security: Inhibit execution of privilege escalating functions

This patch allows individual dialplan functions to be marked as 'dangerous', to inhibit their execution from external sources. A 'dangerous' function is one which results in a privilege escalation. For example, if one were to read the channel variable SHELL(rm -rf /) Bad Things(TM) could happen; even if the external source has only read permissions. Execution from external sources may be enabled by setting 'live_dangerously' to 'yes' in the [options] section of asterisk.conf. Although doing so is not recommended. Also, the ABI was changed to something more reasonable, since Asterisk 12 does not yet have a public release. (closes issue ASTERISK-22905) Review: http://reviewboard.digium.internal/r/432/ ........ Merged revisions 403913 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 403917 from http://svn.asterisk.org/svn/asterisk/branches/11 ........ Merged revisions 403959 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403960 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-09-02 19:16:15 +00:00 · 2013-12-16 19:11:51 +00:00
parent 00dcee2a64
commit 744556c01d
12 changed files with 418 additions and 37 deletions
--- a/funcs/func_lock.c
+++ b/funcs/func_lock.c
@@ -59,6 +59,11 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 			Returns <literal>1</literal> if the lock was obtained or <literal>0</literal> on error.</para>
 			<note><para>To avoid the possibility of a deadlock, LOCK will only attempt to
 			obtain the lock for 3 seconds if the channel already has another lock.</para></note>
+			<note>
+				<para>If <literal>live_dangerously</literal> in <literal>asterisk.conf</literal>
+				is set to <literal>no</literal>, this function can only be executed from the
+				dialplan, and not directly from external protocols.</para>
+			</note>
 		</description>
 	</function>
 	<function name="TRYLOCK" language="en_US">
@@ -72,6 +77,11 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 			<para>Attempts to grab a named lock exclusively, and prevents other channels
 			from obtaining the same lock.  Returns <literal>1</literal> if the lock was 
 			available or <literal>0</literal> otherwise.</para>
+			<note>
+				<para>If <literal>live_dangerously</literal> in <literal>asterisk.conf</literal>
+				is set to <literal>no</literal>, this function can only be executed from the
+				dialplan, and not directly from external protocols.</para>
+			</note>
 		</description>
 	</function>
 	<function name="UNLOCK" language="en_US">
@@ -86,6 +96,11 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 			had a lock or <literal>0</literal> otherwise.</para>
 			<note><para>It is generally unnecessary to unlock in a hangup routine, as any locks 
 			held are automatically freed when the channel is destroyed.</para></note>
+			<note>
+				<para>If <literal>live_dangerously</literal> in <literal>asterisk.conf</literal>
+				is set to <literal>no</literal>, this function can only be executed from the
+				dialplan, and not directly from external protocols.</para>
+			</note>
 		</description>
 	</function>
 ***/
@@ -502,9 +517,9 @@ static int unload_module(void)

 static int load_module(void)
 {
-	int res = ast_custom_function_register(&lock_function);
-	res |= ast_custom_function_register(&trylock_function);
-	res |= ast_custom_function_register(&unlock_function);
+	int res = ast_custom_function_register_escalating(&lock_function, AST_CFE_READ);
+	res |= ast_custom_function_register_escalating(&trylock_function, AST_CFE_READ);
+	res |= ast_custom_function_register_escalating(&unlock_function, AST_CFE_READ);

 	if (ast_pthread_create_background(&broker_tid, NULL, lock_broker, NULL)) {
 		ast_log(LOG_ERROR, "Failed to start lock broker thread. Unloading func_lock module.\n");