Move Originate to a separate privilege and require the additional System privilege...

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@104039 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/CHANGES b/CHANGES
index d9059c8..21ea3c2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -48,6 +48,9 @@ AMI - The manager (TCP/TLS/HTTP)
   * Updated action newcat to allow new category to be inserted in file above another
     existing category.
   * Added new event "JitterBufStats" in the IAX2 channel
   * Updated action newcat to allow new category to be inserted in file above another
     existing category.
   * Added new event "JitterBufStats" in the IAX2 channel

+  * Originate now requires the Originate privilege and, if you want to call out
+    to a subshell, it requires the System privilege, as well.  This was done to
+    enhance manager security.

 
 Dialplan functions
 ------------------
 
 Dialplan functions
 ------------------

diff --git a/UPGRADE.txt b/UPGRADE.txt
index 46ab23d..588bccc 100644 (file)
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@@ -178,3 +178,6 @@ Manager:
    change your manager.conf to add the level to existing AMI users, if they
    want to see the CDR events generated.
 
    change your manager.conf to add the level to existing AMI users, if they
    want to see the CDR events generated.
 

+* The Originate command now requires the Originate write permission.  For
+   Originate with the Application parameter, you need the additional System
+   privilege if you want to do anything that calls out to a subshell.

diff --git a/doc/manager_1_1.txt b/doc/manager_1_1.txt
index b2a0ba0..2708b37 100644 (file)
--- a/doc/manager_1_1.txt
+++ b/doc/manager_1_1.txt
@@ -114,6 +114,11 @@ Changes to manager version 1.1:
        Added new headers for SayEnvelope, SayCID, AttachMessage, CanReview
         and CallOperator voicemail configuration settings.
 
        Added new headers for SayEnvelope, SayCID, AttachMessage, CanReview
         and CallOperator voicemail configuration settings.
 

+- Action Originate
+       Now requires the new Originate privilege.
+       If you call out to a subshell in Originate with the Application parameter,
+               you now also need the System privilege.
+

 * NEW ACTIONS
 -------------
 - Action: ModuleLoad
 * NEW ACTIONS
 -------------
 - Action: ModuleLoad

diff --git a/include/asterisk/manager.h b/include/asterisk/manager.h
index 327f674..45f2b51 100644 (file)
--- a/include/asterisk/manager.h
+++ b/include/asterisk/manager.h
@@ -69,6 +69,7 @@
 #define EVENT_FLAG_REPORTING           (1 << 9) /* Reporting events such as rtcp sent */
 #define EVENT_FLAG_CDR                 (1 << 10) /* CDR events */
 #define EVENT_FLAG_DIALPLAN            (1 << 11) /* Dialplan events (VarSet, NewExten) */
 #define EVENT_FLAG_REPORTING           (1 << 9) /* Reporting events such as rtcp sent */
 #define EVENT_FLAG_CDR                 (1 << 10) /* CDR events */
 #define EVENT_FLAG_DIALPLAN            (1 << 11) /* Dialplan events (VarSet, NewExten) */

+#define EVENT_FLAG_ORIGINATE   (1 << 12) /* Originate a call to an extension */

 /*@} */
 
 /*! \brief Export manager structures */
 /*@} */
 
 /*! \brief Export manager structures */

diff --git a/main/manager.c b/main/manager.c
index d4ba834..da44577 100644 (file)
--- a/main/manager.c
+++ b/main/manager.c
@@ -328,6 +328,7 @@ static struct permalias {
        { EVENT_FLAG_REPORTING, "reporting" },
        { EVENT_FLAG_CDR, "cdr" },
        { EVENT_FLAG_DIALPLAN, "dialplan" },
        { EVENT_FLAG_REPORTING, "reporting" },
        { EVENT_FLAG_CDR, "cdr" },
        { EVENT_FLAG_DIALPLAN, "dialplan" },

+       { EVENT_FLAG_ORIGINATE, "originate" },

        { -1, "all" },
        { 0, "none" },
 };
        { -1, "all" },
        { 0, "none" },
 };

@@ -2156,8 +2157,23 @@ static int action_originate(struct mansession *s, const struct message *m)
                        }
                }
        } else if (!ast_strlen_zero(app)) {
                        }
                }
        } else if (!ast_strlen_zero(app)) {

+               /* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
+               if (!(s->writeperm & EVENT_FLAG_SYSTEM)
+                       && (
+                               strcasestr(app, "system") == 0 || /* System(rm -rf /)
+                                                                    TrySystem(rm -rf /)       */
+                               strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
+                                                                    TryExec(System(rm -rf /)) */
+                               strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+                                                                    EAGI(/bin/rm,-rf /)       */
+                               strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+                               strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+                               )) {
+                       astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+                       return 0;
+               }

                res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
                res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);

-       } else {
+       } else {

                if (exten && context && pi)
                        res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL);
                else {
                if (exten && context && pi)
                        res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL);
                else {

@@ -3641,7 +3657,7 @@ static int __init_manager(int reload)
                ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig);
                ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories);
                ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect );
                ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig);
                ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories);
                ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect );

-               ast_manager_register2("Originate", EVENT_FLAG_CALL, action_originate, "Originate Call", mandescr_originate);
+               ast_manager_register2("Originate", EVENT_FLAG_ORIGINATE, action_originate, "Originate Call", mandescr_originate);

                ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command );
                ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate );
                ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout );
                ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command );
                ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate );
                ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout );