Discussion:
[asterisk-users] giving a user asterisk CLI access: how bad could it get
fadey
2008-10-31 10:11:08 UTC
Permalink
Hi, everyone

I'm investigating if I could give asterisk CLI access to one of our
clients.
If I add that user to asterisk group and set his shell
to /usr/sbin/rasterisk, is there a possibility for a user to brake our
of asterisk CLI to normal shell?

Thanks in advance
Julien Claassen
2008-10-31 10:16:58 UTC
Permalink
Hi!
I think I saw a command "!", which would escape to a shell. But I'm not
sure. Unfortunitely I can't look it up at the moment, because I compiled my
asterisk for full debug. Just enter your CLI and type <TAB><TAB> at the
prompt. I think I only saw this in the latest SVN.
But your client could do anything with asterisk, even shutting it down.
Kindest regards
Julien

--------
Music was my first love and it will be my last (John Miles)

======== FIND MY WEB-PROJECT AT: ========
http://ltsb.sourceforge.net
the Linux TextBased Studio guide
======= AND MY PERSONAL PAGES AT: =======
http://www.juliencoder.de
Tzafrir Cohen
2008-10-31 11:28:02 UTC
Permalink
Post by fadey
Hi, everyone
I'm investigating if I could give asterisk CLI access to one of our
clients.
If I add that user to asterisk group and set his shell
to /usr/sbin/rasterisk, is there a possibility for a user to brake our
of asterisk CLI to normal shell?
The shell is something that should be run at login time. Asterisk is not
such a program. It will not be run directly anyway. Set the shell to
either /bin/sh (/bin/bash , /bin/dash , whatever) if you want to allow
that user to login, or to /bin/false if you don't .
--
Tzafrir Cohen
icq#16849755 jabber:***@xorcom.com
+972-50-7952406 mailto:***@xorcom.com
http://www.xorcom.com iax:***@local.xorcom.com/tzafrir
Dima
2008-10-31 23:38:52 UTC
Permalink
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
Post by Tzafrir Cohen
Post by fadey
Hi, everyone
I'm investigating if I could give asterisk CLI access to one of our
clients.
If I add that user to asterisk group and set his shell
to /usr/sbin/rasterisk, is there a possibility for a user to brake our
of asterisk CLI to normal shell?
The shell is something that should be run at login time. Asterisk is not
such a program. It will not be run directly anyway. Set the shell to
either /bin/sh (/bin/bash , /bin/dash , whatever) if you want to allow
that user to login, or to /bin/false if you don't .
Tzafrir Cohen
2008-10-31 23:49:07 UTC
Permalink
Post by Dima
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
How does that user "login"?
--
Tzafrir Cohen
icq#16849755 jabber:***@xorcom.com
+972-50-7952406 mailto:***@xorcom.com
http://www.xorcom.com iax:***@local.xorcom.com/tzafrir
Jeff LaCoursiere
2008-11-01 01:52:16 UTC
Permalink
I think everyone is missing the point of the question. He wants to know
if the user's shell is set to rasterisk, can they then use the CLI to get
a command shell.

The answer is "yes, they can", and in that case it may not be such a
good idea. As someone else suggested, you can run a shell with "!". I
imagine this could be compiled out of the CLI if you were so inclined.

j
Post by Tzafrir Cohen
Post by Dima
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
How does that user "login"?
--
Tzafrir Cohen
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
*** Handled by Will's new toy ***
Alexander Lopez
2008-11-01 23:52:41 UTC
Permalink
No need to compile "!" out of asterisk source....

Just put SHELL=/bin/false in your login script....

The ! command will not work...

