custodian-enqueue
-----------------

  We open named files from the user to parse tests.  The configuration file(s)
 are currently opened by root, via /etc/service/custodian-enqueue.  This should
 be changed to run as a lower-privileged user.




custodian-dequeue
-----------------

One test passes arguments from the configuration file to the shell:

    ping

The hostname used to ping will be used assuming it matches the following regular expression:

^([^\s]+)\s+

So the following configuration file snippet potentially allows a command to be executed by our worker:

    $(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".

Given that anybody who can talk to the beanstalkd server can submit jobs we cannot rely on catching this solely in the parser.

For the moment we've solved the case of the ping-exploitation, by validating
that hostnames passed to the multi-ping command match ^[a-z0-9.-]$ - both forms
of input are validated:

  * Ensuring the hostname is valid prior to executing the shell command.

  * Ensure the hostname is valid before adding the job to the queue.




General
-------

We decode arbitrary jobs from the queue.  We should sign them, or validate them to prevent trojan malformed lines from being added.




TODO
----

  Anything else?  DoS attacks?



Steve
--