[asterisk-users] giving a user asterisk CLI access: how bad could it get

Ruddy Gbaguidi plugworld at micnes.com
Tue Nov 4 15:52:10 CST 2008


Did you know that any command you type in the Asterisk CLI starting with an
exclamation point (!) is executed in the shell by Asterisk?
Example:
running
!ls
will run 'ls' in your current directory.

So be aware, because your user can then do whatever they want.

Dima wrote:
>> On Sat, Nov 01, 2008 at 12:38:52AM +0100, Dima wrote:
>>> Setting the user's shell to /usr/sbin/rasterisk works. On login user
>>> gets into asterisk CLI if asterisk is running (user just has to have
>>> write permission to /var/lib/asterisk.*).
>>
>> How does that user "login"?
>
> client$ ssh asteriskcli at asterisk.machine
> password:
>
> Asterisk SVN-branch-1.4-r137138, Copyright (C) 1999 - 2008 Digium, Inc.
> and others.
> .......
> Verbosity is at least 9
> asterisk.machine*CLI>
>
>> CLI has the ability to create extensions, extensions which could execute the
>> System application, pick up his phone, dial the extension, execute the
>> command, and even cover his tracks by putting NoCDR in the extension path
>> and removing the incriminating extension afterwards (again with the CLI).  In
>> 1.4, it's even easier:  he can originate a call from the command line, perhaps
>> even to a phone of a person he wanted to take the fall for his exploit.
>
> The person I'm giving the access to is an admin of that asterisk. It's
> up to him to do evil stuff with asterisk itself. As long as he can't get
> a shell and do "rm -rf /" I'm safe.
>


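A defensive variant of the setup discussed in this thread, added here as an example and not taken from any poster: instead of making /usr/sbin/rasterisk the login shell, install a small wrapper that forwards each CLI line to the running Asterisk with `asterisk -rx` and refuses any line beginning with `!`. The wrapper name `asterisk-cli-shell`, the `ASTERISK_BIN` path and the prompt text are assumptions; the user still needs the same control-socket permission rasterisk needs.

```sh
#!/bin/sh
# Added example (not from the thread): a restricted login shell that gives a
# user Asterisk CLI access without the console's "!" shell escape. Every line
# is filtered and then handed to the running daemon via "asterisk -rx". The
# filter is applied regardless of how -rx treats "!", so no line starting with
# an exclamation point ever reaches Asterisk. Path below is an assumption.

ASTERISK_BIN="${ASTERISK_BIN:-/usr/sbin/asterisk}"

# cli_allowed CMD -> returns 0 if CMD may be forwarded, 1 if it must be refused.
# Leading whitespace is stripped first so "   !ls" is caught as well.
cli_allowed() {
    cmd=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case "$cmd" in
        '!'*) return 1 ;;   # shell escape: refuse
        *)    return 0 ;;
    esac
}

# Interactive loop: read a line, filter it, forward it. Output of the command
# comes back from the daemon on stdout, as it would in the remote console.
restricted_cli() {
    while printf 'restricted*CLI> '; IFS= read -r line; do
        case "$line" in
            quit|exit) break ;;
            '')        continue ;;
        esac
        if cli_allowed "$line"; then
            "$ASTERISK_BIN" -rx "$line"
        else
            echo "refused: shell escapes (!) are disabled for this account" >&2
        fi
    done
}

# Only start the loop when invoked as the login shell under the assumed
# install name; sourcing or testing the file leaves the functions defined only.
case "$0" in
    *asterisk-cli-shell) restricted_cli ;;
esac
```

Set this wrapper (made executable and listed in /etc/shells) as the user's login shell in place of rasterisk; everything else in the thread's setup stays the same.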

