8 thoughts on - Function SHELL Not Registered

• Did you include func_shell in your Asterisk build?

  Fortunately, it’s no biggie to build a missing module, because the “make”
  command explicitly keeps track of everything it has already done and does not need to do again. Just cd into the folder with your Asterisk source, run
  `make menuselect` and select “func_shell” (under dialplan functions). Then run `make` and finally `make install`.

• I have rebuilt a new version, making sure func_shell was selected, but I am still getting this error.

  —–Original Message—

• Even weirder, when I check in asterisk, using “core show functions”, I can see the function SHELL right there. From what I can find, the call is made from a conf. file, as grep shows:

  globals.conf: G_server=${SHELL(hostname)}

  Is this even correct? The config files are from a much older version of asterisk, which I am trying to update.

  —–Original Message—

• If you just need the name of the system it may be contained in the variable
  ${SYSTEMNAME}.

  This is assuming you have the systemname set in asterisk.conf

  https://wiki.asterisk.org/wiki/display/AST/Asterisk+Main+Configuration+File

  That said, for SHELL support you probably need to set :

  live_dangerously = yes

  Also in your asterisk.conf

  https://wiki.asterisk.org/wiki/display/AST/Privilege+Escalations+with+Dialplan+Functions

• Maybe Asterisk dialplan apps and functions don’t work in the [globals]
  section.

