From 744556c01d6e28d4ae46c347f77edfb71778d924 Mon Sep 17 00:00:00 2001 From: "David M. Lee" Date: Mon, 16 Dec 2013 19:11:51 +0000 Subject: security: Inhibit execution of privilege escalating functions This patch allows individual dialplan functions to be marked as 'dangerous', to inhibit their execution from external sources. A 'dangerous' function is one which results in a privilege escalation. For example, if one were to read the channel variable SHELL(rm -rf /) Bad Things(TM) could happen; even if the external source has only read permissions. Execution from external sources may be enabled by setting 'live_dangerously' to 'yes' in the [options] section of asterisk.conf. Although doing so is not recommended. Also, the ABI was changed to something more reasonable, since Asterisk 12 does not yet have a public release. (closes issue ASTERISK-22905) Review: http://reviewboard.digium.internal/r/432/ ........ Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 403917 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 403959 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403960 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- configs/asterisk.conf.sample | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'configs') diff --git a/configs/asterisk.conf.sample b/configs/asterisk.conf.sample index 404ea30de..f7cda268f 100644 --- a/configs/asterisk.conf.sample +++ b/configs/asterisk.conf.sample 
@@ -83,6 +83,12 @@ documentation_language = en_US ; Set the language you want documentation ; gosub - Invoke the stdexten using a gosub as ; documented in extensions.conf.sample. ; Default gosub. +;live_dangerously = no ; Enable the execution of 'dangerous' dialplan + ; functions from external sources (AMI, + ; etc.) These functions (such as SHELL) are + ; considered dangerous because they can allow + ; privilege escalation. + ; Default yes, for backward compatability. ; Changing the following lines may compromise your security. ;[files] -- cgit v1.2.3
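Review bot: the documented default for the new `live_dangerously` key is inconsistent within the hunk and with the commit message. The commented-out sample line reads `;live_dangerously = no`, and the message says execution from external sources "may be enabled by setting 'live_dangerously' to 'yes'", which both read as "disabled by default", yet the last added comment line states `; Default yes, for backward compatability.` A commented-out value in a sample file is normally taken to be the default, so please state one default that matches the code's actual behaviour (either change the sample value to `yes` or change the trailing comment to `; Default no.`), and fix the spelling to "compatibility". Since this is a security-relevant knob, it would also read better placed after the existing `; Changing the following lines may compromise your security.` warning rather than just before it.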