From 6e629a8f6731cf2d5291eb353c01ec4823bc89b3 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Tue, 25 Dec 2012 22:13:28 +0100 Subject: add notes and TODO from nick's audit --- README | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'README') diff --git a/README b/README index b9f759f..7fbc898 100644 --- a/README +++ b/README @@ -27,6 +27,10 @@ probably escalate privileges one way or another (install arbitrary packages, reconfigure networks, enable callback scripts, edit system configuration files). +The server and client processes should be one-to-one: only one client should +ever connect to the server. The init_test.sh script shows how this could be +achieved in a SysV-style /etc/init.d script. + The intended use case is writing a user-friendly web control panel for a Debian server or router: the web designer creating the user interface should not be overly concerned with writing secure code, and the web application itself @@ -72,6 +76,10 @@ Features: * call augeas API: match, set, setm, get, save, move, insert, remove * call init.d service scripts: status, start, stop, restart +In late 2012 Nick Daly (of the FreedomBox project) wrote up a brief audit of +this code and concept on his blog (https://www.betweennowhere.net/). Link is +frequantly broken. + ### Dependencies (server) * augeas configuration editing library -- cgit v1.2.3
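Review bot: In the first README hunk (@@ -27,6 +27,10), the new paragraph states the one-to-one rule only as a "should" and does not say whether the server enforces it or what happens when a second client connects. The surrounding context says a client can "probably escalate privileges one way or another", so a reader needs to know whether the single-client property is a guarantee of the server or depends entirely on how the init script launches the pair. Suggest saying which it is, and replacing "shows how this could be achieved" with a one-line description of the mechanism init_test.sh uses.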
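Review bot: In the second README hunk (@@ -72,6 +76,10), the audit reference points at the blog's front page rather than the post itself, and the added text itself says the link is often broken, so the audit's content is effectively not reachable from this README. Suggest linking the specific post (or an archived copy) and summarizing the audit's findings in a sentence or two so that they survive the link. The subject line promises "notes and TODO", but no TODO item appears in the added lines. "frequantly" should be "frequently". The paragraph also sits directly under the "Features:" bullet list, where it reads as part of the feature list; a short heading of its own or a spot next to the security discussion would fit better.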