Index: README-SERIOUSLY.bestpractices.txt
===================================================================
--- README-SERIOUSLY.bestpractices.txt (revision 403913)
+++ README-SERIOUSLY.bestpractices.txt (revision 403914)
@@ -26,6 +26,9 @@
* Manager Class Authorizations:
Recognizing potential issues with certain classes of authorization
+* Avoid Privilege Escalations:
+ Disable the ability to execute functions that may escalate privileges
+
----------------
Additional Links
----------------
@@ -344,3 +347,24 @@
not running Asterisk as root, can prevent serious problems from arising when
allowing external connections to originate calls into Asterisk.
+===========================
+Avoid Privilege Escalations
+===========================
+
+External control protocols, such as Manager, often have the ability to get and
+set channel variables; which allows the execution of dialplan functions.
+
+Dialplan functions within Asterisk are incredibly powerful, which is wonderful
+for building applications using Asterisk. But during the read or write
+execution, certain diaplan functions do much more. For example, reading the
+SHELL() function can execute arbitrary commands on the system Asterisk is
+running on. Writing to the FILE() function can change any file that Asterisk has
+write access to.
+
+When these functions are executed from an external protocol, that execution
+could result in a privilege escalation. Asterisk can inhibit the execution of
+these functions, if live_dangerously in the [options] section of asterisk.conf
+is set to no.
+
+For backwards compatibility, live_dangerously defaults to yes, and must be
+explicitly set to no to enable this privilege escalation protection.
Index: UPGRADE.txt
===================================================================
--- UPGRADE.txt (revision 403913)
+++ UPGRADE.txt (revision 403914)
@@ -18,6 +18,15 @@
===
===========================================================
+from 1.8.15-cert3 to 1.8.15-cert4
+* Certain dialplan functions have been marked as 'dangerous', and may only be
+ executed from the dialplan. Execution from extenal sources (AMI's GetVar and
+ SetVar actions; etc.) may be inhibited by setting live_dangerously in the
+ [options] section of asterisk.conf to no. SHELL(), channel locking, and direct
+ file read/write functions are marked as dangerous. DB_DELETE() and
+ REALTIME_DESTROY() are marked as dangerous for reads, but can now safely
+ accept writes (which ignore the provided value).
+
from 1.8.15-cert1 to 1.8.15-cert2
* Added the 'n' option to MeetMe to prevent application of the DENOISE function
to a channel joining a conference. Some channel drivers that vary the number
Index: funcs/func_env.c
===================================================================
--- funcs/func_env.c (revision 403913)
+++ funcs/func_env.c (revision 403914)
@@ -71,6 +71,11 @@
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
@@ -167,6 +172,11 @@
Set(FILE(/tmp/foo.txt,-1,,l)=bar)
; Append "bar" to the file with a newline
Set(FILE(/tmp/foo.txt,,,al)=bar)
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
[FILE_COUNT_LINE]
@@ -197,6 +207,11 @@
Returns the number of lines, or -1 on error.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
[FILE]
@@ -216,6 +231,11 @@
'd' - DOS "\r\n" format
'm' - Macintosh "\r" format
'x' - Cannot be determined
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
[FILE]
@@ -1258,10 +1278,10 @@
int res = 0;
res |= ast_custom_function_register(&env_function);
- res |= ast_custom_function_register(&stat_function);
- res |= ast_custom_function_register(&file_function);
- res |= ast_custom_function_register(&file_count_line_function);
- res |= ast_custom_function_register(&file_format_function);
+ res |= ast_custom_function_register_escalating(&stat_function, AST_CFE_READ);
+ res |= ast_custom_function_register_escalating(&file_function, AST_CFE_BOTH);
+ res |= ast_custom_function_register_escalating(&file_count_line_function, AST_CFE_READ);
+ res |= ast_custom_function_register_escalating(&file_format_function, AST_CFE_READ);
return res;
}
Index: funcs/func_shell.c
===================================================================
--- funcs/func_shell.c (revision 403913)
+++ funcs/func_shell.c (revision 403914)
@@ -94,6 +94,17 @@
platform. Also keep in mind that if you are using a common path, you should
be mindful of race conditions that could result from two calls running
SHELL() simultaneously.
