On Nov 1, 2008, at 5:15 PM, Tilghman Lesher wrote: > On Saturday 01 November 2008 18:52:41 Alexander Lopez wrote: >> No need to compile "!" out of asterisk source.... >> >> Just put SHELL=/bin/false in your login script.... >> >> The ! command will not work... > > That's not completely true. The only thing that will prevent is the > ability > to get a shell prompt from the command line. The user could still > type > '!' commands and get whatever he wanted. > > However, there are more indirect ways to get anything a user > desires: the > CLI has the ability to create extensions, extensions which could > execute the > System application, pick up his phone, dial the extension, execute the > command, and even cover his tracks by putting NoCDR in the extension > path > and removing the incriminating extension afterwards (again with the > CLI). In > 1.4, it's even easier: he can originate a call from the command > line, perhaps > even to a phone of a person he wanted to take the fall for his > exploit. > > So you can see, removing the '!' command can be done, but it will > lead to a > very false sense of security. It will stop only the extremely > casual user, > one who was unlikely to have been very much a threat in the first > place. > > -- > Tilghman
Alex - There is also an enhancement to Asterisk that is seeing some work which will allow CLI permissions applied to each command - Eliel Sardanons is the most active (only?) developer on this code. This will be undoubtedly some time before completion and inclusion into TRUNK, but perhaps you might be interested in helping with the debugging/development of that branch: http://svn.digium.com/view/asterisk/team/eliel/cli-permissions/ Example config file: http://svn.digium.com/view/asterisk/team/eliel/cli-permissions/configs/cli_permissions.conf.sample?revision=151904&view=markup JT --- John Todd [EMAIL PROTECTED] +1-256-428-6083 Asterisk Open Source Community Director _______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