Alex


 Kindly consider the environment before printing this e-mail.
-----Original Message-----
Sent: Friday, October 31, 2008 9:52 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] giving a user asterisk CLI access: how bad
could it get
I think everyone is missing the point of the question. He wants to know
if the user's shell is set to rasterisk, can they then use the CLI to get
a command shell.
The answer is "yes, they can", and in that case it may not be such a
good idea. As someone else suggested, you can run a shell with "!". I
imagine this could be compiled out of the CLI if you were so inclined.
j
Post by Tzafrir Cohen
Post by Dima
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
How does that user "login"?
--
Tzafrir Cohen
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
*** Handled by Will's new toy ***
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-
Tilghman Lesher
2008-11-02 00:15:02 UTC
Permalink
Post by Alexander Lopez
No need to compile "!" out of asterisk source....
Just put SHELL=/bin/false in your login script....
The ! command will not work...
That's not completely true. The only thing that will prevent is the ability
to get a shell prompt from the command line. The user could still type
'!' commands and get whatever he wanted.

However, there are more indirect ways to get anything a user desires: the
CLI has the ability to create extensions, extensions which could execute the
System application, pick up his phone, dial the extension, execute the
command, and even cover his tracks by putting NoCDR in the extension path
and removing the incriminating extension afterwards (again with the CLI). In
1.4, it's even easier: he can originate a call from the command line, perhaps
even to a phone of a person he wanted to take the fall for his exploit.

So you can see, removing the '!' command can be done, but it will lead to a
very false sense of security. It will stop only the extremely casual user,
one who was unlikely to have been very much a threat in the first place.
--
Tilghman
John Todd
2008-11-03 17:23:32 UTC
Permalink
Post by Tilghman Lesher
Post by Alexander Lopez
No need to compile "!" out of asterisk source....
Just put SHELL=/bin/false in your login script....
The ! command will not work...
That's not completely true. The only thing that will prevent is the ability
to get a shell prompt from the command line. The user could still type
'!' commands and get whatever he wanted.
However, there are more indirect ways to get anything a user
desires: the
CLI has the ability to create extensions, extensions which could execute the
System application, pick up his phone, dial the extension, execute the
command, and even cover his tracks by putting NoCDR in the extension path
and removing the incriminating extension afterwards (again with the CLI). In
1.4, it's even easier: he can originate a call from the command line, perhaps
even to a phone of a person he wanted to take the fall for his
exploit.
So you can see, removing the '!' command can be done, but it will lead to a
very false sense of security. It will stop only the extremely
casual user,
one who was unlikely to have been very much a threat in the first place.
--
Tilghman
Alex -
There is also an enhancement to Asterisk that is seeing some work
which will allow CLI permissions applied to each command - Eliel
Sardanons is the most active (only?) developer on this code. This
will be undoubtedly some time before completion and inclusion into
TRUNK, but perhaps you might be interested in helping with the
debugging/development of that branch:

http://svn.digium.com/view/asterisk/team/eliel/cli-permissions/

Example config file:

http://svn.digium.com/view/asterisk/team/eliel/cli-permissions/configs/cli_permissions.conf.sample?revision=151904&view=markup

JT

---
John Todd
***@digium.com +1-256-428-6083
Asterisk Open Source Community Director
Dima
2008-11-04 16:14:16 UTC
Permalink
Post by Tzafrir Cohen
Post by Dima
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
How does that user "login"?
client$ ssh ***@asterisk.machine
password:

Asterisk SVN-branch-1.4-r137138, Copyright (C) 1999 - 2008 Digium, Inc.
and others.
.......
Verbosity is at least 9
asterisk.machine*CLI>
Post by Tzafrir Cohen
CLI has the ability to create extensions, extensions which could execute the
System application, pick up his phone, dial the extension, execute the
command, and even cover his tracks by putting NoCDR in the extension path
and removing the incriminating extension afterwards (again with the CLI). In
1.4, it's even easier: he can originate a call from the command line, perhaps
even to a phone of a person he wanted to take the fall for his exploit.
The person I'm giving the access to is an admin of that asterisk. It's
up to him to do evil stuff with asterisk itself. as long as he can't get
a shell and do "rm -rf /" I'm safe.
Ruddy Gbaguidi
2008-11-04 21:52:10 UTC
Permalink
Did you know that any commandyou type in asterisk cli starting with
exclamation point (!) is execute in the shell by asterisk ??
Example :
running
!ls
will run 'ls' in your current directory