+ Example: Set(foo=${SHELL(echo bar)})
+
+ The command supplied to this function will be executed by the
+ system's shell, typically specified in the SHELL environment variable. There
+ are many different system shells available with somewhat different behaviors,
+ so the output generated by this function may vary between platforms.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
@@ -110,7 +121,7 @@
static int load_module(void)
{
- return ast_custom_function_register(&shell_function);
+ return ast_custom_function_register_escalating(&shell_function, AST_CFE_READ);
}
AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "Returns the output of a shell command");
Index: funcs/func_db.c
===================================================================
--- funcs/func_db.c (revision 403913)
+++ funcs/func_db.c (revision 403914)
@@ -97,6 +97,12 @@
This function will retrieve a value from the Asterisk database
and then remove that key from the database. DB_RESULT
will be set to the key's value if it exists.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be read from the
+ dialplan, and not directly from external protocols. It can, however, be
+ executed as a write operation (DB_DELETE(family, key)=ignored)
+
[DBdel]
@@ -243,10 +249,22 @@
return 0;
}
+/*!
+ * \brief Wrapper to execute DB_DELETE from a write operation. Allows execution
+ * even if live_dangerously is disabled.
+ */
+static int function_db_delete_write(struct ast_channel *chan, const char *cmd, char *parse,
+ const char *value)
+{
+ /* Throwaway to hold the result from the read */
+ char buf[128];
+ return function_db_delete(chan, cmd, parse, buf, sizeof(buf));
+}
static struct ast_custom_function db_delete_function = {
.name = "DB_DELETE",
.read = function_db_delete,
+ .write = function_db_delete_write,
};
static int unload_module(void)
@@ -266,7 +284,7 @@
res |= ast_custom_function_register(&db_function);
res |= ast_custom_function_register(&db_exists_function);
- res |= ast_custom_function_register(&db_delete_function);
+ res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
return res;
}
Index: funcs/func_lock.c
===================================================================
--- funcs/func_lock.c (revision 403913)
+++ funcs/func_lock.c (revision 403914)
@@ -59,6 +59,11 @@
Returns 1 if the lock was obtained or 0 on error.
To avoid the possibility of a deadlock, LOCK will only attempt to
obtain the lock for 3 seconds if the channel already has another lock.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
@@ -72,6 +77,11 @@
Attempts to grab a named lock exclusively, and prevents other channels
from obtaining the same lock. Returns 1 if the lock was
available or 0 otherwise.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
@@ -86,6 +96,11 @@
had a lock or 0 otherwise.
It is generally unnecessary to unlock in a hangup routine, as any locks
held are automatically freed when the channel is destroyed.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be executed from the
+ dialplan, and not directly from external protocols.
+
***/
@@ -502,9 +517,9 @@
static int load_module(void)
{
- int res = ast_custom_function_register(&lock_function);
- res |= ast_custom_function_register(&trylock_function);
- res |= ast_custom_function_register(&unlock_function);
+ int res = ast_custom_function_register_escalating(&lock_function, AST_CFE_READ);
+ res |= ast_custom_function_register_escalating(&trylock_function, AST_CFE_READ);
+ res |= ast_custom_function_register_escalating(&unlock_function, AST_CFE_READ);
if (ast_pthread_create_background(&broker_tid, NULL, lock_broker, NULL)) {
ast_log(LOG_ERROR, "Failed to start lock broker thread. Unloading func_lock module.\n");
Index: funcs/func_realtime.c
===================================================================
--- funcs/func_realtime.c (revision 403913)
+++ funcs/func_realtime.c (revision 403914)
@@ -115,6 +115,12 @@
This function acts in the same way as REALTIME(....) does, except that
it destroys the matched record in the RT engine.
