<p>Benjamin Keith Ford <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19646">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span></span><br></pre><div style="white-space:pre-wrap">Approvals:
  Benjamin Keith Ford: Looks good to me, approved; Approved for Submit
  Friendly Automation: Verified

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">manager: prevent file access outside of config dir<br><br>Add live_dangerously flag to manager and use this flag to<br>determine if a configuation file outside of AST_CONFIG_DIR<br>should be read.<br><br>ASTERISK-30176<br><br>Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404<br>---<br>M configs/samples/asterisk.conf.sample<br>A doc/UPGRADE-staging/manager_config_live_dangerously.txt<br>M include/asterisk/manager.h<br>M main/manager.c<br>M main/options.c<br>5 files changed, 85 insertions(+), 4 deletions(-)<br><br></pre>
<pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/configs/samples/asterisk.conf.sample b/configs/samples/asterisk.conf.sample</span><br><span>index efb3386..97f1e77 100644</span><br><span>--- a/configs/samples/asterisk.conf.sample</span><br><span>+++ b/configs/samples/asterisk.conf.sample</span><br><span>@@ -95,10 +95,13 @@</span><br><span>                           ;         documented in extensions.conf.sample.</span><br><span>                              ; Default gosub.</span><br><span> ;live_dangerously = no              ; Enable the execution of 'dangerous' dialplan</span><br><span style="color: hsl(0, 100%, 40%);">-                          ; functions from external sources (AMI,</span><br><span style="color: hsl(0, 100%, 40%);">-                         ; etc.) These functions (such as SHELL) are</span><br><span style="color: hsl(0, 100%, 40%);">-                             ; considered dangerous because they can allow</span><br><span style="color: hsl(0, 100%, 40%);">-                           ; privilege escalation.</span><br><span style="color: hsl(120, 100%, 40%);">+                               ; functions and configuration file access from</span><br><span style="color: hsl(120, 100%, 40%);">+                                ; external sources (AMI, etc.) These functions</span><br><span style="color: hsl(120, 100%, 40%);">+                                ; (such as SHELL) are considered dangerous</span><br><span style="color: hsl(120, 100%, 40%);">+                            ; because they can allow privilege escalation.</span><br><span style="color: hsl(120, 100%, 40%);">+                                ; Configuration files are considered dangerous</span><br><span style="color: hsl(120, 100%, 40%);">+                                ; if they exist outside of the Asterisk</span><br><span style="color: hsl(120, 100%, 40%);">+                               ; configuration directory.</span><br><span>                           ; Default no</span><br><span> ;entityid=00:11:22:33:44:55     ; Entity ID.</span><br><span>                                 ; This is in the form of a MAC address.</span><br><span>diff --git a/doc/UPGRADE-staging/manager_config_live_dangerously.txt b/doc/UPGRADE-staging/manager_config_live_dangerously.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..56f39f9</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/manager_config_live_dangerously.txt</span><br><span>@@ -0,0 +1,8 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: AMI (Asterisk Manager Interface)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Previously, GetConfig and UpdateConfig were able to access files outside of</span><br><span style="color: hsl(120, 100%, 40%);">+the Asterisk configuration directory. Now this access is put behind the</span><br><span style="color: hsl(120, 100%, 40%);">+live_dangerously configuration option in asterisk.conf, which is disabled by</span><br><span style="color: hsl(120, 100%, 40%);">+default. If access to configuration files outside of the Asterisk configuation</span><br><span style="color: hsl(120, 100%, 40%);">+directory is required via AMI, then the live_dangerously configuration option</span><br><span style="color: hsl(120, 100%, 40%);">+must be set to yes.</span><br><span>diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h</span><br><span>index 1f68cd1..6d860d8 100644</span><br><span>--- a/include/asterisk/manager.h</span><br><span>+++ b/include/asterisk/manager.h</span><br><span>@@ -356,6 +356,18 @@</span><br><span>  */</span><br><span> void astman_send_list_complete_end(struct mansession *s);</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Enable/disable the inclusion of 'dangerous' configurations outside</span><br><span style="color: hsl(120, 100%, 40%);">+ * of the ast_config_AST_CONFIG_DIR</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * This function can globally enable/disable the loading of configuration files</span><br><span style="color: hsl(120, 100%, 40%);">+ * outside of ast_config_AST_CONFIG_DIR.</span><br><span style="color: hsl(120, 100%, 40%);">+ *</span><br><span style="color: hsl(120, 100%, 40%);">+ * \param new_live_dangerously If true, enable the access of files outside</span><br><span style="color: hsl(120, 100%, 40%);">+ * ast_config_AST_CONFIG_DIR from astman.