author    bnewbold <bnewbold@robocracy.org> 2012-12-25 22:13:28 +0100
committer bnewbold <bnewbold@robocracy.org> 2012-12-25 22:13:28 +0100
commit    6e629a8f6731cf2d5291eb353c01ec4823bc89b3 (patch)
tree      114e08b656ed310114633f438258f7d727c27339
parent    88ce810a6dc50ed02f7eb3712192823b4e5d5ca6 (diff)
download  exmachina-6e629a8f6731cf2d5291eb353c01ec4823bc89b3.tar.gz
          exmachina-6e629a8f6731cf2d5291eb353c01ec4823bc89b3.zip
add notes and TODO from nick's audit
-rw-r--r-- README  8
-rw-r--r-- TODO    7
2 files changed, 15 insertions, 0 deletions
diff --git a/README b/README
index b9f759f..7fbc898 100644
--- a/README
+++ b/README
@@ -27,6 +27,10 @@ probably escalate privileges one way or another (install arbitrary packages,
reconfigure networks, enable callback scripts, edit system configuration
files).
+The server and client processes should be one-to-one: only one client should
+ever connect to the server. The init_test.sh script shows how this could be
+achieved in a SysV-style /etc/init.d script.
+
The intended use case is writing a user-friendly web control panel for a Debian
server or router: the web designer creating the user interface should not be
overly concerned with writing secure code, and the web application itself
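Review bot: The new paragraph states the one-to-one client/server constraint as a requirement but does not say who enforces it; the only mechanism mentioned is the init_test.sh arrangement, while the TODO added in this same commit ("server: only allow one auth ever. close and quit after client closes.") indicates the server itself does not yet refuse a second client. Suggest saying explicitly that enforcement currently relies on the init script and that in-process enforcement is pending, so a reader who deploys without that script does not assume the protection is already in place.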
@@ -72,6 +76,10 @@ Features:
* call augeas API: match, set, setm, get, save, move, insert, remove
* call init.d service scripts: status, start, stop, restart
+In late 2012 Nick Daly (of the FreedomBox project) wrote up a brief audit of
+this code and concept on his blog (https://www.betweennowhere.net/). Link is
+frequantly broken.
+
### Dependencies (server)
* augeas configuration editing library
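Review bot: Typo on the last added line of this hunk: "frequantly" should be "frequently". The link also points at the blog root rather than the audit post itself; since the text already notes the link is often broken, consider adding the post title and date (or an archived URL) so the audit stays findable when the URL changes.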
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..1ce9b5c
--- /dev/null
+++ b/TODO
@@ -0,0 +1,7 @@
+- socket overwriting problem; use directory trick?
+- strengthen default permissions on socket
+- comment socket code
+- client: if authentication fails, then bail
+- server: only allow one auth ever. close and quit after client closes.
+- document per-app socket naming intention
+- hash secret key, salted with 'exmachina'
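Review bot: The last item, "hash secret key, salted with 'exmachina'", names a constant string as the salt; a fixed salt only gives domain separation and does not make each installation's hash distinct, so if the aim is to avoid storing or comparing the raw secret, the item should state whether a per-install random salt (stored next to the hash) is intended. The first item, "use directory trick?", would read more clearly with a note that the trick depends on the parent directory having restrictive permissions, which is also what the "strengthen default permissions on socket" item below is about.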