+
+ If live_dangerously in asterisk.conf
+ is set to no, this function can only be read from the
+ dialplan, and not directly from external protocols. It can, however, be
+ executed as a write operation (REALTIME_DESTROY(family, fieldmatch)=ignored)
+
[REALTIME]
@@ -425,18 +431,32 @@
return -1;
}
- resultslen = 0;
- n = 0;
- for (var = head; var; n++, var = var->next)
- resultslen += strlen(var->name) + strlen(var->value);
- /* add space for delimiters and final '\0' */
- resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1;
+ if (len > 0) {
+ resultslen = 0;
+ n = 0;
+ for (var = head; var; n++, var = var->next) {
+ resultslen += strlen(var->name) + strlen(var->value);
+ }
+ /* add space for delimiters and final '\0' */
+ resultslen += n * (strlen(args.delim1) + strlen(args.delim2)) + 1;
- out = ast_str_alloca(resultslen);
- for (var = head; var; var = var->next) {
- ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1);
+ if (resultslen > len) {
+ /* Unfortunately this does mean that we cannot destroy
+ * the row anymore. But OTOH, we're not destroying
+ * someones data without giving him the chance to look
+ * at it. */
+ ast_log(LOG_WARNING, "Failed to fetch/destroy. Realtime data is too large: need %zu, have %zu.\n", resultslen, len);
+ return -1;
+ }
+
+ /* len is going to be sensible, so we don't need to check for
+ * stack overflows here. */
+ out = ast_str_alloca(resultslen);
+ for (var = head; var; var = var->next) {
+ ast_str_append(&out, 0, "%s%s%s%s", var->name, args.delim2, var->value, args.delim1);
+ }
+ ast_copy_string(buf, ast_str_buffer(out), len);
}
- ast_copy_string(buf, ast_str_buffer(out), len);
ast_destroy_realtime(args.family, args.fieldmatch, args.value, SENTINEL);
ast_variables_destroy(head);
@@ -447,6 +467,15 @@
return 0;
}
+/*!
+ * \brief Wrapper to execute REALTIME_DESTROY from a write operation. Allows
+ * execution even if live_dangerously is disabled.
+ */
+static int function_realtime_writedestroy(struct ast_channel *chan, const char *cmd, char *data, const char *value)
+{
+ return function_realtime_readdestroy(chan, cmd, data, NULL, 0);
+}
+
static struct ast_custom_function realtime_function = {
.name = "REALTIME",
.read = function_realtime_read,
@@ -472,6 +501,7 @@
static struct ast_custom_function realtime_destroy_function = {
.name = "REALTIME_DESTROY",
.read = function_realtime_readdestroy,
+ .write = function_realtime_writedestroy,
};
static int unload_module(void)
@@ -490,7 +520,7 @@
int res = 0;
res |= ast_custom_function_register(&realtime_function);
res |= ast_custom_function_register(&realtime_store_function);
- res |= ast_custom_function_register(&realtime_destroy_function);
+ res |= ast_custom_function_register_escalating(&realtime_destroy_function, AST_CFE_READ);
res |= ast_custom_function_register(&realtimefield_function);
res |= ast_custom_function_register(&realtimehash_function);
return res;
Index: include/asterisk/pbx.h
===================================================================
--- include/asterisk/pbx.h (revision 403913)
+++ include/asterisk/pbx.h (revision 403914)
@@ -1181,16 +1181,44 @@
int ast_custom_function_unregister(struct ast_custom_function *acf);
/*!
+ * \brief Description of the ways in which a function may escalate privileges.
+ */
+enum ast_custom_function_escalation {
+ AST_CFE_NONE,
+ AST_CFE_READ,
+ AST_CFE_WRITE,
+ AST_CFE_BOTH,
+};
+
+/*!
* \brief Register a custom function
*/
#define ast_custom_function_register(acf) __ast_custom_function_register(acf, ast_module_info->self)
/*!
+ * \brief Register a custom function which requires escalated privileges.
