Introduce CLI permissions.

Based on cli_permissions.conf configuration file, we are able to permit or deny
cli commands based on some patterns and the local user and group running rasterisk.

(Sorry if I missed some of the testers).

Reviewboard: http://reviewboard.digium.com/r/11/

(closes issue #11123)
Reported by: eliel
Tested by: eliel, IgorG, Laureano, otherwiseguy, mvanbaak



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@160062 65c4cc65-6c06-0410-ace0-fbb531ad65f3

3 files changed, 23 insertions, 3 deletions

diff --git a/include/asterisk/_private.h b/include/asterisk/_private.h
index 83ae166de..98857025c 100644
--- a/include/asterisk/_private.h
+++ b/include/asterisk/_private.h
@@ -24,6 +24,7 @@ int ast_term_init(void);		/*!< Provided by term.c */
 int astdb_init(void);			/*!< Provided by db.c */
 void ast_channels_init(void);		/*!< Provided by channel.c */
 void ast_builtins_init(void);		/*!< Provided by cli.c */
+int ast_cli_perms_init(int reload);	/*!< Provided by cli.c */
 int dnsmgr_init(void);			/*!< Provided by dnsmgr.c */ 
 void dnsmgr_start_refresh(void);	/*!< Provided by dnsmgr.c */
 int dnsmgr_reload(void);		/*!< Provided by dnsmgr.c */
diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in
index d6b3f8971..c058291df 100644
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -322,6 +322,9 @@
 /* Define to 1 if you have the `getpagesize' function. */
 #undef HAVE_GETPAGESIZE
 
+/* Define to 1 if you have the `getpeereid' function. */
+#undef HAVE_GETPEEREID
+
 /* Define to 1 if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
 
diff --git a/include/asterisk/cli.h b/include/asterisk/cli.h
index 535b4e6af..a02764dfa 100644
--- a/include/asterisk/cli.h
+++ b/include/asterisk/cli.h
@@ -32,6 +32,10 @@ extern "C" {
 void ast_cli(int fd, const char *fmt, ...)
 	__attribute__((format(printf, 2, 3)));
 
+/* dont check permissions while passing this option as a 'uid'
+ * to the cli_has_permissions() function. */
+#define CLI_NO_PERMS		-1
+
 #define RESULT_SUCCESS		0
 #define RESULT_SHOWUSAGE	1
 #define RESULT_FAILURE		2
@@ -191,23 +195,35 @@ char *ast_cli_complete(const char *word, char *const choices[], int pos);
 
 /*! 
  * \brief Interprets a command
- * Interpret a command s, sending output to fd
+ * Interpret a command s, sending output to fd if uid:gid has permissions
+ * to run this command. uid = CLI_NO_PERMS to avoid checking user permissions
+ * gid = CLI_NO_PERMS to avoid checking group permissions.
+ * \param uid User ID that is trying to run the command.
+ * \param gid Group ID that is trying to run the command.
  * \param fd pipe
  * \param s incoming string
  * \retval 0 on success
  * \retval -1 on failure
  */
-int ast_cli_command(int fd, const char *s);
+int ast_cli_command_full(int uid, int gid, int fd, const char *s);
+
+#define ast_cli_command(fd,s) ast_cli_command_full(CLI_NO_PERMS, CLI_NO_PERMS, fd, s) 
 
 /*! 
  * \brief Executes multiple CLI commands
  * Interpret strings separated by NULL and execute each one, sending output to fd
+ * if uid has permissions, uid = CLI_NO_PERMS to avoid checking users permissions.
+ * gid = CLI_NO_PERMS to avoid checking group permissions.
+ * \param uid User ID that is trying to run the command.
+ * \param gid Group ID that is trying to run the command.
  * \param fd pipe
  * \param size is the total size of the string
  * \param s incoming string
  * \retval number of commands executed
  */
-int ast_cli_command_multiple(int fd, size_t size, const char *s);
+int ast_cli_command_multiple_full(int uid, int gid, int fd, size_t size, const char *s);
+
+#define ast_cli_command_multiple(fd,size,s) ast_cli_command_multiple_full(CLI_NO_PERMS, CLI_NO_PERMS, fd, size, s)
 
 /*! \brief Registers a command or an array of commands
  * \param e which cli entry to register.