[Asterisk-Dev] Security of Asterisk shell out (Was: is this a bug?)

Aaron S. Joyner asjoyner at intrex.net
Wed Jan 26 10:27:43 MST 2005 

Josh Roberson wrote:

> Matt Gibson wrote:
>
>> ...
>> This way if someone was in asterisk, and wanted to access a shell 
>> (and not another vtty) they could type 'shell' or something similar, 
>> and be presented with a shell, then type 'exit' in the shell to be 
>> returned to the asterisk CLI.
>> ...
>
> Or for that matter, just a simple ! will give you a shell.
> *CLI> ! <enter>
> [root at localhost:~]# exit
> *CLI>
>
 From a security-minded standpoint, is there a way to disable this 
functionality, either from the config file or startup arguments?  I 
don't personally think it's a good idea, but it's not beyond the realm 
of possibility that someone might consider providing the Asterisk CLI as 
a user's shell, in order to allow them limited administrative access.  A 
hypothetical example might be a manager or tech support representative 
being allowed CLI access to be able to execute "sip show peers", or the 
like.  The ability to turn off direct access to a shell might be 
desirable, to limit their ability to easily affect the rest of the 
system, or at least require more complicated abuse to get shell-level 
access.

Note: Yes, I'm fully aware that with Asterisk CLI access you're quite 
able to run system calls, even through non-obvious means, such as going 
so far as to create a dial plan entry that would call a command, and 
then dialing in to execute that extension.  I'm not suggesting it as a 
way to deter the truly determined and educated, just as a way to prevent 
casual abuse.  All things considered, in my opinion you shouldn't 
provide Asterisk CLI access to anyone who isn't educated, so preventing 
a direct shell out, or direct command execution, would naturally be of 
limited use.  The obvious counter to the above example is that "limited 
view" access like that should be provided via the manager interface 
(perhaps a CGI that queries the manager interface to return the desired 
information), and even having such an option (to prevent shelling out) 
would potentially encourage bad security practices.

Feedback is welcome.

-- 
Aaron S. Joyner
System Administrator
Intrex.net Internet Services
(919) 573-5488 x102

More information about the asterisk-dev mailing list