+ *
+ * Examples would be SHELL() (for which a read needs permission to execute
+ * arbitrary code) or FILE() (for which write needs permission to change files
+ * on the filesystem).
+ */
+#define ast_custom_function_register_escalating(acf, escalation) __ast_custom_function_register_escalating(acf, escalation, ast_module_info->self)
+
+/*!
* \brief Register a custom function
*/
int __ast_custom_function_register(struct ast_custom_function *acf, struct ast_module *mod);
/*!
+ * \brief Register a custom function which requires escalated privileges.
+ *
+ * Examples would be SHELL() (for which a read needs permission to execute
+ * arbitrary code) or FILE() (for which write needs permission to change files
+ * on the filesystem).
+ */
+int __ast_custom_function_register_escalating(struct ast_custom_function *acf, enum ast_custom_function_escalation escalation, struct ast_module *mod);
+
+/*!
* \brief Retrieve the number of active calls
*/
int ast_active_calls(void);
@@ -1303,6 +1331,32 @@
*/
char *ast_complete_applications(const char *line, const char *word, int state);
+/*!
+ * \brief Enable/disable the execution of 'dangerous' functions from external
+ * protocols (AMI, etc.).
+ *
+ * These dialplan functions (such as \c SHELL) provide an opportunity for
+ * privilege escalation. They are okay to invoke from the dialplan, but external
+ * protocols with permission controls should not normally invoke them.
+ *
+ * This function can globally enable/disable the execution of dangerous
+ * functions from external protocols.
+ *
+ * \param new_live_dangerously If true, enable the execution of escalating
+ * functions from external protocols.
+ */
+void pbx_live_dangerously(int new_live_dangerously);
+
+/*!
+ * \brief Inhibit (in the current thread) the execution of dialplan functions
+ * which cause privilege escalations. If pbx_live_dangerously() has been
+ * called, this function has no effect.
+ *
+ * \return 0 if successfuly marked current thread.
+ * \return Non-zero if marking current thread failed.
+ */
+int ast_thread_inhibit_escalations(void);
+
#if defined(__cplusplus) || defined(c_plusplus)
}
#endif
Index: main/asterisk.c
===================================================================
--- main/asterisk.c (revision 403913)
+++ main/asterisk.c (revision 403914)
@@ -2969,6 +2969,8 @@
unsigned int dbdir:1;
unsigned int keydir:1;
} found = { 0, 0 };
+ /* Default to true for backward compatibility */
+ int live_dangerously = 1;
if (ast_opt_override_config) {
cfg = ast_config_load2(ast_config_AST_CONFIG_FILE, "" /* core, can't reload */, config_flags);
@@ -3176,8 +3178,11 @@
ast_set2_flag(&ast_options, ast_true(v->value), AST_OPT_FLAG_HIDE_CONSOLE_CONNECT);
} else if (!strcasecmp(v->name, "lockconfdir")) {
ast_set2_flag(&ast_options, ast_true(v->value), AST_OPT_FLAG_LOCK_CONFIG_DIR);
+ } else if (!strcasecmp(v->name, "live_dangerously")) {
+ live_dangerously = ast_true(v->value);
}
}
+ pbx_live_dangerously(live_dangerously);
for (v = ast_variable_browse(cfg, "compat"); v; v = v->next) {
float version;
if (sscanf(v->value, "%30f", &version) != 1) {
Index: main/pbx.c
===================================================================
--- main/pbx.c (revision 403913)
+++ main/pbx.c (revision 403914)
@@ -822,8 +822,19 @@
AST_THREADSTORAGE(switch_data);
AST_THREADSTORAGE(extensionstate_buf);
+/*!
+ * \brief A thread local indicating whether the current thread can run
+ * 'dangerous' dialplan functions.
+ */
+AST_THREADSTORAGE(thread_inhibit_escalations_tl);
/*!
+ * \brief Set to true (non-zero) to globally allow all dangerous dialplan
+ * functions to run.
