custodian-enqueue
-----------------

  We open named files from the user to parse tests.

  We don't run shell commands.


custodian-dequeue
-----------------

  Two tests pass arguments from the configuration file to the shell:

    ping
    http/https

  The hostname used to ping, and the url, are both passed directly to the shell with no encoding or sanitizing.

  This means a test such as the following is a risk:

 $(touch /tmp/blah) must run ping.

  HOWEVER the hostname will pass the following regexp:

^([^\s]+)\s+

  So in real terms the only risk is commands without spaces:


  $(/tmp/exploit.sh) must run ping


  TODO: Fix this



General
-------

We decode arbitrary JSON from the queue.  We should sign it, or validate it to  will prevent trojan malformed
JSON from being added.

At the moment we ensure that the job-body we retrieve looks JSON-like, and decodes to a non-empty hash.

Problem: We cannot sign the body without giving away our key details.

Solution: Read /etc/custodian/salt, and store the checksum of all keys + values with that salt?


TODO
----

  Anything else?  DoS attacks?



Steve
--