summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Kemp <steve@steve.org.uk>2015-12-17 17:48:42 +0200
committerSteve Kemp <steve@steve.org.uk>2015-12-17 17:48:42 +0200
commit1b0548485335df7735abc2c66280b31aa98d866c (patch)
tree433596cc97ace79afdf46e8d1dbe96b14374d5f0
parent16583d185bb2d608c258464bb4a80a6c310df0cd (diff)
Remove references to beanstalkd
-rw-r--r--SECURITY26
1 files changed, 10 insertions, 16 deletions
diff --git a/SECURITY b/SECURITY
index 42ffc18..c6bd1f5 100644
--- a/SECURITY
+++ b/SECURITY
@@ -4,12 +4,12 @@
custodian-enqueue
-----------------
-We open a single named file so that we may parse tests. There seems no harm in this,
-because the user must have permission to parse the file.
+We open a single named file so that we may parse tests. There seems no harm in
+this, because the user must have permission to parse the file.
-To successfully enqueue jobs that have been parsed the user must be able to talk to the
-beanstalkd queue - but this happens over TCP, so there is no need to run the parsing
-tool as root, and this is generally discouraged.
+To successfully enqueue jobs that have been parsed the user must be able to
+talk to the queue - but this happens over TCP, so there is no need to run the
+parsing tool as root, and this is generally discouraged.
Conclusion: The enqueuing process contains no security risks.
@@ -30,8 +30,7 @@ So the following configuration file snippet potentially allows a command to be e
$(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".
-Given that anybody who can talk to the beanstalkd server can submit jobs we cannot rely on catching
-this solely in the parser.
+Given that anybody who can talk to the queue can submit jobs we cannot rely on catching this solely in the parser.
For the moment we've solved the case of the ping-exploitation, by validating
that hostnames passed to the multi-ping command match ^[a-z0-9.-]$ - in both
@@ -41,8 +40,7 @@ possible forms:
* Ensure the hostname is valid before adding the job to the queue.
-We are careful to run the system command in the Ruby array-format, which will bypass shell
-exploitation.
+We are careful to run the system command in the Ruby array-format, which will bypass shell exploitation.
Conclusion: There are no obvious security concerns in the dequeuing process.
@@ -51,20 +49,16 @@ Conclusion: There are no obvious security concerns in the dequeuing process.
General
-------
-We pull arbitrary jobs from the queue, and it is possible an attacker could add malicious
-entries.
-
-We could sign tests to prevent trojan malformed lines from being processed, but this is
-not yet done. (It isn't obvious if this would be a sensible addition either.)
+We pull arbitrary jobs from the queue, and it is possible an attacker could add malicious entries.
+We could sign tests to prevent trojan malformed lines from being processed, but this is not yet done. (It isn't obvious if this would be a sensible addition either.)
Anything else?
--------------
-DoS attacks seem likely - the simple case would be to stuff the queue with sufficiently many
-"bogus" jobs that "real" jobs are never completed.
+DoS attacks seem likely - the simple case would be to stuff the queue with sufficiently many "bogus" jobs that "real" jobs are never completed.