From 6e629a8f6731cf2d5291eb353c01ec4823bc89b3 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Tue, 25 Dec 2012 22:13:28 +0100 Subject: add notes and TODO from nick's audit --- README | 8 ++++++++ TODO | 7 +++++++ 2 files changed, 15 insertions(+) create mode 100644 TODO diff --git a/README b/README index b9f759f..7fbc898 100644 --- a/README +++ b/README @@ -27,6 +27,10 @@ probably escalate privileges one way or another (install arbitrary packages, reconfigure networks, enable callback scripts, edit system configuration files). +The server and client processes should be one-to-one: only one client should +ever connect to the server. The init_test.sh script shows how this could be +achieved in a SysV-style /etc/init.d script. + The intended use case is writing a user-friendly web control panel for a Debian server or router: the web designer creating the user interface should not be overly concerned with writing secure code, and the web application itself @@ -72,6 +76,10 @@ Features: * call augeas API: match, set, setm, get, save, move, insert, remove * call init.d service scripts: status, start, stop, restart +In late 2012 Nick Daly (of the FreedomBox project) wrote up a brief audit of +this code and concept on his blog (https://www.betweennowhere.net/). Link is +frequantly broken. + ### Dependencies (server) * augeas configuration editing library diff --git a/TODO b/TODO new file mode 100644 index 0000000..1ce9b5c --- /dev/null +++ b/TODO @@ -0,0 +1,7 @@ +- socket overwriting problem; use directory trick? +- strengthen default permissions on socket +- comment socket code +- client: if authentication fails, then bail +- server: only allow one auth ever. close and quit after client closes. +- document per-app socket naming intention +- hash secret key, salted with 'exmachina' -- cgit v1.2.3
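Review bot: the first README hunk reads as if the one-to-one client/server relationship were enforced ("only one client should ever connect to the server"), but the TODO file added in this same commit still lists "server: only allow one auth ever. close and quit after client closes." as open work, so the sentence describes an intention rather than current behaviour. Suggest wording it as a design requirement that the server does not yet enforce, and saying in one sentence what init_test.sh actually does to keep the pairing one-to-one so a reader does not have to open the script to understand the claim.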
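Review bot: in the second README hunk, "frequantly" should be "frequently", and the reference points at the blog root (https://www.betweennowhere.net/) rather than at the audit post itself, which the hunk already admits is hard to reach. Suggest recording the post's title and date next to the link, and keeping a copy of the audit findings in the repository (the TODO entries added here are a start) so the information survives the link going stale.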
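Review bot: the TODO entry "hash secret key, salted with 'exmachina'" uses a single fixed literal as the salt, which gives every installation the same salt and so defeats the purpose of salting; the note should call for a per-installation random salt (and, since the hashed value guards authentication, a purpose-built password/key hashing function rather than a bare hash). The neighbouring entries "socket overwriting problem; use directory trick?" and "strengthen default permissions on socket" would also be more actionable if they spelled out the intended mechanism, for example binding the socket inside a freshly created directory with restrictive permissions, so whoever picks up the TODO knows what "directory trick" refers to.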