security: Inhibit execution of privilege escalating functions

This patch allows individual dialplan functions to be marked as 'dangerous', to inhibit their execution from external sources. A 'dangerous' function is one which results in a privilege escalation. For example, if one were to read the channel variable SHELL(rm -rf /) Bad Things(TM) could happen; even if the external source has only read permissions. Execution from external sources may be enabled by setting 'live_dangerously' to 'yes' in the [options] section of asterisk.conf. Although doing so is not recommended. (closes issue ASTERISK-22905) Review: http://reviewboard.digium.internal/r/432/ ........ Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@403917 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-11-16 23:08:32 +00:00 · 2013-12-16 17:14:14 +00:00
parent faf4f6187b
commit a9ee948e90
12 changed files with 472 additions and 37 deletions
--- a/include/asterisk/pbx.h
+++ b/include/asterisk/pbx.h
@@ -1309,16 +1309,44 @@ struct ast_custom_function* ast_custom_function_find(const char *name);
 */
 int ast_custom_function_unregister(struct ast_custom_function *acf);

+/*!
+ * \brief Description of the ways in which a function may escalate privileges.
+ */
+enum ast_custom_function_escalation {
+	AST_CFE_NONE,
+	AST_CFE_READ,
+	AST_CFE_WRITE,
+	AST_CFE_BOTH,
+};
+
 /*!
 * \brief Register a custom function
 */
 #define ast_custom_function_register(acf) __ast_custom_function_register(acf, ast_module_info->self)

+/*!
+ * \brief Register a custom function which requires escalated privileges.
+ *
+ * Examples would be SHELL() (for which a read needs permission to execute
+ * arbitrary code) or FILE() (for which write needs permission to change files
+ * on the filesystem).
+ */
+#define ast_custom_function_register_escalating(acf, escalation) __ast_custom_function_register_escalating(acf, escalation, ast_module_info->self)
+
 /*!
 * \brief Register a custom function
 */
 int __ast_custom_function_register(struct ast_custom_function *acf, struct ast_module *mod);

+/*!
+ * \brief Register a custom function which requires escalated privileges.
+ *
+ * Examples would be SHELL() (for which a read needs permission to execute
+ * arbitrary code) or FILE() (for which write needs permission to change files
+ * on the filesystem).
+ */
+int __ast_custom_function_register_escalating(struct ast_custom_function *acf, enum ast_custom_function_escalation escalation, struct ast_module *mod);
+
 /*!
 * \brief Retrieve the number of active calls
 */
@@ -1432,6 +1460,32 @@ unsigned int ast_hashtab_hash_contexts(const void *obj);
 */
 char *ast_complete_applications(const char *line, const char *word, int state);

+/*!
+ * \brief Enable/disable the execution of 'dangerous' functions from external
+ * protocols (AMI, etc.).
+ *
+ * These dialplan functions (such as \c SHELL) provide an opportunity for
+ * privilege escalation. They are okay to invoke from the dialplan, but external
+ * protocols with permission controls should not normally invoke them.
+ *
+ * This function can globally enable/disable the execution of dangerous
+ * functions from external protocols.
+ *
+ * \param new_live_dangerously If true, enable the execution of escalating
+ * functions from external protocols.
+ */
+void pbx_live_dangerously(int new_live_dangerously);
+
+/*!
+ * \brief Inhibit (in the current thread) the execution of dialplan functions
+ * which cause privilege escalations. If pbx_live_dangerously() has been
+ * called, this function has no effect.
+ *
+ * \return 0 if successfuly marked current thread.
+ * \return Non-zero if marking current thread failed.
+ */
+int ast_thread_inhibit_escalations(void);
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif