authoreliel <eliel@f38db490-d61c-443f-a65b-d21fe96a405b>2008-12-01 18:52:14 +0000
committereliel <eliel@f38db490-d61c-443f-a65b-d21fe96a405b>2008-12-01 18:52:14 +0000
commitc3bceb968b01e897185cf8910893939e72c445d0 (patch)
tree35cdf9c8ac4353b858aa5ad558e8b9b6830cad7c /configs/cli_permissions.conf.sample
parent14324a5259f64e532e44f0acf1684555b88369bb (diff)
Introduce CLI permissions.
Based on cli_permissions.conf configuration file, we are able to permit or deny cli commands based on some patterns and the local user and group running rasterisk. (Sorry if I missed some of the testers). Reviewboard: http://reviewboard.digium.com/r/11/ (closes issue #11123) Reported by: eliel Tested by: eliel, IgorG, Laureano, otherwiseguy, mvanbaak git-svn-id: http://svn.digium.com/svn/asterisk/trunk@160062 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'configs/cli_permissions.conf.sample')
-rw-r--r--configs/cli_permissions.conf.sample82
1 files changed, 82 insertions, 0 deletions
diff --git a/configs/cli_permissions.conf.sample b/configs/cli_permissions.conf.sample
new file mode 100644
index 000000000..4a6973f50
--- /dev/null
+++ b/configs/cli_permissions.conf.sample
@@ -0,0 +1,82 @@
+;
+; CLI permissions configuration example for Asterisk
+;
+; All the users that you want to connect with asterisk using
+; rasterisk, should have write/read access to the
+; asterisk socket (asterisk.ctl). You could change the permissions
+; of this file in 'asterisk.conf' config parameter: 'astctlpermissions' (0666)
+; found on the [files] section.
+;
+; general options:
+;
+; default_perm = permit | deny
+; This is the default permissions to apply for a user that
+; does not has a permissions definided.
+;
+; user options:
+; permit = <command name> | all ; allow the user to run 'command' |
+; ; allow the user to run 'all' the commands
+; deny = <command name> | all ; disallow the user to run 'command' |
+; ; disallow the user to run 'all' commands.
+;
+
+[general]
+
+default_perm=permit ; To leave asterisk working as normal
+ ; we should set this parameter to 'permit'
+;
+; Follows the per-users permissions configs.
+;
+; This list is read in the sequence that is being written, so
+; In this example the user 'eliel' is allow to run only the following
+; commands:
+; sip show peer
+; core set debug
+; core set verbose
+; If the user is not specified, the default_perm option will be apply to
+; every command.
+;
+; Notice that you can also use regular expressions to allow or deny access to a
+; certain command like: 'core show application D*'. In this example the user will be
+; allowed to view the documentation for all the applications starting with 'D'.
+; Another regular expression could be: 'channel originate SIP/[0-9]* extension *'
+; allowing the user to use 'channel originate' on a sip channel and with the 'extension'
+; parameter and avoiding the use of the 'application' parameter.
+;
+; We can also use the templates syntax:
+; [supportTemplate](!)
+; deny=all
+; permit=sip show ; all commands starting with 'sip show' will be allowed
+; permit=core show
+;
+; You can specify permissions for a local group instead of a user,
+; just put a '@' and we will know that is a group.
+; IMPORTANT NOTE: Users permissions overwrite group permissions.
+;
+;[@adm]
+;deny=all
+;permit=sip
+;permit=core
+;
+;
+;[eliel]
+;deny=all
+;permit=sip show peer
+;deny=sip show peers
+;permit=core set
+;
+;
+;User 'tommy' inherits from template 'supportTemplate':
+; deny=all
+; permit=sip show
+; permit=core show
+;[tommy](supportTemplate)
+;permit=core set debug
+;permit=dialplan show
+;
+;
+;[mark]
+;deny=all
+;permit=all
+;
+;
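Review bot: The header comment suggests opening asterisk.ctl with `astctlpermissions` (0666) while `[general]` ships `default_perm=permit`, so with both in place every local account that has no section of its own can run every CLI command. The sample should say so next to `default_perm`, for example `; NOTE: with 'permit', any local user who can open asterisk.ctl and is not listed below keeps full CLI access; use 'deny' when the socket is opened beyond trusted admins`, and the header could point to `astctlgroup` with mode 0660 instead of 0666. The per-user text also does not state which rule wins when patterns overlap (`permit=sip show peer` followed by `deny=sip show peers`), and the `[eliel]` example uses `permit=core set` although the comment above it lists only 'core set debug' and 'core set verbose'; one sentence on match order and an example that agrees with the comment would remove the guesswork.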