! command will not work...

That's not completely true.  The only thing that will prevent is the ability
to get a shell prompt from the command line.  The user could still type
'!' commands and get whatever he wanted.

However, there are more indirect ways to get anything a user desires:  the
CLI has the ability to create extensions, extensions which could execute the
System application, pick up his phone, dial the extension, execute the
command, and even cover his tracks by putting NoCDR in the extension path
and removing the incriminating extension afterwards (again with the CLI).  In
1.4, it's even easier:  he can originate a call from the command line, perhaps
even to a phone of a person he wanted to take the fall for his exploit.

So you can see, removing the '!' command can be done, but it will lead to a
very false sense of security.  It will stop only the extremely casual user,
one who was unlikely to have been very much a threat in the first place.

-- 
Tilghman



More information about the asterisk-users mailing list