diff options
author | David M. Lee <dlee@digium.com> | 2013-12-16 19:11:51 +0000 |
---|---|---|
committer | David M. Lee <dlee@digium.com> | 2013-12-16 19:11:51 +0000 |
commit | 744556c01d6e28d4ae46c347f77edfb71778d924 (patch) | |
tree | bc90f83b4ec9ef0eafb3d952076bf9ea24406366 /include | |
parent | 00dcee2a640394ac0aae294396d96985c6c1aba1 (diff) |
security: Inhibit execution of privilege escalating functions
This patch allows individual dialplan functions to be marked as
'dangerous', to inhibit their execution from external sources.
A 'dangerous' function is one which results in a privilege escalation.
For example, if one were to read the channel variable SHELL(rm -rf /)
Bad Things(TM) could happen; even if the external source has only read
permissions.
Execution from external sources may be enabled by setting
'live_dangerously' to 'yes' in the [options] section of asterisk.conf.
Although doing so is not recommended.
Also, the ABI was changed to something more reasonable, since Asterisk
12 does not yet have a public release.
(closes issue ASTERISK-22905)
Review: http://reviewboard.digium.internal/r/432/
........
Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 403917 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 403959 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403960 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'include')
-rw-r--r-- | include/asterisk/pbx.h | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/include/asterisk/pbx.h b/include/asterisk/pbx.h index dfdb23f80..77694a54c 100644 --- a/include/asterisk/pbx.h +++ b/include/asterisk/pbx.h @@ -140,6 +140,15 @@ struct ast_custom_function { /*! Write function, if write is supported */ ast_acf_write_fn_t write; /*!< Write function, if write is supported */ struct ast_module *mod; /*!< Module this custom function belongs to */ + unsigned int read_escalates:1; /*!< The read function is to be considered + * 'dangerous', and should not be run directly + * from external interfaces (AMI, ARI, etc.) + * \since 12 */ + unsigned int write_escalates:1; /*!< The write function is to be considerd + * 'dangerous', and should not be run directly + * from external interfaces (AMI, ARI, etc.) + * \since 12 */ + AST_RWLIST_ENTRY(ast_custom_function) acflist; }; @@ -1367,16 +1376,44 @@ struct ast_custom_function* ast_custom_function_find(const char *name); int ast_custom_function_unregister(struct ast_custom_function *acf); /*! + * \brief Description of the ways in which a function may escalate privileges. + */ +enum ast_custom_function_escalation { + AST_CFE_NONE, + AST_CFE_READ, + AST_CFE_WRITE, + AST_CFE_BOTH, +}; + +/*! * \brief Register a custom function */ #define ast_custom_function_register(acf) __ast_custom_function_register(acf, ast_module_info->self) /*! + * \brief Register a custom function which requires escalated privileges. + * + * Examples would be SHELL() (for which a read needs permission to execute + * arbitrary code) or FILE() (for which write needs permission to change files + * on the filesystem). + */ +#define ast_custom_function_register_escalating(acf, escalation) __ast_custom_function_register_escalating(acf, escalation, ast_module_info->self) + +/*! * \brief Register a custom function */ int __ast_custom_function_register(struct ast_custom_function *acf, struct ast_module *mod); /*! + * \brief Register a custom function which requires escalated privileges. + * + * Examples would be SHELL() (for which a read needs permission to execute + * arbitrary code) or FILE() (for which write needs permission to change files + * on the filesystem). + */ +int __ast_custom_function_register_escalating(struct ast_custom_function *acf, enum ast_custom_function_escalation escalation, struct ast_module *mod); + +/*! * \brief Retrieve the number of active calls */ int ast_active_calls(void); @@ -1489,6 +1526,32 @@ unsigned int ast_hashtab_hash_contexts(const void *obj); */ char *ast_complete_applications(const char *line, const char *word, int state); +/*! + * \brief Enable/disable the execution of 'dangerous' functions from external + * protocols (AMI, etc.). + * + * These dialplan functions (such as \c SHELL) provide an opportunity for + * privilege escalation. They are okay to invoke from the dialplan, but external + * protocols with permission controls should not normally invoke them. + * + * This function can globally enable/disable the execution of dangerous + * functions from external protocols. + * + * \param new_live_dangerously If true, enable the execution of escalating + * functions from external protocols. + */ +void pbx_live_dangerously(int new_live_dangerously); + +/*! + * \brief Inhibit (in the current thread) the execution of dialplan functions + * which cause privilege escalations. If pbx_live_dangerously() has been + * called, this function has no effect. + * + * \return 0 if successfuly marked current thread. + * \return Non-zero if marking current thread failed. + */ +int ast_thread_inhibit_escalations(void); + #if defined(__cplusplus) || defined(c_plusplus) } #endif |