Summary: | ASTERISK-10521: [patch] safe/limited Originate manager action | ||
Reporter: | Tzafrir Cohen (tzafrir) | Labels: | |
Date Opened: | 2007-10-13 19:29:08 | Date Closed: | 2008-04-18 15:18:06 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Core/NewFeature |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | | Attachments: | (0) 20080220__bug10972__2.diff.txt, (1) 20080226__bug10972.diff.txt, (2) safe_originate.diff |
Description: | The manager action of date allows someone with a "call" write permission to run an arbitrary command with the Asterisk user (using e.g. the System application). It also allows the originator to generate a call to just about anywhere in the dialplan.

This patch attempts to be a first step towards providing a safer Originate action. It adds a new permission type, "safe_call". And then goes to add a new meaning to the Originate action if the caller has only "safe_call" write permissions but not "call" write permissions:

* The originator cannot use the "Application" form. It must originate a call to an extension.
* The Context set by the originator is ignored, and replaced by the context set for it in the managers.conf.
* A Local channel is not allowed, as it would allow using an arbitrary context.

This still allows the originator to generate a call from an arbitrary channel, which is probably not safe. But gets rid of most of the issues.

It is currently a proof of concept code - tested to build but not to run. |
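The three restrictions in the description, written out as a stand-alone authorization check. This is an added example, not the attached patch or Asterisk's own code: the permission bits, `struct originate_req`, `check_originate()`, the verdict names and the sample context `from-manager` are all hypothetical, and the request in `main()` is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical permission bits and request layout, not Asterisk's own. */
#define PERM_CALL      (1 << 0)
#define PERM_SAFE_CALL (1 << 1)

struct originate_req {
    const char *channel;      /* e.g. "SIP/100" */
    const char *application;  /* NULL when the extension form is used */
    const char *exten;
    char context[80];         /* requested context; overwritten for safe_call */
};

enum verdict { ALLOW, DENY_NO_PERM, DENY_APPLICATION, DENY_NO_EXTEN,
               DENY_CHANNEL, DENY_NO_CONTEXT };

/* Case-insensitive prefix test, so "local/" is caught as well as "Local/". */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* forced_context: the context configured for this manager user. */
enum verdict check_originate(int write_perm, struct originate_req *req,
                             const char *forced_context)
{
    if (write_perm & PERM_CALL) return ALLOW;            /* full "call": unchanged */
    if (!(write_perm & PERM_SAFE_CALL)) return DENY_NO_PERM;
    if (req->application && *req->application) return DENY_APPLICATION;
    if (!req->exten || !*req->exten) return DENY_NO_EXTEN;
    if (!req->channel || !*req->channel || has_prefix_ci(req->channel, "Local/"))
        return DENY_CHANNEL;                             /* missing or Local channel */
    if (!forced_context || !*forced_context) return DENY_NO_CONTEXT; /* fail closed */
    snprintf(req->context, sizeof(req->context), "%s", forced_context);
    return ALLOW;                                        /* caller's context replaced */
}

int main(void)
{
    struct originate_req r = { "SIP/100", NULL, "200", "internal-admin" }; /* constructed */
    enum verdict v = check_originate(PERM_SAFE_CALL, &r, "from-manager");
    printf("verdict=%d context=%s\n", v, r.context);
    return 0;
}
```

As the description notes, a check like this still lets the caller pick any non-Local originating channel.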
Comments: |

By: Tzafrir Cohen (tzafrir) 2007-12-06 04:59:02.000-0600
Looking at this now: "context" is a bad name for the extra config option if users.conf is to be used. I figure a name such as "context_allowed" should be used. Need to update patch...

By: Olle Johansson (oej) 2007-12-06 05:07:31.000-0600
Interesting. This needs some thought...

By: Brandon Kruse (bkruse) 2007-12-06 09:07:07.000-0600
I agree with OEJ. In that also, manager is being used in so many applications, that a class of privileges is almost a must. This does need some thought, but is a step in the right direction :)

By: jmls (jmls) 2008-02-06 04:09:13.000-0600
oej: have you had any thoughts?

By: Tilghman Lesher (tilghman) 2008-02-20 17:13:02.000-0600
What do you envision as a possible bad thing someone could do by originating an arbitrary extension... other than making a telephone call?

By: Stefan Reuter (srt) 2008-02-20 19:21:02.000-0600
Bad things include originate to an application like "System"

By: Tilghman Lesher (tilghman) 2008-02-20 19:25:19.000-0600
srt: arbitrary extension, not application. Yes, which applications you can execute should be restricted; that's obvious. But extension?

By: Tilghman Lesher (tilghman) 2008-04-18 15:18:06
Given that we've done something here already, even though it doesn't include everything, I'm going to close this one out. |