custodian-enqueue
-----------------

We open named files from the user to parse tests.

The configuration file(s) are currently opened by root, via
/etc/service/custodian-enqueue.  This should be changed to run as a
lower-privileged user.


custodian-dequeue
-----------------

One test passes arguments from the configuration file to the shell: ping

The hostname used to ping will be used assuming it matches the following
regular expression:

    ^([^\s]+)\s+

So the following configuration file snippet potentially allows a command
to be executed by our worker:

    $(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".

Given that anybody who can talk to the beanstalkd server can submit jobs
we cannot rely on catching this solely in the parser.

For the moment we've solved the case of the ping-exploitation by
validating that hostnames passed to the multi-ping command match

    ^[a-z0-9.-]+$

Both forms of input are validated:

  * Ensuring the hostname is valid prior to executing the shell command.
  * Ensuring the hostname is valid before adding the job to the queue.


General
-------

We decode arbitrary jobs from the queue.  We should sign them, or
otherwise validate them, to prevent malicious or malformed jobs from
being added.


TODO
----

Anything else?  DoS attacks?

Steve
--
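The two-sided hostname check described above, worked through as an added example in Ruby (custodian's language). This is not custodian's own code: the function names, the exact "X must ping otherwise Y" grammar accepted by parse_ping_line, and the argv-form ping invocation are assumptions made for the example. It contrasts the loose "up to the first whitespace" extraction with a whole-string allow-list, and shows the enqueue-side and dequeue-side checks sharing one predicate.

```ruby
# Added example (not custodian's own code): validating a hostname taken from a
# "X must ping otherwise Y" test line before it can reach a shell command.
#
# Assumptions (not from the original notes): the function names, the exact
# test-line grammar, and running ping via Ruby's argv form of system/spawn.

# Strict allow-list for hostnames: lowercase letters, digits, dot and hyphen.
# \A and \z anchor the whole string.  Ruby's ^ and $ match per *line*, so a
# value such as "host\n$(id)" would pass a ^...$ check; \A...\z rejects it.
HOSTNAME_RE = /\A[a-z0-9.-]+\z/

# The loose pattern from the original parser: "everything up to the first
# whitespace".  It accepts shell syntax such as $(...) unchanged.
LOOSE_RE = /^([^\s]+)\s+/

def hostname_valid?(host)
  # String#match? returns true/false without allocating MatchData.
  HOSTNAME_RE.match?(host.to_s)
end

# Extract the hostname and failure message from a
# '<host> must ping otherwise "<msg>".' line.  Returns nil for anything else.
def parse_ping_line(line)
  m = line.match(/\A(\S+)\s+must\s+ping\s+otherwise\s+"([^"]*)"\.?\s*\z/)
  return nil unless m
  { host: m[1], message: m[2] }
end

# Dequeue-side check: build the argv for the ping.  Running it with
# system(*argv) or Process.spawn(*argv) never involves /bin/sh, so $(...)
# could not be interpreted even if it slipped past the allow-list, and the
# "--" stops a hostname beginning with "-" from being read as a ping option.
# Raises ArgumentError for anything that fails the allow-list.
def ping_argv(host)
  raise ArgumentError, "rejected hostname: #{host.inspect}" unless hostname_valid?(host)
  ["ping", "-c", "1", "--", host]
end

# Enqueue-side check: the same predicate applied before a job is added to
# beanstalkd.  Returns true only if the line parses and the host is clean.
def enqueue_allowed?(line)
  job = parse_ping_line(line)
  return false if job.nil?
  hostname_valid?(job[:host])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lines: one benign, one carrying the injection from the notes.
  samples = [
    'www.example.com must ping otherwise "www down".',
    '$(/home/steve/hg/custodian/exploit.sh) must ping otherwise "Owned".',
  ]
  samples.each do |line|
    loose = line[LOOSE_RE, 1]
    puts line
    puts "  loose regex extracts: #{loose.inspect}"
    puts "  enqueue allowed:      #{enqueue_allowed?(line)}"
  end
end
```

Validating in both places matters because, as the notes say, anyone who can reach beanstalkd can bypass the enqueue path; the dequeue-side check is the one that actually protects the worker, and the enqueue-side check only gives operators an early, friendlier error. Taking the shell out of the ping invocation altogether is the cheaper defence and does not depend on the allow-list being perfect.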