[asterisk-users] giving a user asterisk CLI access: how bad could it get

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Tue Nov 4 16:35:28 CST 2008


On Tuesday 04 November 2008 16:02:40 Jeff LaCoursiere wrote:
> On Tue, 4 Nov 2008, Dima wrote:
> > The person I'm giving the access to is an admin of that asterisk. It's
> > up to him to do evil stuff with asterisk itself. As long as he can't get
> > a shell and do "rm -rf /" I'm safe.
>
> Hmm, I wonder if you could run asterisk in a jail?  Anyone done that on
> FreeBSD for example?  That would solve your issues I think.  It would
> certainly be difficult for your admin to "admin" asterisk without the CLI.
> Depending on your flavor of GUI it may be difficult for him to admin
> asterisk with shell access.
>
> Without a jail, however, if you give him CLI access you are basically
> giving him the machine, which seems to be the general consensus.

Even with a jail, you are giving a user complete control of the capabilities
of the user that Asterisk is running as.  Period.  There is no way around
this.  If Asterisk is running as root, then giving CLI access is the same as
giving complete control of your machine over to anybody with CLI access.

> Has anyone ever tried to compile "!" out of the CLI?

As I stated before, this does not improve your security one iota.

-- 
Tilghman
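
Added example, not part of the original post: a check of which privileges a CLI user would inherit, by reading the effective UID and effective capability mask of each running Asterisk process. It assumes Linux /proc status files and a process named "asterisk"; the function names and the labels root/caps/unprivileged/unknown are made up for this example, and the sample status text is constructed.

```sh
#!/bin/sh
# Reads /proc/<pid>/status-format text on stdin and prints one label:
#   root          effective UID is 0: CLI access equals control of the machine
#   caps          non-root, but the effective capability mask is non-zero
#   unprivileged  non-root and no effective capabilities
#   unknown       no Uid: line found in the input
classify_status() {
    awk '
        $1 == "Uid:"    { euid = $3 }   # fields: label, real, effective, saved, fs
        $1 == "CapEff:" { cap = $2 }    # hex bitmask of effective capabilities
        END {
            gsub(/0/, "", cap)          # anything left means at least one bit is set
            if (euid == "")      print "unknown"
            else if (euid == 0)  print "root"
            else if (cap != "")  print "caps"
            else                 print "unprivileged"
        }'
}

# Classify every live process named exactly "asterisk" (prints nothing if none).
audit_asterisk() {
    for pid in $(pgrep -x asterisk 2>/dev/null); do
        [ -r "/proc/$pid/status" ] || continue
        printf 'pid %s: %s\n' "$pid" "$(classify_status < "/proc/$pid/status")"
    done
}

# Constructed sample input: sample_status UID CAPEFF
sample_status() {
    printf 'Name:\tasterisk\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' \
        "$1" "$1" "$1" "$1" "$2"
}

# Demo on constructed samples, then on any real Asterisk processes.
sample_status 0 000001ffffffffff | classify_status
sample_status 1001 0000000000001000 | classify_status
sample_status 1001 0000000000000000 | classify_status
audit_asterisk
```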


