[asterisk-users] giving a user asterisk CLI access: how bad could it get

John Todd jtodd at digium.com
Mon Nov 3 11:23:32 CST 2008

On Nov 1, 2008, at 5:15 PM, Tilghman Lesher wrote:

> On Saturday 01 November 2008 18:52:41 Alexander Lopez wrote:
>> No need to compile "!" out of asterisk source....
>> Just put SHELL=/bin/false in your login script....
>> The ! command will not work...
> That's not completely true.  The only thing that will prevent is the  
> ability
> to get a shell prompt from the command line.  The user could still  
> type
> '!' commands and get whatever he wanted.
> However, there are more indirect ways to get anything a user  
> desires:  the
> CLI has the ability to create extensions, extensions which could  
> execute the
> System application, pick up his phone, dial the extension, execute the
> command, and even cover his tracks by putting NoCDR in the extension  
> path
> and removing the incriminating extension afterwards (again with the  
> CLI).  In
> 1.4, it's even easier:  he can originate a call from the command  
> line, perhaps
> even to a phone of a person he wanted to take the fall for his  
> exploit.
> So you can see, removing the '!' command can be done, but it will  
> lead to a
> very false sense of security.  It will stop only the extremely  
> casual user,
> one who was unlikely to have been very much a threat in the first  
> place.
> -- 
> Tilghman

Alex -
   There is also an enhancement to Asterisk that is seeing some work  
which will allow CLI permissions applied to each command - Eliel  
Sardanons is the most active (only?) developer on this code.  This  
will be undoubtedly some time before completion and inclusion into  
TRUNK, but perhaps you might be interested in helping with the  
debugging/development of that branch:


Example config file:



John Todd
jtodd at digium.com        +1-256-428-6083
Asterisk Open Source Community Director

More information about the asterisk-users mailing list