So, be aware because your user can do whatever we want then.
Post by Dima
Post by Tzafrir Cohen
Post by Dima
Setting the user's shell to /usr/sbin/rasterisk works. On login user
gets into asterisk CLI if asterisk is running (user just has to have
write permission to /var/lib/asterisk.*).
How does that user "login"?
Asterisk SVN-branch-1.4-r137138, Copyright (C) 1999 - 2008 Digium, Inc.
and others.
.......
Verbosity is at least 9
asterisk.machine*CLI>
Post by Tzafrir Cohen
CLI has the ability to create extensions, extensions which could execute the
System application, pick up his phone, dial the extension, execute the
command, and even cover his tracks by putting NoCDR in the extension path
and removing the incriminating extension afterwards (again with the CLI). In
1.4, it's even easier: he can originate a call from the command line, perhaps
even to a phone of a person he wanted to take the fall for his exploit.
The person I'm giving the access to is an admin of that asterisk. It's
up to him to do evil stuff with asterisk itself. as long as he can't get
a shell and do "rm -rf /" I'm safe.
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
------------------------------------------------------------------------
Internal Virus Database is out of date.
Checked by AVG.
Version: 8.0.100 / Virus Database: 269.23.16/1448 - Release Date: 5/16/2008 7:42 PM
Tilghman Lesher
2008-11-04 22:31:58 UTC
Permalink
Post by Ruddy Gbaguidi
Did you know that any commandyou type in asterisk cli starting with
exclamation point (!) is execute in the shell by asterisk ??
running
!ls
will run 'ls' in your current directory
So, be aware because your user can do whatever we want then.
Yes, but remote commands are executed as whatever user is running the
remote command, which is NOT necessarily the same as root. You can open
up the permissions of the asterisk.ctl pipe file to allow another group to
connect.

That, however, still leaves the indirect method of executing commands, which
are still executed by the Asterisk process itself.
--
Tilghman
Tzafrir Cohen
2008-11-05 04:24:33 UTC
Permalink
Post by Tilghman Lesher
Post by Ruddy Gbaguidi
Did you know that any commandyou type in asterisk cli starting with
exclamation point (!) is execute in the shell by asterisk ??
running
!ls
will run 'ls' in your current directory
So, be aware because your user can do whatever we want then.
Yes, but remote commands are executed as whatever user is running the
remote command, which is NOT necessarily the same as root. You can open
up the permissions of the asterisk.ctl pipe file to allow another group to
connect.
'!' is not a remote command. If you login as asteriskcli and asterisk is
running as the user asteriskd, '!ls' and '!rm whatever' will be executed
through /bin/sh by the user asteriskcli . Anything you can cause
Asterisk to run through the dialplan, originate and such would be run by
asteriskd.

So it doesn't buy you much vs. creating a standard user account.
--
Tzafrir Cohen
icq#16849755 jabber:***@xorcom.com
+972-50-7952406 mailto:***@xorcom.com
http://www.xorcom.com iax:***@local.xorcom.com/tzafrir
Jeff LaCoursiere
2008-11-04 22:02:40 UTC
Permalink
Post by Dima
The person I'm giving the access to is an admin of that asterisk. It's
up to him to do evil stuff with asterisk itself. as long as he can't get
a shell and do "rm -rf /" I'm safe.
Hmm, I wonder if you could run asterisk in a jail? Anyone done that on
FreeBSD for example? That would solve your issues I think. It would
certainly be difficult for your admin to "admin" asterisk without the CLI.
Depending on your flavor of GUI it may be difficult for him to admin
asterisk with shell access.

Without a jail, however, if you give him CLI access you are basically
giving him the machine, which seems to be the general consensus.