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+void astman_live_dangerously(int new_live_dangerously);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> void __attribute__((format(printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...);</span><br><span> </span><br><span> /*! \brief Determine if a manager session ident is authenticated */</span><br><span>diff --git a/main/manager.c b/main/manager.c</span><br><span>index a895e3f..d2ec703 100644</span><br><span>--- a/main/manager.c</span><br><span>+++ b/main/manager.c</span><br><span>@@ -1498,6 +1498,11 @@</span><br><span> /*! \brief The \ref stasis_subscription for forwarding the Security topic to the AMI topic */</span><br><span> static struct stasis_forward *security_topic_forwarder;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*!</span><br><span style="color: hsl(120, 100%, 40%);">+ * \brief Set to true (non-zero) to globally allow all dangerous AMI actions to run</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+static int live_dangerously;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> #ifdef TEST_FRAMEWORK</span><br><span> /*! \brief The \ref stasis_subscription for forwarding the Test topic to the AMI topic */</span><br><span> static struct stasis_forward *test_suite_forwarder;</span><br><span>@@ -3617,6 +3622,29 @@</span><br><span>         return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+void astman_live_dangerously(int new_live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ if (new_live_dangerously && !live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+        {</span><br><span style="color: hsl(120, 100%, 40%);">+             ast_log(LOG_WARNING, "Manager Configuration load protection disabled.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+  }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   if (!new_live_dangerously && live_dangerously)</span><br><span style="color: hsl(120, 100%, 40%);">+        {</span><br><span style="color: hsl(120, 100%, 40%);">+             ast_log(LOG_NOTICE, "Manager Configuration load protection enabled.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+    }</span><br><span style="color: hsl(120, 100%, 40%);">+     live_dangerously = new_live_dangerously;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+static int restrictedFile(const char *filename)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+     if (!live_dangerously && !strncasecmp(filename, "/", 1) &&</span><br><span style="color: hsl(120, 100%, 40%);">+           strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {</span><br><span style="color: hsl(120, 100%, 40%);">+               return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+     return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int action_getconfig(struct mansession *s, const struct message *m)</span><br><span> {</span><br><span>    struct ast_config *cfg;</span><br><span>@@ -3635,6 +3663,11 @@</span><br><span>             return 0;</span><br><span>    }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (restrictedFile(fn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+             astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+             return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  cfg = ast_config_load2(fn, "manager", config_flags);</span><br><span>       if (cfg == CONFIG_STATUS_FILEMISSING) {</span><br><span>              astman_send_error(s, m, "Config file not found");</span><br><span>@@ -3764,6 +3797,11 @@</span><br><span>                 return 0;</span><br><span>    }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (restrictedFile(fn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+             astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+             return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {</span><br><span>              astman_send_error(s, m, "Config file not found");</span><br><span>          return 0;</span><br><span>@@ -4115,6 +4153,10 @@</span><br><span>           astman_send_error(s, m, "Filename not specified");</span><br><span>                 return 0;</span><br><span>    }</span><br><span style="color: hsl(120, 100%, 40%);">+     if (restrictedFile(sfn) || restrictedFile(dfn)) {</span><br><span style="color: hsl(120, 100%, 40%);">+             astman_send_error(s, m, "File requires escalated priveledges");</span><br><span style="color: hsl(120, 100%, 40%);">+             return 0;</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span>    if (!(cfg = ast_config_load2(sfn, "manager", config_flags))) {</span><br><span>             astman_send_error(s, m, "Config file not found");</span><br><span>          return 0;</span><br><span>diff --git a/main/options.c b/main/options.c</span><br><span>index f46aa74..15fd704 100644</span><br><span>--- a/main/options.c</span><br><span>+++ b/main/options.c</span><br><span>@@ -476,6 +476,7 @@</span><br><span>         }</span><br><span>    if (!ast_opt_remote) {</span><br><span>               pbx_live_dangerously(live_dangerously);</span><br><span style="color: hsl(120, 100%, 40%);">+               astman_live_dangerously(live_dangerously);</span><br><span>   }</span><br><span> </span><br><span>        option_debug += option_debug_new;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19646">change 19646</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/19646"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: certified/18.9 </div>
<div style="display:none"> Gerrit-Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404 </div>
<div style="display:none"> Gerrit-Change-Number: 19646 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-CC: Michael Bradeen <mbradeen@sangoma.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>