Disable !command from console

Is it possible to disable the ! from the Asterisk console? Our security guys want us to prevent the Asterisk console from escaping to a shell.

Connected to Asterisk 11.21.0 currently running on A1 (pid = 19418)
A1*CLI> !/bin/sh
sh-4.1#

You can set permission using the cli_permissions.conf

There is an example file in the samples directory.

So in this scenario since the current config in cli_permissions.conf is:

default_perm=permit

In my syntax, would I have to explicitly deny everything first and then allow? Or could I just deny the ! command?

[@mysudo]
deny=all
permit=dialplan show
permit=sip show peer

[@mysudo]
deny=!

I also tried it with my specific user, but it still seems to be inheriting the default permit, even though it says it should not.

; default_perm = permit | deny
;                This is the default permissions to apply for a user that
;                does not has a permissions definided.

I would suggest trying exactly that, deny all and then permit what commands you trust.

Hmm, doesn’t seem to work. I’m still able to escape from the console. I tried the following:

[@mysudo]
deny=all
permit=sip show peer

And

[myuser]
deny=all
permit=sip show peer

I even set the default permit to deny and tried that. It will not let me run help and other commands, but I can still escape :(

default_perm=deny
Connected to Asterisk 11.21.0 currently running on A1 (pid = 13635)
You don't have permissions to run 'logger mute silent' command
A1*CLI> help
You don't have permissions to run 'help' command
A1*CLI> !/bin/sh
sh-4.1#

Is there another config file where it may be overriding the permissions?

Have you tried this:

[myuser]
deny=all
deny=!
permit=sip show peer
permit=any=other-cli=command

! is processed in the user interface process, rather than the main part of Asterisk. Only the main part probably has access to the configuration file. I think the same applies for -c, except it is just a sub-thread.

The easiest solution, except if you are amongst the increasing number that use packages, is to edit the source code. You shouldn’t really need to know C to disable something like this.

However, note that disabling ! will not stop people from executing arbitrary commands in the Asterisk context, as you can load dialplan, and dialplan can shell out.
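To make the point above concrete, here is an added illustrative model (not Asterisk source; the names perm_rule, perms_allow, console_dispatch and thread_scenario are hypothetical) of the order in which the remote console handles a line: the bang test runs in the console process before any command reaches the cli_permissions check, so a deny rule can only ever affect the second stage. The rule set is the one the original poster tried.

```c
/* Added example, not Asterisk code: models why "deny=!" in
 * cli_permissions.conf cannot take effect. All names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { RAN_SHELL, RAN_CLI, DENIED_BY_PERMS, REFUSED_BANG };

/* A rule modeled on cli_permissions.conf: permit/deny by command prefix,
 * "all" matches every command, and a later matching rule overrides an
 * earlier one (last match wins). */
struct perm_rule { int permit; const char *prefix; };

static int perms_allow(const struct perm_rule *rules, size_t n,
                       int default_permit, const char *cmd)
{
    int allowed = default_permit;            /* default_perm fallback */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].prefix, "all") == 0 ||
            strncasecmp(cmd, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            allowed = rules[i].permit;
    }
    return allowed;
}

/* Mirrors the shape of remoteconsolehandler(): leading whitespace is
 * skipped, then "!" is consumed here, in the console process, and the
 * permission layer is never consulted for it. allow_bang == 0 models
 * the behaviour of the patched handler shown later in this thread. */
static enum verdict console_dispatch(const char *s, int allow_bang,
                                     const struct perm_rule *rules,
                                     size_t n, int default_permit)
{
    while (isspace((unsigned char)*s))
        s++;
    if (s[0] == '!')
        return allow_bang ? RAN_SHELL : REFUSED_BANG;
    return perms_allow(rules, n, default_permit, s) ? RAN_CLI : DENIED_BY_PERMS;
}

/* Constructed rule set: deny=all, deny=!, permit=sip show peer, default deny. */
static const struct perm_rule thread_rules[] = {
    { 0, "all" }, { 0, "!" }, { 1, "sip show peer" }
};

static enum verdict thread_scenario(const char *line, int allow_bang)
{
    return console_dispatch(line, allow_bang, thread_rules,
                            sizeof thread_rules / sizeof thread_rules[0], 0);
}
```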

Yes that did not work either. Thanks.

Yes we looked at that and did re-compile and test it. It works when removed from the .c file. Not sure if it’s going to be a viable solution at the moment.

Thanks

Evan, are you using sudo to permit access to the Asterisk console?

If so, you can add the NOEXEC flag to the command, and that will stop Asterisk from being able to spawn shells with the ! command.

Hello people! If you’re here, you need it, so do the following:

cd /usr/local/src/asterisk_tarball/main/

cp -av asterisk.c asterisk.c.old

vim asterisk.c

Original block:

/* This is the main console CLI command handler. Run by the main() thread. */
static void consolehandler(const char *s)
{
    printf("%s", term_end());
    fflush(stdout);

    /* Called when readline data is available */
    if (!ast_all_zeros(s))
        ast_el_add_history(s);
    /* The real handler for bang */
    if (s[0] == '!') {
        if (s[1])
            ast_safe_system(s+1);
        else
            ast_safe_system(getenv("SHELL") ? getenv("SHELL") : "/bin/sh");
    } else
        ast_cli_command(STDOUT_FILENO, s);
}

static int remoteconsolehandler(const char *s)
{
    int ret = 0;

    /* Called when readline data is available */
    if (!ast_all_zeros(s))
        ast_el_add_history(s);

    while (isspace(*s)) {
        s++;
    }

    /* The real handler for bang */
    if (s[0] == '!') {
        if (s[1])
            ast_safe_system(s+1);
        else
            ast_safe_system(getenv("SHELL") ? getenv("SHELL") : "/bin/sh");
        ret = 1;
    } else if ((strncasecmp(s, "quit", 4) == 0 || strncasecmp(s, "exit", 4) == 0) &&
        (s[4] == '\0' || isspace(s[4]))) {
        quit_handler(0, SHUTDOWN_FAST, 0);
        ret = 1;
    }

    return ret;
}

Modified block:

/* This is the main console CLI command handler. Run by the main() thread. */
static void consolehandler(const char *s)
{
    printf("%s", term_end());
    fflush(stdout);

    /* Called when readline data is available */
    if (!ast_all_zeros(s))
        ast_el_add_history(s);
    /* The real handler for bang */
    if (s[0] == '!') {
        if (s[1])
            ast_verbose("This asterisk does not have Super Cow Powers.\n");
        else
            ast_verbose("This asterisk does not have Super Cow Powers.\n");
    } else
        ast_cli_command(STDOUT_FILENO, s);
}

static int remoteconsolehandler(const char *s)
{
    int ret = 0;

    /* Called when readline data is available */
    if (!ast_all_zeros(s))
        ast_el_add_history(s);

    while (isspace(*s)) {
        s++;
    }

    /* The real handler for bang */
    if (s[0] == '!') {
        if (s[1])
            ast_verbose("This asterisk does not have Super Cow Powers.\n");
        else
            ast_verbose("This asterisk does not have Super Cow Powers.\n");
        ret = 1;
    } else if ((strncasecmp(s, "quit", 4) == 0 || strncasecmp(s, "exit", 4) == 0) &&
        (s[4] == '\0' || isspace(s[4]))) {
        quit_handler(0, SHUTDOWN_FAST, 0);
        ret = 1;
    }

    return ret;
}

CLI:

PBX*CLI> !
This asterisk does not have Super Cow Powers.
PBX*CLI>

PBX*CLI> ! ip addr
This asterisk does not have Super Cow Powers.
PBX*CLI>

Good luck!
