Olivier
2018-Aug-14 14:41 UTC
[asterisk-users] Is there a way to remove launching shell command from Asterisk CLI
Hello,

Is there a way to let someone access the Asterisk CLI and type whatever command (s)he likes but the shell commands (the ones started by !)?

Ideally, it could be an argument to rasterisk:

    rasterisk --no-shell

When done, a session could be like this:

    > pjsip show endpoints
    ...
    > core reload
    ...
    > !rm /etc/foobar
    Forbidden

Suggestions?

Best regards
John Kiniston
2018-Aug-14 17:50 UTC
[asterisk-users] Is there a way to remove launching shell command from Asterisk CLI
I use sudo to limit this.

    Cmnd_Alias CAPTAGENT = /sbin/service captagent stop, /sbin/service captagent start, /sbin/service captagent restart
    Cmnd_Alias ASTERISK = /sbin/service asterisk stop, /sbin/service asterisk start, /sbin/service asterisk restart, /usr/sbin/rasterisk, /usr/sbin/asterisk, /usr/sbin/tcpdump
    Cmnd_Alias EDITORS = /bin/nano /etc/asterisk/[A-z]*, /usr/bin/vim /etc/asterisk/[A-z]*

    # NOEXEC applies to every alias that follows it on this line
    %pbxadmin ALL = (root) NOEXEC: EDITORS, ASTERISK, CAPTAGENT

This prevents my admin users from being able to spawn a shell or subprocess from vim, nano, and the asterisk console.

--
A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.
---Heinlein
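Added example, not part of the original thread and not code from sudo or Asterisk: a small shell lint for a sudoers fragment built around NOEXEC like the one above. It flags a rule with no NOEXEC tag, an alias entry whose command is not under a binary directory (what a comma between an editor and its path argument produces), and an editor listed with no file restriction. The sample fragment, the %pbxops group and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample (not from a real host): a comma after /bin/nano
# and a second rule that lacks the NOEXEC tag.
SAMPLE='Cmnd_Alias ASTERISK = /usr/sbin/rasterisk, \
    /usr/sbin/asterisk
Cmnd_Alias EDITORS = /bin/nano, /etc/asterisk/[A-z]*, /usr/bin/vim /etc/asterisk/[A-z]*
%pbxadmin ALL = (root) NOEXEC: EDITORS, ASTERISK
%pbxops ALL = (root) ASTERISK'

# lint_sudoers: read sudoers text on stdin, print one finding per line.
lint_sudoers() {
  awk '
    # Join lines continued with a trailing backslash.
    { line = line $0 }
    line ~ /\\$/ { sub(/\\$/, " ", line); next }
    { $0 = line; line = "" }

    /^Cmnd_Alias/ {
      name = $2
      spec = $0; sub(/^[^=]*=[ \t]*/, "", spec)
      n = split(spec, items, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        split(items[i], w, /[ \t]+/)
        cmd = w[1]
        # Each comma-separated entry is a command root may run.
        if (cmd !~ /^\/(usr\/)?s?bin\//)
          print "NOT_A_BINARY " name " " cmd
        # An editor with no argument pattern may open any file as root.
        else if (cmd ~ /\/(nano|vim?)$/ && w[2] == "")
          print "EDITOR_ANY_FILE " name " " cmd
      }
      next
    }
    /^(Defaults|[A-Za-z]+_Alias)/ { next }
    # Coarse check: a user or group rule that never mentions NOEXEC.
    /^[%A-Za-z]/ && /=/ && !/NOEXEC:/ { print "NO_NOEXEC " $1 }
  '
}

printf "%s\n" "$SAMPLE" | lint_sudoers
```

Syntax is a separate check (`visudo -cf <file>`); this lint only looks at the shape of the policy.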
Olivier
2018-Aug-16 07:27 UTC
[asterisk-users] Is there a way to remove launching shell command from Asterisk CLI
Yes: I never thought of using sudo to also forbid access to some apps. Using it for that is very smart!

Thank you for sharing it here. I'll experiment with this and report my findings here.

Thanks again