[asterisk-users] giving a user asterisk CLI access: how bad could it get
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Nov 4 22:24:33 CST 2008
On Tue, Nov 04, 2008 at 04:31:58PM -0600, Tilghman Lesher wrote:
> On Tuesday 04 November 2008 15:52:10 Ruddy Gbaguidi wrote:
> > Did you know that any command you type in asterisk cli starting with
> > exclamation point (!) is executed in the shell by asterisk ??
> > Example :
> > running
> > !ls
> > will run 'ls' in your current directory
> >
> > So, be aware because your user can do whatever we want then.
>
> Yes, but remote commands are executed as whatever user is running the
> remote command, which is NOT necessarily the same as root. You can open
> up the permissions of the asterisk.ctl pipe file to allow another group to
> connect.
'!' is not a remote command. If you log in as asteriskcli and asterisk is
running as the user asteriskd, '!ls' and '!rm whatever' will be executed
through /bin/sh by the user asteriskcli. Anything you can cause
Asterisk to run through the dialplan, originate and such would be run by
asteriskd.
So it doesn't buy you much vs. creating a standard user account.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
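
An added example, not part of the original message or of Asterisk's own code: a small audit of the `[files]` section of asterisk.conf that reports which accounts can connect to the asterisk.ctl socket discussed above, and therefore trigger actions that run as the daemon's user. The sample configuration is constructed, and using asteriskcli as a group name is an assumption; the option names are the ones asterisk.conf uses for the control socket.

```python
import configparser
import stat

# Constructed sample of asterisk.conf (not taken from the thread).
SAMPLE_CONF = """
[files]
astctlpermissions = 0660
astctlowner = asteriskd
astctlgroup = asteriskcli
astctl = asterisk.ctl
"""

def ctl_access(conf_text):
    """Report who may connect to the CLI control socket per [files]."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    files = cp["files"] if cp.has_section("files") else {}
    raw = files.get("astctlpermissions")
    if raw is None:
        # Nothing configured: the mode on disk has to be inspected instead.
        return {"mode": None, "connect": [], "findings": ["astctlpermissions unset"]}
    mode = int(raw, 8)
    # On Linux, connecting to a Unix socket needs write permission on it.
    classes = [
        (stat.S_IWUSR, "user:" + files.get("astctlowner", "(daemon user)")),
        (stat.S_IWGRP, "group:" + files.get("astctlgroup", "(daemon group)")),
        (stat.S_IWOTH, "other"),
    ]
    connect = [name for bit, name in classes if mode & bit]
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local account can reach the CLI")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Per the message above: '!' runs as the caller, but dialplan and
        # originate actions run as the daemon's user.
        findings.append("non-owner CLI users can drive actions run by the daemon user")
    return {"mode": mode, "connect": connect, "findings": findings}

if __name__ == "__main__":
    result = ctl_access(SAMPLE_CONF)
    print(oct(result["mode"]), result["connect"])
    for finding in result["findings"]:
        print("finding:", finding)
```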