• QWRkaW5nIGxpdmVfZGFuZ2Vyb3VzbHkgZGlkIHRoZSB0cmljay4gVGhhbmtzISBCdXQgaG93IGRh bmdlcm91cyBpcyBBc3RlcmlzayBsaXZpbmcgbm93ID8NCg0KRnJvbTogYXN0ZXJpc2stdXNlcnMt Ym91bmNlc0BsaXN0cy5kaWdpdW0uY29tIFttYWlsdG86YXN0ZXJpc2stdXNlcnMtYm91bmNlc0Bs aXN0cy5kaWdpdW0uY29tXSBPbiBCZWhhbGYgT2YgSm9obiBLaW5pc3Rvbg0KU2VudDogZGluc2Rh ZyA1IGp1bGkgMjAxNiAxNzo0MQ0KVG86IEFzdGVyaXNrIFVzZXJzIE1haWxpbmcgTGlzdCAtIE5v bi1Db21tZXJjaWFsIERpc2N1c3Npb24gPGFzdGVyaXNrLXVzZXJzQGxpc3RzLmRpZ2l1bS5jb20+
  DQpTdWJqZWN0OiBSZTogW2FzdGVyaXNrLXVzZXJzXSBGdW5jdGlvbiBTSEVMTCBub3QgcmVnaXN0
  ZXJlZA0KDQpJZiB5b3UganVzdCBuZWVkIHRoZSBuYW1lIG9mIHRoZSBzeXN0ZW0gaXQgbWF5IGJl IGNvbnRhaW5lZCBpbiB0aGUgdmFyaWFibGUgJHtTWVNURU1OQU1FfS4NClRoaXMgaXMgYXNzdW1p bmcgeW91IGhhdmUgdGhlIHN5c3RlbW5hbWUgc2V0IGluIGFzdGVyaXNrLmNvbmYNCg0KaHR0cHM6
  Ly93aWtpLmFzdGVyaXNrLm9yZy93aWtpL2Rpc3BsYXkvQVNUL0FzdGVyaXNrK01haW4rQ29uZmln dXJhdGlvbitGaWxlDQpUaGF0IHNhaWQsIGZvciBTSEVMTCBzdXBwb3J0IHlvdSBwcm9iYWJseSBu ZWVkIHRvIHNldCA6DQoNCmxpdmVfZGFuZ2Vyb3VzbHkgPSB5ZXMNCkFsc28gaW4geW91ciBhc3Rl cmlzay5jb25mDQoNCmh0dHBzOi8vd2lraS5hc3Rlcmlzay5vcmcvd2lraS9kaXNwbGF5L0FTVC9Q
  cml2aWxlZ2UrRXNjYWxhdGlvbnMrd2l0aCtEaWFscGxhbitGdW5jdGlvbnMNCg0KDQpPbiBUdWUs IEp1bCA1LCAyMDE2IGF0IDc6MjcgQU0sIE1pY2hhZWwgSmVwc29uIDxNaWNoYWVsLkplcHNvbkBj bS5ubDxtYWlsdG86TWljaGFlbC5KZXBzb25AY20ubmw+PiB3cm90ZToNCkV2ZW4gd2VpcmRlciwg d2hlbiBJIGNoZWNrIGluIGFzdGVyaXNrLCB1c2luZyAiY29yZSBzaG93IGZ1bmN0aW9ucyIsIEkg Y2FuIHNlZSB0aGUgZnVuY3Rpb24gU0hFTEwgcmlnaHQgdGhlcmUuDQpGcm9tIHdoYXQgSSBjYW4g ZmluZCwgdGhlIGNhbGwgaXMgbWFkZSBmcm9tIGEgY29uZi4gZmlsZSwgYXMgZ3JlcCBzaG93czoN
  Cg0KZ2xvYmFscy5jb25mOiBHX3NlcnZlcj0ke1NIRUxMKGhvc3RuYW1lKX0NCg0KSXMgdGhpcyBl dmVuIGNvcnJlY3Q/IFRoZSBjb25maWcgZmlsZXMgYXJlIGZyb20gYSBtdWNoIG9sZGVyIHZlcnNp b24gb2YgYXN0ZXJpc2ssIHdoaWNoIEkgYW0gdHJ5aW5nIHRvIHVwZGF0ZS4NCg0KLS0tLS1Pcmln aW5hbCBNZXNzYWdlLS0tLS0NCkZyb206IGFzdGVyaXNrLXVzZXJzLWJvdW5jZXNAbGlzdHMuZGln aXVtLmNvbTxtYWlsdG86YXN0ZXJpc2stdXNlcnMtYm91bmNlc0BsaXN0cy5kaWdpdW0uY29tPiBb bWFpbHRvOmFzdGVyaXNrLXVzZXJzLWJvdW5jZXNAbGlzdHMuZGlnaXVtLmNvbTxtYWlsdG86YXN0
  ZXJpc2stdXNlcnMtYm91bmNlc0BsaXN0cy5kaWdpdW0uY29tPl0gT24gQmVoYWxmIE9mIE1pY2hh ZWwgSmVwc29uDQpTZW50OiBkaW5zZGFnIDUganVsaSAyMDE2IDE2OjA3DQpUbzogQXN0ZXJpc2sg VXNlcnMgTWFpbGluZyBMaXN0IC0gTm9uLUNvbW1lcmNpYWwgRGlzY3Vzc2lvbiA8YXN0ZXJpc2st dXNlcnNAbGlzdHMuZGlnaXVtLmNvbTxtYWlsdG86YXN0ZXJpc2stdXNlcnNAbGlzdHMuZGlnaXVt LmNvbT4+DQpTdWJqZWN0OiBSZTogW2FzdGVyaXNrLXVzZXJzXSBGdW5jdGlvbiBTSEVMTCBub3Qg cmVnaXN0ZXJlZA0KDQpJIGhhdmUgcmVidWlsdCBhIG5ldyB2ZXJzaW9uLCBtYWtpbmcgc3VyZSBm dW5jX3NoZWxsIHdhcyBzZWxlY3RlZCwgYnV0IEkgYW0gc3RpbGwgZ2V0dGluZyB0aGlzIGVycm9y Lg0KDQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogYXN0ZXJpc2stdXNlcnMtYm91
  bmNlc0BsaXN0cy5kaWdpdW0uY29tPG1haWx0bzphc3Rlcmlzay11c2Vycy1ib3VuY2VzQGxpc3Rz LmRpZ2l1bS5jb20+IFttYWlsdG86YXN0ZXJpc2stdXNlcnMtYm91bmNlc0BsaXN0cy5kaWdpdW0u Y29tPG1haWx0bzphc3Rlcmlzay11c2Vycy1ib3VuY2VzQGxpc3RzLmRpZ2l1bS5jb20+XSBPbiBC
  ZWhhbGYgT2YgQSBKIFN0aWxlcw0KU2VudDogbWFhbmRhZyA0IGp1bGkgMjAxNiAwOTozNA0KVG86
  IEFzdGVyaXNrIFVzZXJzIE1haWxpbmcgTGlzdCAtIE5vbi1Db21tZXJjaWFsIERpc2N1c3Npb24g PGFzdGVyaXNrLXVzZXJzQGxpc3RzLmRpZ2l1bS5jb208bWFpbHRvOmFzdGVyaXNrLXVzZXJzQGxp c3RzLmRpZ2l1bS5jb20+Pg0KU3ViamVjdDogUmU6IFthc3Rlcmlzay11c2Vyc10gRnVuY3Rpb24g U0hFTEwgbm90IHJlZ2lzdGVyZWQNCg0KT24gTW9uZGF5IDA0IEp1bCAyMDE2LCBNaWNoYWVsIEpl cHNvbiB3cm90ZToNCj4gSGkgYWxsLA0KPg0KPiBJIGFtIGdldHRpbmcgdGhlIGZvbGxvd2luZyBl cnJvciB3aGVuIHN0YXJ0aW5nIGFzdGVyaXNrOg0KPiBwYnhfZnVuY3Rpb25zLmM6IEZ1bmN0aW9u IFNIRUxMIG5vdCByZWdpc3RlcmVkDQo+DQo+IFNvbWUgb2YgbXkgY29uZiBmaWxlcyB1c2UgYSBT
