On Wed, Jul 6, 2016 at 4:05 AM, Michael Jepson <michael.jep...@cm.nl> wrote:
> Adding live_dangerously did the trick. Thanks! But how dangerous is Asterisk
> living now ?
From README-SERIOUSLY.bestpractices.txt:

===========================
Avoid Privilege Escalations
===========================

External control protocols, such as Manager, often have the ability to get and set channel variables, which allows the execution of dialplan functions. Dialplan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain dialplan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to.

When these functions are executed from an external protocol, that execution could result in a privilege escalation. Asterisk can inhibit the execution of these functions, if live_dangerously in the [options] section of asterisk.conf is set to no. In Asterisk 12 and later, live_dangerously defaults to no.

When setting 'live_dangerously' to yes, you are taking responsibility for preventing permission escalation for those dialplan functions that can alter the underlying system. In addition to running Asterisk as a non-root user - which is always a good idea - your external applications should be sanitizing data passed through to said dialplan functions, and should implement their own stringent access control.

Matt

--
Matthew Jordan
Digium, Inc. | CTO
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
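The README excerpt above explains the risk: a Manager (AMI) client that can issue Getvar/Setvar can reach dialplan functions such as SHELL() and FILE(). As an added example, not part of the original thread or of Asterisk, the script below parses a captured stream of AMI actions and flags Getvar/Setvar requests whose variable is one of those functions, the kind of check a monitoring hook or AMI proxy on the application side could apply. The AMI message framing (CRLF-delimited `Key: Value` lines, blank-line terminated), the constructed sample capture and the function list are assumptions of this example; Asterisk's own internal list of restricted functions is longer than the two the README names.

```python
import re
from typing import Iterator

# Dialplan functions named in the README excerpt as dangerous when reached from
# an external protocol. This list is the example's assumption; Asterisk's own
# internal list of restricted functions is longer.
DANGEROUS_FUNCTIONS = {"SHELL", "FILE"}

# Matches a function call at the start of a variable name, e.g. "SHELL(uptime)".
_FUNC_RE = re.compile(r"^\s*([A-Z_][A-Z0-9_]*)\s*\(", re.IGNORECASE)


def parse_ami_actions(stream: str) -> Iterator[dict]:
    """Split a captured AMI stream into actions (one dict per message).

    Messages are 'Key: Value' lines terminated by a blank line; keys are
    case-insensitive, so they are lower-cased here.
    """
    for block in re.split(r"\r?\n\r?\n", stream.strip()):
        action = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                action[key.strip().lower()] = value.strip()
        if action:
            yield action


def dangerous_variable_actions(stream: str) -> list:
    """Return (action, function) pairs where Getvar/Setvar targets a dangerous function."""
    hits = []
    for action in parse_ami_actions(stream):
        if action.get("action", "").lower() not in ("getvar", "setvar"):
            continue
        m = _FUNC_RE.match(action.get("variable", ""))
        if m and m.group(1).upper() in DANGEROUS_FUNCTIONS:
            hits.append((action["action"], m.group(1).upper()))
    return hits


# Constructed sample capture: a benign Setvar, a Getvar that would run a
# command through SHELL(), and a Setvar that would write a file through FILE().
SAMPLE_CAPTURE = (
    "Action: Setvar\r\nChannel: SIP/100-00000001\r\nVariable: CALLERID(name)\r\nValue: Alice\r\n\r\n"
    "Action: Getvar\r\nChannel: SIP/100-00000001\r\nVariable: SHELL(hostname)\r\n\r\n"
    "Action: Setvar\r\nVariable: FILE(/tmp/example.txt)\r\nValue: x\r\n\r\n"
)

if __name__ == "__main__":
    for act, func in dangerous_variable_actions(SAMPLE_CAPTURE):
        print(f"{act} on {func}() reaches a dangerous dialplan function")
```

With live_dangerously=no Asterisk refuses these itself; the check is useful for spotting clients that attempt them, or as a guard in front of an Asterisk that must run with live_dangerously=yes.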