asterisk CLI permissions

Kilian Krause kilian at debian.org
Sat Sep 12 17:02:47 UTC 2009


Hi Tzafrir,

On Fri, Sep 11, 2009 at 11:44:41PM +0300, Tzafrir Cohen wrote:
> One of the new features in Asterisk 1.6.2 is CLI permissions. That is:
> Asterisk checks the ID of a process that connects to the asterisk.ctl
> socket and may allow it only a subset of the commands.
> 
> The default /etc/asterisk/cli_permissions.conf has default_perm=permit.
> This preserves older behaviour: all users are able to run all commands
> and access control is done only through the file permissions on
> asterisk.ctl.
> 
> IIRC this is also the case if /etc/asterisk/cli_permissions.conf does
> not exist (which may happen on an upgrade or merely starting a
> configuration from scratch).
> 
> At first glance I thought that it would be nice to grant all users of
> group 'asterisk' write permission to asterisk.ctl. But then I
> remembered that those users are likely to also have write permission to
> cli_permissions.conf itself.
> 
> Any other thoughts regarding a useful default?


The sensible Debian default would be to not allow anything unless the
sysadmin allows it. Thus we may be inclined to drop a note to the sysadmin
who may be a useful set of users (like group asteriskuser) that is not
necessarily asterisk-admin (as in your asterisk group example above).
Whether or not we should already add this group I'm not so sure as I'm not
really aware of how many asterisk installations use the CLI rather than AGI
scripts which are the more scalable and flexible alternative. 

The upgrade path may possibly be to use interactive debconf prompting or to
not touch it at all (with a somewhat verbatim display in the postinst
scripts) - yet for any new installation we should shut this down due to
obvious security impact which was obviously fixed with the new behaviour.

-- 
Best regards,
Kilian
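
The two concerns raised in this thread (a permissive or missing cli_permissions.conf, and a config file writable by the very users it is meant to restrict) can be checked with a short audit. This is an added example, not code from either poster or from the Asterisk or Debian packaging; the `[general]` section name and the `deny` value are assumed from the stock sample file, and the finding labels and demo files are constructed.

```python
import os
import stat
import tempfile

def effective_default_perm(conf_text):
    """Return default_perm from the [general] section, or None if it is unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "general" and "=" in line:
            key, val = (p.strip().lower() for p in line.split("=", 1))
            if key == "default_perm":
                value = val
    return value

def audit(conf_path, ctl_path):
    """Return a list of finding labels (hypothetical names) for one installation."""
    findings = []
    if not os.path.exists(conf_path):
        findings.append("conf-missing")          # thread: behaves like permit (IIRC)
    else:
        with open(conf_path) as fh:
            if effective_default_perm(fh.read()) != "deny":
                findings.append("default-not-deny")
        # Group/other write access lets restricted users edit their own limits.
        if os.stat(conf_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("conf-writable-by-non-owner")
    if os.path.exists(ctl_path) and os.stat(ctl_path).st_mode & stat.S_IWOTH:
        findings.append("ctl-world-writable")
    return findings

def demo():
    """Audit constructed files: missing conf, permissive conf, locked-down conf."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "cli_permissions.conf")
        ctl = os.path.join(d, "asterisk.ctl")
        open(ctl, "w").close()                   # regular file standing in for the socket
        os.chmod(ctl, 0o660)
        results = [audit(conf, ctl)]
        for text, mode in (("[general]\ndefault_perm=permit ; stock\n", 0o664),
                           ("[general]\ndefault_perm = deny\n", 0o640)):
            with open(conf, "w") as fh:
                fh.write(text)
            os.chmod(conf, mode)
            results.append(audit(conf, ctl))
    return results

if __name__ == "__main__":
    print(demo())
```
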