  SEVMTCBjb21tYW5kLCB3aGljaCB1c2VkIHRvIHdvcmsgd2l0aCBhbg0KPiBvbGRlciB2ZXJzaW9u IG9mIGFzdGVyaXNrLCBidXQgbm93IHdpdGggdmVyc2lvbiAxMy45LjEgSSBzZWUgdGhpcw0KPiB3
  YXJuaW5nIGluIHRoZSBlcnJvciBsb2cuIEhvdyBjYW4gSSByZWdpc3RlciB0aGUgU0hFTEwgZnVu Y3Rpb24/IEZyb20NCj4gd2hhdCBJIGNhbiBmaW5kIGluIHRoZSB3aWtpJ3MsIGl0IHNob3VsZCBq dXN0IGJlIGF2YWlsYWJsZT8NCj4NCj4gQmVzdCByZWdhcmRzLA0KPg0KPiBNaWNoYWVsIEplcHNv bg0KDQpEaWQgeW91IGluY2x1ZGUgZnVuY19zaGVsbCBpbiB5b3VyIEFzdGVyaXNrIGJ1aWxkPw0K
  DQpGb3J0dW5hdGVseSwgaXQncyBubyBiaWdnaWUgdG8gYnVpbGQgYSBtaXNzaW5nIG1vZHVsZSwg YmVjYXVzZSB0aGUgIm1ha2UiDQpjb21tYW5kIGV4cGxpY2l0bHkga2VlcHMgdHJhY2sgb2YgZXZl cnl0aGluZyBpdCBoYXMgYWxyZWFkeSBkb25lIGFuZCBkb2VzIG5vdCBuZWVkIHRvIGRvIGFnYWlu LiAgSnVzdCBjZCBpbnRvIHRoZSBmb2xkZXIgd2l0aCB5b3VyIEFzdGVyaXNrIHNvdXJjZSwgcnVu IGBtYWtlIG1lbnVzZWxlY3RgIGFuZCBzZWxlY3QgImZ1bmNfc2hlbGwiICAodW5kZXIgZGlhbHBs YW4gZnVuY3Rpb25zKS4gIFRoZW4gcnVuIGBtYWtlYCBhbmQgZmluYWxseSBgbWFrZSBpbnN0YWxs YC4NCg0KLS0NCkFKUw0KDQpOb3RlOiAgT3JpZ2luYXRpbmcgYWRkcmVzcyBvbmx5IGFjY2VwdHMg ZS1tYWlsIGZyb20gbGlzdCEgIElmIHJlcGx5aW5nIG9mZi0gbGlzdCwgY2hhbmdlIGFkZHJlc3Mg dG8gYXN0ZXJpc2sxbGlzdCBhdCBlYXJ0aHNob2QgZG90IGNvIGRvdCB1ayAuDQoNCi0tDQpfX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX18NCi0tIEJhbmR3aWR0aCBhbmQgQ29sb2NhdGlvbiBQcm92aWRlZCBieSBodHRwOi8v d3d3LmFwaS1kaWdpdGFsLmNvbSAtLSBOZXcgdG8gQXN0ZXJpc2s/IEpvaW4gdXMgZm9yIGEgbGl2
  ZSBpbnRyb2R1Y3Rvcnkgd2ViaW5hciBldmVyeSBUaHVyczoNCiAgICAgICAgICAgICAgIGh0dHA6
  Ly93d3cuYXN0ZXJpc2sub3JnL2hlbGxvDQoNCmFzdGVyaXNrLXVzZXJzIG1haWxpbmcgbGlzdA0K
  VG8gVU5TVUJTQ1JJQkUgb3IgdXBkYXRlIG9wdGlvbnMgdmlzaXQ6DQogICBodHRwOi8vbGlzdHMu ZGlnaXVtLmNvbS9tYWlsbWFuL2xpc3RpbmZvL2FzdGVyaXNrLXVzZXJzDQoNCi0tDQpfX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX18NCi0tIEJhbmR3aWR0aCBhbmQgQ29sb2NhdGlvbiBQcm92aWRlZCBieSBodHRwOi8vd3d3
  LmFwaS1kaWdpdGFsLmNvbSAtLSBOZXcgdG8gQXN0ZXJpc2s/IEpvaW4gdXMgZm9yIGEgbGl2ZSBp bnRyb2R1Y3Rvcnkgd2ViaW5hciBldmVyeSBUaHVyczoNCiAgICAgICAgICAgICAgIGh0dHA6Ly93
  d3cuYXN0ZXJpc2sub3JnL2hlbGxvDQoNCmFzdGVyaXNrLXVzZXJzIG1haWxpbmcgbGlzdA0KVG8g VU5TVUJTQ1JJQkUgb3IgdXBkYXRlIG9wdGlvbnMgdmlzaXQ6DQogICBodHRwOi8vbGlzdHMuZGln aXVtLmNvbS9tYWlsbWFuL2xpc3RpbmZvL2FzdGVyaXNrLXVzZXJzDQoNCi0tDQpfX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X18NCi0tIEJhbmR3aWR0aCBhbmQgQ29sb2NhdGlvbiBQcm92aWRlZCBieSBodHRwOi8vd3d3LmFw aS1kaWdpdGFsLmNvbSAtLQ0KTmV3IHRvIEFzdGVyaXNrPyBKb2luIHVzIGZvciBhIGxpdmUgaW50
  cm9kdWN0b3J5IHdlYmluYXIgZXZlcnkgVGh1cnM6DQogICAgICAgICAgICAgICBodHRwOi8vd3d3
  LmFzdGVyaXNrLm9yZy9oZWxsbw0KDQphc3Rlcmlzay11c2VycyBtYWlsaW5nIGxpc3QNClRvIFVO
  U1VCU0NSSUJFIG9yIHVwZGF0ZSBvcHRpb25zIHZpc2l0Og0KICAgaHR0cDovL2xpc3RzLmRpZ2l1
  bS5jb20vbWFpbG1hbi9saXN0aW5mby9hc3Rlcmlzay11c2Vycw0KDQoNCg0KLS0NCkEgaHVtYW4g YmVpbmcgc2hvdWxkIGJlIGFibGUgdG8gY2hhbmdlIGEgZGlhcGVyLCBwbGFuIGFuIGludmFzaW9u LCBidXRjaGVyIGEgaG9nLCBjb25uIGEgc2hpcCwgZGVzaWduIGEgYnVpbGRpbmcsIHdyaXRlIGEg c29ubmV0LCBiYWxhbmNlIGFjY291bnRzLCBidWlsZCBhIHdhbGwsIHNldCBhIGJvbmUsIGNvbWZv cnQgdGhlIGR5aW5nLCB0YWtlIG9yZGVycywgZ2l2ZSBvcmRlcnMsIGNvb3BlcmF0ZSwgYWN0IGFs b25lLCBzb2x2ZSBlcXVhdGlvbnMsIGFuYWx5emUgYSBuZXcgcHJvYmxlbSwgcGl0Y2ggbWFudXJl LCBwcm9ncmFtIGEgY29tcHV0ZXIsIGNvb2sgYSB0YXN0eSBtZWFsLCBmaWdodCBlZmZpY2llbnRs eSwgZGllIGdhbGxhbnRseS4gU3BlY2lhbGl6YXRpb24gaXMgZm9yIGluc2VjdHMuDQotLS1IZWlu bGVpbg0K

