author David M. Lee <dlee@digium.com> 2013-12-16 19:11:51 +0000
committer David M. Lee <dlee@digium.com> 2013-12-16 19:11:51 +0000
commit 744556c01d6e28d4ae46c347f77edfb71778d924
tree bc90f83b4ec9ef0eafb3d952076bf9ea24406366 /README-SERIOUSLY.bestpractices.txt
parent 00dcee2a640394ac0aae294396d96985c6c1aba1
security: Inhibit execution of privilege escalating functions

This patch allows individual dialplan functions to be marked as 'dangerous', to inhibit their execution from external sources.

A 'dangerous' function is one which results in a privilege escalation. For example, if one were to read the channel variable SHELL(rm -rf /) Bad Things(TM) could happen; even if the external source has only read permissions.

Execution from external sources may be enabled by setting 'live_dangerously' to 'yes' in the [options] section of asterisk.conf. Although doing so is not recommended.

Also, the ABI was changed to something more reasonable, since Asterisk 12 does not yet have a public release.

(closes issue ASTERISK-22905)
Review: http://reviewboard.digium.internal/r/432/
........
Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 403917 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 403959 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403960 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'README-SERIOUSLY.bestpractices.txt')
-rw-r--r-- README-SERIOUSLY.bestpractices.txt 23
1 files changed, 23 insertions, 0 deletions
diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
index b470fd66c..108adce8f 100644
--- a/README-SERIOUSLY.bestpractices.txt
+++ b/README-SERIOUSLY.bestpractices.txt
@@ -26,6 +26,9 @@ Sections
* Manager Class Authorizations:
Recognizing potential issues with certain classes of authorization
+* Avoid Privilege Escalations:
+ Disable the ability to execute functions that may escalate privileges
+
----------------
Additional Links
----------------
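Review bot: The summary under the new "Avoid Privilege Escalations" index entry, "Disable the ability to execute functions that may escalate privileges", reads as if the functions are disabled everywhere, while the section added later in this patch only covers execution from external protocols. Suggest wording such as "Inhibit execution of privilege-escalating functions from external protocols" so the index entry matches the section it points to.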
@@ -344,3 +347,23 @@ same as the class authorization "system". Good system configuration, such as
not running Asterisk as root, can prevent serious problems from arising when
allowing external connections to originate calls into Asterisk.
+===========================
+Avoid Privilege Escalations
+===========================
+
+External control protocols, such as Manager, often have the ability to get and
+set channel variables; which allows the execution of dialplan functions.
+
+Dialplan functions within Asterisk are incredibly powerful, which is wonderful
+for building applications using Asterisk. But during the read or write
+execution, certain diaplan functions do much more. For example, reading the
+SHELL() function can execute arbitrary commands on the system Asterisk is
+running on. Writing to the FILE() function can change any file that Asterisk has
+write access to.
+
+When these functions are executed from an external protocol, that execution
+could result in a privilege escalation. Asterisk can inhibit the execution of
+these functions, if live_dangerously in the [options] section of asterisk.conf
+is set to no.
+
+In Asterisk 12 and later, live_dangerously defaults to no.
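Review bot: The closing sentence, "In Asterisk 12 and later, live_dangerously defaults to no", does not say what the default is before 12, yet the commit message records this change as merged from the 1.8 and 11 branches; state the default for those branches and tell administrators there to set live_dangerously explicitly in the [options] section of asterisk.conf. The section also gives SHELL() and FILE() as examples without saying how an administrator can find out which functions are treated as dangerous, so a pointer to that would help. Minor: "diaplan" should be "dialplan" in "certain diaplan functions do much more", and the semicolon in "channel variables; which allows" should be a comma.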