+ */
+static int live_dangerously;
+
+/*!
\brief ast_exten: An extension
The dialplan is saved as a linked list with each context
having it's own linked list of extensions - one item per
@@ -1193,6 +1204,19 @@
static AST_RWLIST_HEAD_STATIC(acf_root, ast_custom_function);
+/*!
+ * \brief Extra information for an \ref ast_custom_function holding privilege
+ * escalation information. Kept in a separate structure for ABI compatibility.
+ */
+struct ast_custom_escalating_function {
+ AST_RWLIST_ENTRY(ast_custom_escalating_function) list;
+ const struct ast_custom_function *acf;
+ unsigned int read_escalates:1;
+ unsigned int write_escalates:1;
+};
+
+static AST_RWLIST_HEAD_STATIC(escalation_root, ast_custom_escalating_function);
+
/*! \brief Declaration of builtin applications */
static struct pbx_builtin {
char name[AST_MAX_APP];
@@ -3543,6 +3567,7 @@
int ast_custom_function_unregister(struct ast_custom_function *acf)
{
struct ast_custom_function *cur;
+ struct ast_custom_escalating_function *cur_escalation;
if (!acf) {
return -1;
@@ -3559,9 +3584,64 @@
}
AST_RWLIST_UNLOCK(&acf_root);
+ /* Remove from the escalation list */
+ AST_RWLIST_WRLOCK(&escalation_root);
+ AST_RWLIST_TRAVERSE_SAFE_BEGIN(&escalation_root, cur_escalation, list) {
+ if (cur_escalation->acf == acf) {
+ AST_RWLIST_REMOVE_CURRENT(list);
+ break;
+ }
+ }
+ AST_RWLIST_TRAVERSE_SAFE_END;
+ AST_RWLIST_UNLOCK(&escalation_root);
+
return cur ? 0 : -1;
}
+/*!
+ * \brief Returns true if given custom function escalates privileges on read.
+ *
+ * \param acf Custom function to query.
+ * \return True (non-zero) if reads escalate privileges.
+ * \return False (zero) if reads just read.
+ */
+static int read_escalates(const struct ast_custom_function *acf) {
+ int res = 0;
+ struct ast_custom_escalating_function *cur_escalation;
+
+ AST_RWLIST_RDLOCK(&escalation_root);
+ AST_RWLIST_TRAVERSE(&escalation_root, cur_escalation, list) {
+ if (cur_escalation->acf == acf) {
+ res = cur_escalation->read_escalates;
+ break;
+ }
+ }
+ AST_RWLIST_UNLOCK(&escalation_root);
+ return res;
+}
+
+/*!
+ * \brief Returns true if given custom function escalates privileges on write.
+ *
+ * \param acf Custom function to query.
+ * \return True (non-zero) if writes escalate privileges.
+ * \return False (zero) if writes just write.
+ */
+static int write_escalates(const struct ast_custom_function *acf) {
+ int res = 0;
+ struct ast_custom_escalating_function *cur_escalation;
+
+ AST_RWLIST_RDLOCK(&escalation_root);
+ AST_RWLIST_TRAVERSE(&escalation_root, cur_escalation, list) {
+ if (cur_escalation->acf == acf) {
+ res = cur_escalation->write_escalates;
+ break;
+ }
+ }
+ AST_RWLIST_UNLOCK(&escalation_root);
+ return res;
+}
+
/*! \internal
* \brief Retrieve the XML documentation of a specified ast_custom_function,
* and populate ast_custom_function string fields.