• From README-SERIOUSLY.bestpractices.txt:

  ==========================Avoid Privilege Escalations
  ==========================
  External control protocols, such as Manager, often have the ability to get and set channel variables; which allows the execution of dialplan functions.

  Dialplan functions within Asterisk are incredibly powerful, which is wonderful for building applications using Asterisk. But during the read or write execution, certain diaplan functions do much more. For example, reading the SHELL() function can execute arbitrary commands on the system Asterisk is running on. Writing to the FILE() function can change any file that Asterisk has write access to.

  When these functions are executed from an external protocol, that execution could result in a privilege escalation. Asterisk can inhibit the execution of these functions, if live_dangerously in the [options] section of asterisk.conf is set to no.

  In Asterisk 12 and later, live_dangerously defaults to no.

  When setting ‘live_dangerously’ to yes, you are taking responsibility for preventing permission escalation for those dialplan functions that can alter the underlying system. In addition to running Asterisk as a non-root user – which is always a good idea – your external applications should be sanitizing data passed through to said dialplan functions, and should implement their own stringent access control.

  Matt

• I must admit, still using an ancient Asterisk version, I didn’t know about live_dangerously. But it sort of makes sense.

  It is somewhat dangerous to have a function that can execute arbitrary system commands, especially as root. Just how dangerous depends on what commands can end up being executed. For instance, it probably would -not- be a good idea to include something like

  exten => 666,1,NoOp(${SHELL(/sbin/init 0)})

  in a dialplan on a production server …..

  Just be careful what commands you execute and what parameters you feed to them. You might even want to use a wrapper script around anything that could misbehave if given a wrong parameter (especially if the paramters depend on anything user-settable); do a quick sanity-check in the script itself, and only execute the “real” command if everything is within the range you expect.

  And don’t think that blocking SHELL() makes your Asterisk server magically safe. You can still run dangerous system commands from within an AGI script.