Has anyone ever tried to compile "!" out of the CLI?

j
Tilghman Lesher
2008-11-04 22:35:28 UTC
Permalink
Post by Jeff LaCoursiere
Post by Dima
The person I'm giving the access to is an admin of that asterisk. It's
up to him to do evil stuff with asterisk itself. as long as he can't get
a shell and do "rm -rf /" I'm safe.
Hmm, I wonder if you could run asterisk in a jail? Anyone done that on
FreeBSD for example? That would solve your issues I think. It would
certainly be difficult for your admin to "admin" asterisk without the CLI.
Depending on your flavor of GUI it may be difficult for him to admin
asterisk with shell access.
Without a jail, however, if you give him CLI access you are basically
giving him the machine, which seems to be the general consensus.
Even with a jail, you are giving a user complete control of the capabilities
of the user that Asterisk is running as. Period. There is no way around
this. If Asterisk is running as root, then giving CLI access is the same as
giving complete control of your machine over to anybody with CLI access.
Post by Jeff LaCoursiere
Has anyone ever tried to compile "!" out of the CLI?
As I stated before, this does not improve your security one iota.
--
Tilghman
Tzafrir Cohen
2008-11-05 04:19:46 UTC
Permalink
Post by Jeff LaCoursiere
Hmm, I wonder if you could run asterisk in a jail? Anyone done that on
FreeBSD for example? That would solve your issues I think. It would
certainly be difficult for your admin to "admin" asterisk without the CLI.
Depending on your flavor of GUI it may be difficult for him to admin
asterisk with shell access.
I don't think Asterisk is a good candidate for chrooting. It re-reads
the config files in /etc on each reload. It will occasionally rotates
logs in /var/log/asterisk . Just to mention a few.
--
Tzafrir Cohen
icq#16849755 jabber:***@xorcom.com
+972-50-7952406 mailto:***@xorcom.com
http://www.xorcom.com iax:***@local.xorcom.com/tzafrir
Jeff LaCoursiere
2008-11-05 12:37:09 UTC
Permalink
Post by Tzafrir Cohen
Post by Jeff LaCoursiere
Hmm, I wonder if you could run asterisk in a jail? Anyone done that on
FreeBSD for example? That would solve your issues I think. It would
certainly be difficult for your admin to "admin" asterisk without the CLI.
Depending on your flavor of GUI it may be difficult for him to admin
asterisk with shell access.
I don't think Asterisk is a good candidate for chrooting. It re-reads
the config files in /etc on each reload. It will occasionally rotates
logs in /var/log/asterisk . Just to mention a few.
These are trivial issues that would be part of the jail setup. Things
like access to /proc or filesystem based pipes would worry me more.
FreeBSD provides for some of this - don't know about Linux.

j
Tzafrir Cohen
2008-11-05 13:50:02 UTC
Permalink
Post by Jeff LaCoursiere
Post by Tzafrir Cohen
Post by Jeff LaCoursiere
Hmm, I wonder if you could run asterisk in a jail? Anyone done that on
FreeBSD for example? That would solve your issues I think. It would
certainly be difficult for your admin to "admin" asterisk without the CLI.
Depending on your flavor of GUI it may be difficult for him to admin
asterisk with shell access.
I don't think Asterisk is a good candidate for chrooting. It re-reads
the config files in /etc on each reload. It will occasionally rotates
logs in /var/log/asterisk . Just to mention a few.
Not to mention loading modules dynamically, which also means that all
the dependent libraries need to be included in the relevant chroot
(unless you build Asterisk static)
Post by Jeff LaCoursiere
These are trivial issues that would be part of the jail setup. Things
like access to /proc or filesystem based pipes would worry me more.
/var/run/asterisk/asterisk.ctl ?

Though it is only open at startup.
Post by Jeff LaCoursiere
FreeBSD provides for some of this - don't know about Linux.
openvz / linux-vserver are quite similar.
--
Tzafrir Cohen
icq#16849755 jabber:***@xorcom.com
+972-50-7952406 mailto:***@xorcom.com
http://www.xorcom.com iax:***@local.xorcom.com/tzafrir
Loading...