@@ -3663,6 +3743,50 @@
return 0;
}
+int __ast_custom_function_register_escalating(struct ast_custom_function *acf, enum ast_custom_function_escalation escalation, struct ast_module *mod)
+{
+ struct ast_custom_escalating_function *acf_escalation = NULL;
+ int res;
+
+ res = __ast_custom_function_register(acf, mod);
+ if (res != 0) {
+ return -1;
+ }
+
+ if (escalation == AST_CFE_NONE) {
+ /* No escalations; no need to do anything else */
+ return 0;
+ }
+
+ acf_escalation = ast_calloc(1, sizeof(*acf_escalation));
+ if (!acf_escalation) {
+ ast_custom_function_unregister(acf);
+ return -1;
+ }
+
+ acf_escalation->acf = acf;
+ switch (escalation) {
+ case AST_CFE_NONE:
+ break;
+ case AST_CFE_READ:
+ acf_escalation->read_escalates = 1;
+ break;
+ case AST_CFE_WRITE:
+ acf_escalation->write_escalates = 1;
+ break;
+ case AST_CFE_BOTH:
+ acf_escalation->read_escalates = 1;
+ acf_escalation->write_escalates = 1;
+ break;
+ }
+
+ AST_RWLIST_WRLOCK(&escalation_root);
+ AST_RWLIST_INSERT_TAIL(&escalation_root, acf_escalation, list);
+ AST_RWLIST_UNLOCK(&escalation_root);
+
+ return 0;
+}
+
/*! \brief return a pointer to the arguments of the function,
* and terminates the function name with '\\0'
*/
@@ -3684,6 +3808,124 @@
return args;
}
+void pbx_live_dangerously(int new_live_dangerously)
+{
+ if (new_live_dangerously && !live_dangerously) {
+ ast_log(LOG_WARNING, "Privilege escalation protection disabled!\n"
+ "See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.\n");
+ }
+
+ if (!new_live_dangerously && live_dangerously) {
+ ast_log(LOG_NOTICE, "Privilege escalation protection enabled.\n");
+ }
+ live_dangerously = new_live_dangerously;
+}
+
+int ast_thread_inhibit_escalations(void)
+{
+ int *thread_inhibit_escalations;
+
+ thread_inhibit_escalations = ast_threadstorage_get(
+ &thread_inhibit_escalations_tl, sizeof(*thread_inhibit_escalations));
+
+ if (thread_inhibit_escalations == NULL) {
+ ast_log(LOG_ERROR, "Error inhibiting privilege escalations for current thread\n");
+ return -1;
+ }
+
+ *thread_inhibit_escalations = 1;
+ return 0;
+}
+
+/*!
+ * \brief Indicates whether the current thread inhibits the execution of
+ * dangerous functions.
+ *
+ * \return True (non-zero) if dangerous function execution is inhibited.
+ * \return False (zero) if dangerous function execution is allowed.
+ */
+static int thread_inhibits_escalations(void)
+{
+ int *thread_inhibit_escalations;
+
+ thread_inhibit_escalations = ast_threadstorage_get(
+ &thread_inhibit_escalations_tl, sizeof(*thread_inhibit_escalations));
+
+ if (thread_inhibit_escalations == NULL) {
+ ast_log(LOG_ERROR, "Error checking thread's ability to run dangerous functions\n");
+ /* On error, assume that we are inhibiting */
+ return 1;
+ }
+
+ return *thread_inhibit_escalations;
+}
+
+/*!
+ * \brief Determines whether execution of a custom function's read function
+ * is allowed.
+ *
+ * \param acfptr Custom function to check
+ * \return True (non-zero) if reading is allowed.
+ * \return False (zero) if reading is not allowed.
+ */
+static int is_read_allowed(struct ast_custom_function *acfptr)
+{
+ if (!acfptr) {
+ return 1;
+ }
+
+ if (!read_escalates(acfptr)) {
+ return 1;
+ }
+
+ if (!thread_inhibits_escalations()) {
+ return 1;
+ }
+
+ if (live_dangerously) {
+ /* Global setting overrides the thread's preference */
+ ast_debug(2, "Reading %s from a dangerous context\n",
+ acfptr->name);
+ return 1;
+ }
+
+ /* We have no reason to allow this function to execute */
+ return 0;
+}
+
+/*!
+ * \brief Determines whether execution of a custom function's write function
+ * is allowed.
