Summary: ASTERISK-10521: [patch] safe/limited Originate manager action
Reporter: Tzafrir Cohen (tzafrir)
Labels:
Date Opened: 2007-10-13 19:29:08
Date Closed: 2008-04-18 15:18:06
Versions:
Frequency of
Environment:
Attachments:
( 0) 20080220__bug10972__2.diff.txt
( 1) 20080226__bug10972.diff.txt
( 2) safe_originate.diff
Description: The manager action of date allows someone with a "call" write permission to run an arbitrary command with the Asterisk user (using e.g. the System application). It also allows the originator to generate a call to just about anywhere in the dialplan.

This patch attempts to be a first step towards providing a safer Originate action. It adds a new permission type, "safe_call". And then goes to add a new meaning to the Originate action if the caller has only "safe_call" write permissions but not "call" write permissions:

* The originator cannot use the "Application" form. It must originate a call to an extension.

* The Context set by the originator is ignored, and replaced by the context set for it in the managers.conf.

* A Local channel is not allowed, as it would allow using an arbitrary context.

This still allows the originator to generate a call from an arbitrary channel, which is probably not safe. But gets rid of most of the issues.

It is currently a proof of concept code - tested to build but not to run.
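
The three restrictions listed above, written out as a stand-alone check (an added example, not code from the attached patch or from Asterisk). The permission bits, the struct and the function names are hypothetical, and refusing the request when no context is configured or no Channel is given is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical permission bits; these names are not from the attached patch. */
#define PERM_CALL      (1 << 0)
#define PERM_SAFE_CALL (1 << 1)

enum verdict { ALLOW, DENY_NO_PERM, DENY_APPLICATION, DENY_CHANNEL, DENY_NO_CONTEXT };

struct originate_req {          /* headers of one Originate action */
    const char *channel, *context, *exten;
    const char *application;    /* NULL when the extension form is used */
};

/* On ALLOW, *ctx_out is the context the call enters; otherwise it is NULL. */
enum verdict check_originate(int perms, const struct originate_req *req,
                             const char *configured_ctx, const char **ctx_out)
{
    *ctx_out = NULL;
    if (perms & PERM_CALL) {                /* full "call": behaviour unchanged */
        *ctx_out = req->context;
        return ALLOW;
    }
    if (!(perms & PERM_SAFE_CALL))
        return DENY_NO_PERM;
    if (req->application && *req->application)
        return DENY_APPLICATION;            /* rule 1: extension form only */
    /* Rule 3: no Local channel. Compared case-insensitively, and a missing
     * Channel header is refused too (both are assumptions of this sketch). */
    if (!req->channel || strncasecmp(req->channel, "Local/", 6) == 0)
        return DENY_CHANNEL;
    if (!configured_ctx || !*configured_ctx)
        return DENY_NO_CONTEXT;             /* assumption: fail closed */
    *ctx_out = configured_ctx;              /* rule 2: requested Context ignored */
    return ALLOW;
}

int main(void)
{
    /* Constructed request: asks for "internal", account is pinned to "outbound". */
    struct originate_req r = { "SIP/100", "internal", "5551234", NULL };
    const char *ctx;
    enum verdict v = check_originate(PERM_SAFE_CALL, &r, "outbound", &ctx);
    printf("verdict=%d context=%s\n", v, ctx ? ctx : "(none)");
    return 0;
}
```
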
Comments:
By: Tzafrir Cohen (tzafrir) 2007-12-06 04:59:02.000-0600

Looking at this now: "context" is a bad name for the extra config option if users.conf is to be used. I figure a name such as "context_allowed" should be used.

Need to update patch...

By: Olle Johansson (oej) 2007-12-06 05:07:31.000-0600

Interesting. This needs some thought...

By: Brandon Kruse (bkruse) 2007-12-06 09:07:07.000-0600

I agree with OEJ.

In that also, manager is being used in so many applications, that a class of privileges is almost a must.

This does need some thought, but is a step in the right direction :)

By: jmls (jmls) 2008-02-06 04:09:13.000-0600

oej: have you had any thoughts?

By: Tilghman Lesher (tilghman) 2008-02-20 17:13:02.000-0600

What do you envision as a possible bad thing someone could do by originating an arbitrary extension... other than making a telephone call?

By: Stefan Reuter (srt) 2008-02-20 19:21:02.000-0600

Bad things include originate to an application like "System"

By: Tilghman Lesher (tilghman) 2008-02-20 19:25:19.000-0600

srt: arbitrary extension, not application.  Yes, which applications you can execute should be restricted; that's obvious.  But extension?

By: Tilghman Lesher (tilghman) 2008-04-18 15:18:06

Given that we've done something here already, even though it doesn't include everything, I'm going to close this one out.