asterisk.c: Add option to restrict shell access from remote consoles.

UserNote: A new asterisk.conf option 'disable_remote_console_shell' has been added that, when set, will prevent remote consoles from executing shell commands using the '!' prefix. Resolves: #GHSA-c7p6-7mvq-8jq2
2025-09-03 19:28:53 +00:00 · 2025-05-19 08:16:53 -06:00
parent 67360eb671
commit 3a5ffe2842
5 changed files with 20 additions and 1 deletions
--- a/configs/samples/asterisk.conf.sample
+++ b/configs/samples/asterisk.conf.sample
@@ -138,6 +138,9 @@ documentation_language = en_US	; Set the language you want documentation
                ;   cpp_map_name_id: Use C++ Maps to index both
                ;                    channel name and channel uniqueid.
                ; See http://s.asterisk.net/dc679ec3 for more information.
+;disable_remote_console_shell = no; Prevent remote console CLI sessions
+                ; from executing shell commands with the '!' prefix.
+                ; Default: no

 ; Changing the following lines may compromise your security.
 ;[files]
--- a/configs/samples/cli_permissions.conf.sample
+++ b/configs/samples/cli_permissions.conf.sample
@@ -19,6 +19,11 @@
 ; deny = <command name> | all		; disallow the user to run 'command' |
 ;					; disallow the user to run 'all' commands.
 ;
+; NOTE: This file can't be used to restict the use of the '!' prefix
+; for running shell commands from the CLI. You can however disable the
+; use of the shell commands in remote consoles altogether by setting
+; the 'disable_remote_console_shell' parameter in asterisk.conf to 'yes'.
+;

 [general]