+ *
+ * \param acfptr Custom function to check
+ * \return True (non-zero) if writing is allowed.
+ * \return False (zero) if writing is not allowed.
+ */
+static int is_write_allowed(struct ast_custom_function *acfptr)
+{
+ if (!acfptr) {
+ return 1;
+ }
+
+ if (!write_escalates(acfptr)) {
+ return 1;
+ }
+
+ if (!thread_inhibits_escalations()) {
+ return 1;
+ }
+
+ if (live_dangerously) {
+ /* Global setting overrides the thread's preference */
+ ast_debug(2, "Writing %s from a dangerous context\n",
+ acfptr->name);
+ return 1;
+ }
+
+ /* We have no reason to allow this function to execute */
+ return 0;
+}
+
int ast_func_read(struct ast_channel *chan, const char *function, char *workspace, size_t len)
{
char *copy = ast_strdupa(function);
@@ -3696,6 +3938,8 @@
ast_log(LOG_ERROR, "Function %s not registered\n", copy);
} else if (!acfptr->read && !acfptr->read2) {
ast_log(LOG_ERROR, "Function %s cannot be read\n", copy);
+ } else if (!is_read_allowed(acfptr)) {
+ ast_log(LOG_ERROR, "Dangerous function %s read blocked\n", copy);
} else if (acfptr->read) {
if (acfptr->mod) {
u = __ast_module_user_add(acfptr->mod, chan);
@@ -3733,6 +3977,8 @@
ast_log(LOG_ERROR, "Function %s not registered\n", copy);
} else if (!acfptr->read && !acfptr->read2) {
ast_log(LOG_ERROR, "Function %s cannot be read\n", copy);
+ } else if (!is_read_allowed(acfptr)) {
+ ast_log(LOG_ERROR, "Dangerous function %s read blocked\n", copy);
} else {
if (acfptr->mod) {
u = __ast_module_user_add(acfptr->mod, chan);
@@ -3772,11 +4018,13 @@
char *args = func_args(copy);
struct ast_custom_function *acfptr = ast_custom_function_find(copy);
- if (acfptr == NULL)
+ if (acfptr == NULL) {
ast_log(LOG_ERROR, "Function %s not registered\n", copy);
- else if (!acfptr->write)
+ } else if (!acfptr->write) {
ast_log(LOG_ERROR, "Function %s cannot be written to\n", copy);
- else {
+ } else if (!is_write_allowed(acfptr)) {
+ ast_log(LOG_ERROR, "Dangerous function %s write blocked\n", copy);
+ } else {
int res;
struct ast_module_user *u = NULL;
if (acfptr->mod)
Index: main/tcptls.c
===================================================================
--- main/tcptls.c (revision 403913)
+++ main/tcptls.c (revision 403914)
@@ -48,6 +48,7 @@
#include "asterisk/options.h"
#include "asterisk/manager.h"
#include "asterisk/astobj2.h"
+#include "asterisk/pbx.h"
/*! \brief
* replacement read/write functions for SSL support.
@@ -160,6 +161,16 @@
char err[256];
#endif
+ /* TCP/TLS connections are associated with external protocols, and
+ * should not be allowed to execute 'dangerous' functions. This may
+ * need to be pushed down into the individual protocol handlers, but
+ * this seems like a good general policy.
+ */
+ if (ast_thread_inhibit_escalations()) {
+ ast_log(LOG_ERROR, "Failed to inhibit privilege escalations; killing connection\n");
+ return NULL;
+ }
+
/*
* open a FILE * as appropriate.
*/
Index: configs/asterisk.conf.sample
===================================================================
--- configs/asterisk.conf.sample (revision 403913)
+++ configs/asterisk.conf.sample (revision 403914)
@@ -73,6 +73,12 @@
;lockconfdir = no ; Protect the directory containing the
; configuration files (/etc/asterisk) with a
; lock.
