summaryrefslogtreecommitdiff
path: root/SECURITY
diff options
context:
space:
mode:
authorSteve Kemp <steve@steve.org.uk>2012-11-18 15:24:13 +0000
committerSteve Kemp <steve@steve.org.uk>2012-11-18 15:24:13 +0000
commit95630b87dad8bd068068af2ea2bb96f616f04dbe (patch)
tree818fb951cbfc0d7f3632422142d906717a1ad700 /SECURITY
parent0ed05e3cb2ff25266429d1b4fbcefbe907093077 (diff)
Updated
Diffstat (limited to 'SECURITY')
-rw-r--r--SECURITY24
1 files changed, 12 insertions, 12 deletions
diff --git a/SECURITY b/SECURITY
index f3e39b0..78779fc 100644
--- a/SECURITY
+++ b/SECURITY
@@ -12,15 +12,12 @@ custodian-enqueue
custodian-dequeue
-----------------
- Two tests pass arguments from the configuration file to
- the shell:
+ Two tests pass arguments from the configuration file to the shell:
ping
-
http/https
- The hostname used to ping, and the url, are both passed
- directly to the shell with no encoding or sanitizing.
+ The hostname used to ping, and the url, are both passed directly to the shell with no encoding or sanitizing.
This means a test such as the following is a risk:
@@ -30,8 +27,7 @@ custodian-dequeue
^([^\s]+)\s+
- So in real terms the only risk is commands without
- spaces:
+ So in real terms the only risk is commands without spaces:
$(/tmp/exploit.sh) must run ping
@@ -41,13 +37,17 @@ custodian-dequeue
-general
+General
-------
- We decode arbitrary JSON from the queue. We should sign
- it, or validate it. This will prevent trojan malformed
- JSON from being added.
+We decode arbitrary JSON from the queue. We should sign it, or validate it to will prevent trojan malformed
+JSON from being added.
+
+At the moment we ensure that the job-body we retrieve looks JSON-like, and decodes to a non-empty hash.
+
+Problem: We cannot sign the body without giving away our key details.
+Solution: Read /etc/custodian/salt, and store the checksum of all keys + values with that salt?
TODO
@@ -58,4 +58,4 @@ TODO
Steve
--- \ No newline at end of file
+--