From 95630b87dad8bd068068af2ea2bb96f616f04dbe Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Sun, 18 Nov 2012 15:24:13 +0000 Subject: Updated --- SECURITY | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/SECURITY b/SECURITY index f3e39b0..78779fc 100644 --- a/SECURITY +++ b/SECURITY @@ -12,15 +12,12 @@ custodian-enqueue custodian-dequeue ----------------- - Two tests pass arguments from the configuration file to - the shell: + Two tests pass arguments from the configuration file to the shell: ping - http/https - The hostname used to ping, and the url, are both passed - directly to the shell with no encoding or sanitizing. + The hostname used to ping, and the url, are both passed directly to the shell with no encoding or sanitizing. This means a test such as the following is a risk: @@ -30,8 +27,7 @@ custodian-dequeue ^([^\s]+)\s+ - So in real terms the only risk is commands without - spaces: + So in real terms the only risk is commands without spaces: $(/tmp/exploit.sh) must run ping @@ -41,13 +37,17 @@ custodian-dequeue -general +General ------- - We decode arbitrary JSON from the queue. We should sign - it, or validate it. This will prevent trojan malformed - JSON from being added. +We decode arbitrary JSON from the queue. We should sign it, or validate it to will prevent trojan malformed +JSON from being added. + +At the moment we ensure that the job-body we retrieve looks JSON-like, and decodes to a non-empty hash. + +Problem: We cannot sign the body without giving away our key details. +Solution: Read /etc/custodian/salt, and store the checksum of all keys + values with that salt? TODO @@ -58,4 +58,4 @@ TODO Steve --- \ No newline at end of file +-- -- cgit v1.2.1
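Review bot: in the first hunk (@@ -12,15 +12,12 @@) the `- http/https` list entry is removed, but the surrounding text still says "Two tests pass arguments from the configuration file to the shell" and "The hostname used to ping, and the url, are both passed directly to the shell", so the paragraph and the list now contradict each other. Either keep the http/https entry (if that test still shells out with the url) or change the prose to say one test and drop "and the url". A commit that only reflows text should not silently drop a listed affected component; if it is intentional, say so in the commit message.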
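Review bot: the second hunk (@@ -30,8 +27,7 @@) keeps the claim that, because of the `^([^\s]+)\s+` match, "the only risk is commands without spaces". That understates the problem and presents the regex as a mitigation when it is not one: a shell command does not need literal whitespace (the file's own example `$(/tmp/exploit.sh)` has none, and `${IFS}` substitutes for a space inside a command substitution). Rather than characterising the residual risk, the SECURITY file should state the actual fix: invoke ping/the HTTP fetcher with the hostname or url as a separate argument vector element so no shell is involved, and reject hostnames that contain anything outside the characters a hostname can legitimately have.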
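Review bot: the third hunk (@@ -41,13 +37,17 @@) has a grammar slip in the merged sentence, "validate it to will prevent trojan malformed JSON" should read "validate it, which will prevent trojan malformed JSON" (or keep the original two sentences). The added lines also drop the leading space that every other paragraph in this file has (the removed lines start with a space, the added ones do not), so this section no longer lines up with the rest. On the proposed design, "store the checksum of all keys + values with that salt" is a MAC built by hand, and if the contents of /etc/custodian/salt must stay secret it is a key, not a salt. Specify the construction in the document: an HMAC (e.g. HMAC-SHA256) over a canonical serialisation of the job (keys sorted, an unambiguous delimiter between every key and value), not a plain digest of salt plus concatenated strings, because undelimited concatenation lets different key/value splits produce the same input and hash(secret || data) with MD5/SHA-1/SHA-2 is open to length extension. Also say where the checksum travels (a field in the job body), that it is verified before the decoded hash is acted on, and that any host or user able to read the salt file can forge jobs, so the "giving away our key details" problem is moved rather than solved.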