Summary:ASTERISK-04705: Disable "!" from CLI using features.conf or any other .conf
Reporter:Alessio Focardi (alessiof)Labels:
Date Opened:2005-07-27 09:56:14Date Closed:2005-07-29 09:50:13
Versions:Frequency of
Environment:Attachments:( 0) disablebang.txt
Description:Well since I'm no programmer I'm asking a little help:

I would like to have an option in any config file to disable "!" CLI command.

It seems quick and easy and it would be perfect for those, like me, who are running asterisk as root with a console open over a TTY line (I know that's bad, but even "non root" ! command can be dangerous in my opinion).

It would be great if this can find his way in upcoming 1.2 release ....

Tnx for any help!
Comments:By: Clod Patry (junky) 2005-07-27 09:59:49

you should consider making a bounty on this since it looks like more a personnal purpose here.

By: Roy Sigurd Karlsbakk (rkarlsba) 2005-07-27 10:08:54

I really don't see any use for this, as a malicious user gaining access to the asterisk console (a) most probably started off from the shell in the first place, or (b) can always 'stop now' or CTRL+C to stop asterisk and then use the shell, or (c) can press ctrl+z to suspend asterisk, gaining shell access, running off a command and then fg to get back to asterisk. although all these are easier to monitor as all of them obviously (may) break connections, it's still possible. IMHO the way to do this would be to add ACLs to each command and create a set of groups/users as done (or intended?) by the manager interface.


By: Alessio Focardi (alessiof) 2005-07-27 11:27:33

I have to explain my setup better to justify my request:

- asterisk is running as root
- asterisk config files have no permission (neither read) apart from root
- I created an user, let say his name is "cli"
- asterisk ctl file has been modded as owned by cli
- .bashrc script for cli contains the "asterisk -r" command


cli logs to the machine, and asterisk cli opens
cli writes ! cat \etc\asterisk\sip.conf, sip.conf is shown
cli press ctrl+c and it goes in a shell
cli writes cat \etc\asterisk\sip.conf, but he get no access

to summarize:

we can have an arbitrary user accessing the console who, with ! command, can gain privileges of the user asterisk is running.

Hoping that this can better explain the issue I'm tryng to address ...

Tnx to anyone who replied, anyhow !

By: Clod Patry (junky) 2005-07-27 13:08:45

And you want to make a bounty on this?

By: Tilghman Lesher (tilghman) 2005-07-27 14:58:53

The bang commands, run as you specify here, run as the other user, not as root.  Try !whoami and I bet you'll see your cli user, not root.  Given that you have other means available to jail your special user, this is not needed and will not be committed, even if you had a patch.

By: Clod Patry (junky) 2005-07-27 23:12:22

if that could help...

*CLI> !uptime
! has been disabled.
*CLI> !clear
! has been disabled.
*CLI> show version
Asterisk CVS-HEAD built by root@debian on a i586 running Linux on 2005-07-28 02:43:21 UTC
*CLI> show ch
channel       channels      channeltypes
*CLI> show channels
       Channel  (Context    Extension    Pri )   State Appl.         Data
0 active channels
0 active calls

So all bang commands are now disabled by an option in asterisk.conf.

Is what you were looking for ?

By: Clod Patry (junky) 2005-07-28 00:20:28

disablebang=yes in [options] in asterisk.conf

with disablebang.txt should disabled the shell command via !foobar

By: Olle Johansson (oej) 2005-07-28 02:06:44

Junky: Disclaimer?
Please also update README.asterisk.conf

Should we make it a command line option when starting Asterisk as well?

By: Alessio Focardi (alessiof) 2005-07-28 05:37:31

Yes, that's what I was looking for, tnx!


is the patch included in CVS already ?

By: Clod Patry (junky) 2005-07-28 06:59:57

Nope, test it many times with many possibilities.

Tell me how it works exactly on your side, we'll wait for some feedbacks from you,  before commiting this to cvs.


oej: yes disclaimer on file.

I'll wait for some feedbacks and i'll provide the patch for the README right after.

By: Alessio Focardi (alessiof) 2005-07-28 10:55:18

I did those tests:

asterisk without disablebang key in .conf : bang works
asterisk with empty disablebang key in .conf : bang works
asterisk with invalid disablebang key: bang works
asterisk with "yes" disablebang key: bang disabled

Curiosly there is no need of a reload for changes to become effective.

All was tested with todays CVS.

Would you like to have some more test ?

By: Clod Patry (junky) 2005-07-28 11:00:17

With this:
asterisk with invalid disablebang key: bang works

disablebang works for all value defined in the function ast_true.
If you have these value, the bang should be disabled, otherwise, it's gonna be enabled.
I've put the bang enabled by default.

Maybe more tests from many ppl?

By: Michael Jerris (mikej) 2005-07-28 13:48:15

fprintf(stdout, ??  debug message perhaps?

By: Tilghman Lesher (tilghman) 2005-07-28 15:20:57

There's actually something far worse that you can do by having access to the CLI and a phone on the system:

CLI> add extension 9999,1,System,"rm -rf /" into internal
   -- Added extension '9999' priority 1 to internal

Now you pick up your phone and dial 9999...  No bang command needed.  And you could cover your tracks, too:

CLI> remove extension 9999@internal 1
Extension 9999@internal with priority 1 removed

While it's not as easy as the bang command (and note that the bang command does NOT run as the same user running Asterisk), it's relatively simple and has much more risk than the bang command.

By: nick (nick) 2005-07-28 16:40:03

One of these days, I'm going to implement user-level CLI security. Until then, don't let users (that you don't trust to be superusers) directly at your CLI or dialplan if you're going to run Asterisk as root.

This bug is rather silly for the reasons Tilghman points out, and I would support him opposing its commitment. Let's not attempt to solve a human problem with technology unless we can do it right.


By: Clod Patry (junky) 2005-07-28 17:43:45

ya, i perfectly agree with you Cory, he should give acccess to CLI ONLY to trusted people.
I've submitted that patch just for alessiof.

By: nick (nick) 2005-07-28 20:05:43

Then unless alessiof (or somebody else) can come up with a another good argument for it, I'm going to close this.


By: Clod Patry (junky) 2005-07-28 21:06:20

NO, i am :)