[asterisk-users] giving a user asterisk CLI access: how bad could it get

Dima fadey at scancom.es
Tue Nov 4 10:14:16 CST 2008


> On Sat, Nov 01, 2008 at 12:38:52AM +0100, Dima wrote:
> > Setting the user's shell to /usr/sbin/rasterisk works. On login user
> > gets into asterisk CLI if asterisk is running (user just has to have
> > write permission to /var/lib/asterisk.*).
> 
> How does that user "login"?
> 

client$ ssh asteriskcli at asterisk.machine
password:

Asterisk SVN-branch-1.4-r137138, Copyright (C) 1999 - 2008 Digium, Inc.
and others.
.......
Verbosity is at least 9
asterisk.machine*CLI>


> CLI has the ability to create extensions, extensions which could execute the
> System application, pick up his phone, dial the extension, execute the
> command, and even cover his tracks by putting NoCDR in the extension path
> and removing the incriminating extension afterwards (again with the CLI).  In
> 1.4, it's even easier:  he can originate a call from the command line, perhaps
> even to a phone of a person he wanted to take the fall for his exploit.

The person I'm giving the access to is an admin of that Asterisk. It's
up to him to do evil stuff with Asterisk itself. As long as he can't get
a shell and do "rm -rf /" I'm safe.
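The setup described in this thread turns an ordinary login account into one that lands straight in the Asterisk CLI by making /usr/sbin/rasterisk its login shell. The script below is an added audit example, not code from the thread or from the Asterisk project: it inventories which accounts in a passwd-format file have that shell (so an admin can see exactly who gets CLI-on-login), flags any such account with UID 0, and checks that the rasterisk binary is actually present. The passwd lines are a constructed sample; the path /usr/sbin/rasterisk is taken from the thread.

```shell
#!/bin/sh
# Added audit example (not from the thread): report accounts whose login
# shell is the Asterisk remote console, /usr/sbin/rasterisk.

RASTERISK_SHELL=/usr/sbin/rasterisk

# Print "user:uid" for every account whose login shell is rasterisk.
# Reads a passwd-format file; defaults to /etc/passwd.
cli_accounts() {
    passwd_file=${1:-/etc/passwd}
    awk -F: -v sh="$RASTERISK_SHELL" '$7 == sh { print $1 ":" $3 }' "$passwd_file"
}

# Print the names of rasterisk-shell accounts that are also UID 0.
# A root-owned account with a "restricted" CLI shell defeats the purpose.
cli_accounts_with_uid0() {
    passwd_file=${1:-/etc/passwd}
    awk -F: -v sh="$RASTERISK_SHELL" '$7 == sh && $3 == 0 { print $1 }' "$passwd_file"
}

# Exit 0 if the named user would land in the Asterisk CLI at login, 1 otherwise.
is_cli_account() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    awk -F: -v u="$user" -v sh="$RASTERISK_SHELL" \
        '$1 == u && $7 == sh { found = 1 } END { exit !found }' "$passwd_file"
}

# Warn on stderr if the shell binary is missing: such accounts could not log
# in at all, which is usually a sign of a stale or mistyped passwd entry.
check_rasterisk_binary() {
    if [ -x "$RASTERISK_SHELL" ]; then
        return 0
    fi
    echo "warning: $RASTERISK_SHELL is not an executable on this host" >&2
    return 1
}

# Constructed sample passwd file so the functions can be exercised offline.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asteriskcli:x:1001:1001:Asterisk CLI admin:/home/asteriskcli:/usr/sbin/rasterisk
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF

echo "accounts that get the Asterisk CLI at login:"
cli_accounts "$SAMPLE_PASSWD"
check_rasterisk_binary || true
```

Run it against the real file with `cli_accounts /etc/passwd` on the Asterisk host; any name printed by `cli_accounts_with_uid0` deserves immediate attention.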
