Asterisk manager privileges being ignored

Hi all,

Hoping someone can shed some light on this as it’s got me somewhat confused.

I have my copy of Asterisk 11.7.0 running on Ubuntu 14.4 set up to allow access to AMI via the usual manager TCP connection on 5038.

My manager.conf looks as follows:


{general}
enabled         = yes
port            = 5038
bindaddr        = 0.0.0.0
displayconnects = yes
webenabled      = yes

; No access is allowed by default.
; To set a password, create a file in /etc/asterisk/manager.d
; use creative permission games to allow other services to create their own
; files
#include "manager.d/*.conf"

NOTE: I’ve changed the [ & ] to { & } in my listings so it doesn’t confuse the forum software

In the manager.d folder I have conf files with each user’s config in.

For now, while I troubleshoot this issue, there is only mine, ‘shawty.conf’, which looks like the following:


{shawty}
secret = *********
deny = 0.0.0.0/0.0.0.0
permit = 192.168.17.100/24
read = agent
write = agent

As far as I can tell, everything is fine and when I log in to my AMI connection, this user should be logged on with agent privileges only.

The problem is, it’s not.

In fact it doesn’t matter what I set the read/write settings in the user conf to, the user ALWAYS logs on with system,all as the following shows:

Asterisk Call Manager/1.3
Action: login
Username: shawty
Secret: **********

Response: Success
Message: Authentication accepted

Event: FullyBooted
Privilege: system,all
Status: Fully Booted

Action: logoff

Response: Goodbye
Message: Thanks for all the fish.

There’s another weird happening too.

I was under the impression that system is the highest available AMI privilege available, so being logged in as system, and especially with all too, I would have expected to be able to use all the AMI commands.

However, anything in the call, agent & command groups consistently tells me I’m not authorized to use it.

If anyone can shed any light on this, it’d be much appreciated, as I’m trying to write a tool that allows a web page to get a list of waiting voicemail messages in a mailbox and displays them in a list for a user to download and listen to.

Cheers
Shawty

Bit of an update:

Since I posted this, I’ve added a second user to my system.

This user has

read = all
write = all

Yet when this new user logs in the same “system,all” privileges are displayed, but the user clearly has access to everything.

The privileges reported from the server are those that apply to the event, not to the user.

Ahhh, ok that makes sense.

So what it’s saying is not what the connected user has, but what level is needed to see the event that is displayed.

That makes things a little more understandable. Now I just need to find out why I’m not getting the correct privileges on my user then :smile:

On the aforementioned “shawty” user, I have:

read = system, call, agent, all
write = system, call, agent, all

Yet I get denied access to AMI functions that require “call” or “agent”.

Thanks
Shawty
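
The reply above points out that the Privilege header describes the event it is attached to, not the logged-in user. As an added example (not part of the original thread), this Python code splits the session transcript posted above into AMI messages and shows that Privilege appears only on the event, never on the login response; the function names are hypothetical.

```python
# Session text copied from the transcript in the thread (secret already masked).
SESSION = """\
Asterisk Call Manager/1.3
Action: login
Username: shawty
Secret: **********

Response: Success
Message: Authentication accepted

Event: FullyBooted
Privilege: system,all
Status: Fully Booted

Action: logoff

Response: Goodbye
Message: Thanks for all the fish.
"""


def parse_messages(text):
    """Return one dict of headers per blank-line-delimited AMI message."""
    messages = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        headers = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # the banner line has no "Key: Value" form and is skipped
                headers[key.strip()] = value.strip()
        if headers:
            messages.append(headers)
    return messages


def kind(msg):
    """Classify a message by its leading header: Action, Response or Event."""
    return next((k for k in ("Action", "Response", "Event") if k in msg), "Unknown")


def event_classes(messages):
    """Map each event name to the classes listed in that event's Privilege header."""
    return {m["Event"]: m.get("Privilege", "").split(",")
            for m in messages if kind(m) == "Event"}


if __name__ == "__main__":
    for m in parse_messages(SESSION):
        print(f"{kind(m):8} {m.get(kind(m), ''):12} Privilege={m.get('Privilege', '-')}")
```

The login response carries no Privilege header at all, so nothing in this exchange reports what the account itself was granted.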