From 033bffd32fcff44d94292c31108722d1a03c0714 Mon Sep 17 00:00:00 2001
From: "Eliel C. Sardanons"
Date: Mon, 1 Dec 2008 18:52:14 +0000
Subject: Introduce CLI permissions. Based on cli_permissions.conf configuration file, we are able to permit or deny cli commands based on some patterns and the local user and group running rasterisk. (Sorry if I missed some of the testers).
Reviewboard: http://reviewboard.digium.com/r/11/
(closes issue #11123)
Reported by: eliel
Tested by: eliel, IgorG, Laureano, otherwiseguy, mvanbaak
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@160062 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 include/asterisk/_private.h | 1 +
 include/asterisk/autoconfig.h.in | 3 +++
 include/asterisk/cli.h | 22 +++++++++++++++++++---
 3 files changed, 23 insertions(+), 3 deletions(-)
(limited to 'include/asterisk')
diff --git a/include/asterisk/_private.h b/include/asterisk/_private.h
index 83ae166de..98857025c 100644
--- a/include/asterisk/_private.h
+++ b/include/asterisk/_private.h
@@ -24,6 +24,7 @@ int ast_term_init(void); /*!< Provided by term.c */
 int astdb_init(void); /*!< Provided by db.c */
 void ast_channels_init(void); /*!< Provided by channel.c */
 void ast_builtins_init(void); /*!< Provided by cli.c */
+int ast_cli_perms_init(int reload); /*!< Provided by cli.c */
 int dnsmgr_init(void); /*!< Provided by dnsmgr.c */
 void dnsmgr_start_refresh(void); /*!< Provided by dnsmgr.c */
 int dnsmgr_reload(void); /*!< Provided by dnsmgr.c */
diff --git a/include/asterisk/autoconfig.h.in b/include/asterisk/autoconfig.h.in
index d6b3f8971..c058291df 100644
--- a/include/asterisk/autoconfig.h.in
+++ b/include/asterisk/autoconfig.h.in
@@ -322,6 +322,9 @@
 /* Define to 1 if you have the `getpagesize' function. */
 #undef HAVE_GETPAGESIZE
+/* Define to 1 if you have the `getpeereid' function. */
+#undef HAVE_GETPEEREID
+
 /* Define to 1 if you have the `gettimeofday' function. */
 #undef HAVE_GETTIMEOFDAY
diff --git a/include/asterisk/cli.h b/include/asterisk/cli.h
index 535b4e6af..a02764dfa 100644
--- a/include/asterisk/cli.h
+++ b/include/asterisk/cli.h
@@ -32,6 +32,10 @@ extern "C" {
 void ast_cli(int fd, const char *fmt, ...) __attribute__((format(printf, 2, 3)));
+/* dont check permissions while passing this option as a 'uid'
+ * to the cli_has_permissions() function. */
+#define CLI_NO_PERMS -1
+
 #define RESULT_SUCCESS 0
 #define RESULT_SHOWUSAGE 1
 #define RESULT_FAILURE 2
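Review bot: `CLI_NO_PERMS` is defined as a bare `-1`, and its comment names only the 'uid' argument although the doc comments added later in this file pass it as the gid too. I would write `#define CLI_NO_PERMS (-1)` so the constant stays a single operand wherever it is substituted, and reword the comment to `/*! \brief Pass as uid and/or gid to skip the permission check for that id. */`. Since this value switches an access check off, the comment should also say it is meant for internal callers only; cli_has_permissions() itself is not part of this diff.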
@@ -191,23 +195,35 @@ char *ast_cli_complete(const char *word, char *const choices[], int pos);
 /*!
 * \brief Interprets a command
- * Interpret a command s, sending output to fd
+ * Interpret a command s, sending output to fd if uid:gid has permissions
+ * to run this command. uid = CLI_NO_PERMS to avoid checking user permissions
+ * gid = CLI_NO_PERMS to avoid checking group permissions.
+ * \param uid User ID that is trying to run the command.
+ * \param gid Group ID that is trying to run the command.
 * \param fd pipe
 * \param s incoming string
 * \retval 0 on success
 * \retval -1 on failure
 */
-int ast_cli_command(int fd, const char *s);
+int ast_cli_command_full(int uid, int gid, int fd, const char *s);
+
+#define ast_cli_command(fd,s) ast_cli_command_full(CLI_NO_PERMS, CLI_NO_PERMS, fd, s)
 /*!
 * \brief Executes multiple CLI commands
 * Interpret strings separated by NULL and execute each one, sending output to fd
+ * if uid has permissions, uid = CLI_NO_PERMS to avoid checking users permissions.
+ * gid = CLI_NO_PERMS to avoid checking group permissions.
+ * \param uid User ID that is trying to run the command.
+ * \param gid Group ID that is trying to run the command.
 * \param fd pipe
 * \param size is the total size of the string
 * \param s incoming string
 * \retval number of commands executed
 */
-int ast_cli_command_multiple(int fd, size_t size, const char *s);
+int ast_cli_command_multiple_full(int uid, int gid, int fd, size_t size, const char *s);
+
+#define ast_cli_command_multiple(fd,size,s) ast_cli_command_multiple_full(CLI_NO_PERMS, CLI_NO_PERMS, fd, size, s)
 /*! \brief Registers a command or an array of commands
 * \param e which cli entry to register.
-- cgit v1.2.3
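Review bot: The compatibility macros `ast_cli_command(fd,s)` and `ast_cli_command_multiple(fd,size,s)` pass `CLI_NO_PERMS` for both ids, so every existing caller keeps running commands with no permission check until it is converted by hand, and the doc comments do not say so. I would add `\note ast_cli_command() performs no permission check; code that runs commands for a remote console must call ast_cli_command_full() with the peer's uid and gid.` to the first comment and the matching note to the second. The ids are declared `int` while the bypass sentinel is `-1`: if the caller obtains them as `uid_t`/`gid_t` (presumably through getpeereid, given the new HAVE_GETPEEREID; that caller is outside this diff), a failed lookup that leaves `-1` behind, or an id of `(uid_t)-1`, becomes `CLI_NO_PERMS` and would skip the check, so a failed lookup should be treated as deny. The `\retval` lines also leave open what is returned when permission is denied; `\retval -1 on failure or when uid/gid is not permitted to run the command` would settle it if that matches the implementation.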