+;live_dangerously = no ; Enable the execution of 'dangerous' dialplan
+ ; functions from external sources (AMI,
+ ; etc.) These functions (such as SHELL) are
+ ; considered dangerous because they can allow
+ ; privilege escalation.
+ ; Default yes, for backward compatability.
; Changing the following lines may compromise your security.
;[files]
Property changes on: .
___________________________________________________________________
Modified: branch-1.8-merged
- /branches/1.8:1-369936,369938-369969,369971-369992,369994-370013,370015-370016,370018-370080,370082-370130,370132-370182,370184-370251,370253-370382,370384-370427,370430-370493,370495-370641,370643-370665,370667-370696,370698-370769,370772-370796,370798-370855,370857-370899,370901-370922,370924-370951,370953-370984,370986-370987,370989-371010,371013-371059,371061-371088,371090-371197,371199-371269,371271-371305,371307-371391,371393-371543,371545-371589,371591-371661,371663-371689,371691-371717,371719-371823,371825-371887,371889-371918,371920-371960,371962-372047,372049-372088,372090-372157,372159-372211,372213-372238,372240-372267,372269-372336,372338,372340-372353,372355-372389,372391-372416,372418-372443,372445-372470,372472-372497,372499-372516,372518-372553,372555-372580,372582-372619,372621-372623,372625-372654,372656-372681,372683-372735,372737-372762,372764,372766-372803,372805-372839,372841-372901,372903-372931,372933-372958,372960-373023,373025-373089,373091-373130,373132-373235,373237-373241,373243-373297,373299-373341,373343-373423,373425-373437,373439-373466,373468-373499,373501-373503,373505-373549,373551-373577,373579-373616,373619-373639,373641-373665,373667-373701,373703-373704,373706-373734,373736-373772,373774-373814,373816-373847,373849-373877,373879-373908,373910-373988,373990-374031,374033-374107,374109-374176,374178-374229,374231-374315,374317-374334,374336-374364,374366-374383,374385-374425,374427-374474,374476-374478,374480-374536,374802,374843,375216-375243,375245-375271,375273-375324,375326-375361,375625,376950,378269,378303,378933,379001,382227,388425,396958,397710,397756,398235,400073,401445,401959,402468,403853
+ /branches/1.8:1-369936,369938-369969,369971-369992,369994-370013,370015-370016,370018-370080,370082-370130,370132-370182,370184-370251,370253-370382,370384-370427,370430-370493,370495-370641,370643-370665,370667-370696,370698-370769,370772-370796,370798-370855,370857-370899,370901-370922,370924-370951,370953-370984,370986-370987,370989-371010,371013-371059,371061-371088,371090-371197,371199-371269,371271-371305,371307-371391,371393-371543,371545-371589,371591-371661,371663-371689,371691-371717,371719-371823,371825-371887,371889-371918,371920-371960,371962-372047,372049-372088,372090-372157,372159-372211,372213-372238,372240-372267,372269-372336,372338,372340-372353,372355-372389,372391-372416,372418-372443,372445-372470,372472-372497,372499-372516,372518-372553,372555-372580,372582-372619,372621-372623,372625-372654,372656-372681,372683-372735,372737-372762,372764,372766-372803,372805-372839,372841-372901,372903-372931,372933-372958,372960-373023,373025-373089,373091-373130,373132-373235,373237-373241,373243-373297,373299-373341,373343-373423,373425-373437,373439-373466,373468-373499,373501-373503,373505-373549,373551-373577,373579-373616,373619-373639,373641-373665,373667-373701,373703-373704,373706-373734,373736-373772,373774-373814,373816-373847,373849-373877,373879-373908,373910-373988,373990-374031,374033-374107,374109-374176,374178-374229,374231-374315,374317-374334,374336-374364,374366-374383,374385-374425,374427-374474,374476-374478,374480-374536,374802,374843,375216-375243,375245-375271,375273-375324,375326-375361,375625,376950,378269,378303,378933,379001,382227,388425,396958,397710,397756,398235,400073,401445,401959,402468,403853,403913