mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-26 14:27:14 +00:00 
			
		
		
		
	UserNote: A new asterisk.conf option 'disable_remote_console_shell' has been added that, when set, will prevent remote consoles from executing shell commands using the '!' prefix. Resolves: #GHSA-c7p6-7mvq-8jq2
		
			
				
	
	
		
			88 lines
		
	
	
		
			2.7 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			88 lines
		
	
	
		
			2.7 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| ;
 | |
| ; CLI permissions configuration example for Asterisk
 | |
| ;
 | |
| ; All the users that you want to connect with asterisk using
 | |
| ; rasterisk, should have write/read access to the
 | |
| ; asterisk socket (asterisk.ctl). You could change the permissions
 | |
| ; of this file in 'asterisk.conf' config parameter: 'astctlpermissions' (0666)
 | |
| ; found on the [files] section.
 | |
| ;
 | |
| ; general options:
 | |
| ;
 | |
| ; default_perm = permit | deny
 | |
| ;                This is the default permissions to apply for a user that
 | |
| ;                does not has a permissions defined.
 | |
| ;
 | |
| ; user options:
 | |
| ; permit = <command name> | all		; allow the user to run 'command' |
 | |
| ;					; allow the user to run 'all' the commands
 | |
| ; deny = <command name> | all		; disallow the user to run 'command' |
 | |
| ;					; disallow the user to run 'all' commands.
 | |
| ;
 | |
| ; NOTE: This file can't be used to restict the use of the '!' prefix
 | |
| ; for running shell commands from the CLI. You can however disable the
 | |
| ; use of the shell commands in remote consoles altogether by setting
 | |
| ; the 'disable_remote_console_shell' parameter in asterisk.conf to 'yes'.
 | |
| ;
 | |
| 
 | |
| [general]
 | |
| 
 | |
| default_perm=permit	; To leave asterisk working as normal
 | |
| 			; we should set this parameter to 'permit'
 | |
| ;
 | |
| ; Follows the per-users permissions configs.
 | |
| ;
 | |
| ; This list is read in the sequence that is being written, so
 | |
| ; In this example the user 'eliel' is allow to run only the following
 | |
| ; commands:
 | |
| ;          pjsip show endpoints
 | |
| ;          core set debug
 | |
| ;          core set verbose
 | |
| ; If the user is not specified, the default_perm option will be apply to
 | |
| ; every command.
 | |
| ;
 | |
| ; Notice that you can also use regular expressions to allow or deny access to a
 | |
| ; certain command like: 'core show application D*'. In this example the user will be
 | |
| ; allowed to view the documentation for all the applications starting with 'D'.
 | |
| ; Another regular expression could be: 'channel originate PJSIP/[0-9]* extension *'
 | |
| ; allowing the user to use 'channel originate' on a pjsip channel and with the 'extension'
 | |
| ; parameter and avoiding the use of the 'application' parameter.
 | |
| ;
 | |
| ; We can also use the templates syntax:
 | |
| ; [supportTemplate](!)
 | |
| ; deny=all
 | |
| ; permit=pjsip show       ; all commands starting with 'pjsip show' will be allowed
 | |
| ; permit=core show
 | |
| ;
 | |
| ; You can specify permissions for a local group instead of a user,
 | |
| ; just put a '@' and we will know that is a group.
 | |
| ; IMPORTANT NOTE: Users permissions overwrite group permissions.
 | |
| ;
 | |
| ;[@adm]
 | |
| ;deny=all
 | |
| ;permit=pjsip
 | |
| ;permit=core
 | |
| ;
 | |
| ;
 | |
| ;[eliel]
 | |
| ;deny=all
 | |
| ;permit=pjsip show endpoint
 | |
| ;deny=pjsip show endpoints
 | |
| ;permit=core set
 | |
| ;
 | |
| ;
 | |
| ;User 'tommy' inherits from template 'supportTemplate':
 | |
| ;	deny=all
 | |
| ;	permit=pjsip show
 | |
| ;	permit=core show
 | |
| ;[tommy](supportTemplate)
 | |
| ;permit=core set debug
 | |
| ;permit=dialplan show
 | |
| ;
 | |
| ;
 | |
| ;[mark]
 | |
| ;deny=all
 | |
| ;permit=all
 | |
| ;
 | |
| ;
 |