http://forums.fedoraforum.org – Hey there, I've recently setup a simple service application using xinetd, which calls a bash script to allow users to check for specific events into a log file. The contents of this logfile is not sensitive, so no need to SSL or password. Though, my only concern about it is the possibility (or not) of sending malicious requests to the service and causing execution of malicious code. I've seen similar bash issues discussed briefly many times, but never actually seen any solid point of how much of this is a fact, or myth. Users would connect to this service using netcat or telnet. I've tested some trivial attempts, like sending tricky characters into the request, but so far it looks like there's no way to do that sort of stuff. So my question here is, considering the following code below, would be possible for an attacker to exploit it? How safe it is to have this sort of application running as a server? Thanks in advance. # /etc/xinetd.conf Code: service logfile-search { server = /home/guest/logfile-search.bash socket_type = stream wait = no instances = 5 per_source = 1 user = guest nice = 15 log_type = FILE /home/guest/logfile-search.bash.access.log log_on_success = HOST DURATION EXIT log_on_failure = HOST } # /etc/services Code: logfile-search 30000/tcp # /home/guest/logfile-search.bash Code: #!/bin/bash trap "" 2 3 24 echo -n "Enter search string: " ; read -t 120 if [ "$REPLY" ]; then echo "`date` - $REMOTE_HOST - $REPLY" >>/home/guest/logfile-search.bash.search.log grep -i "$REPLY" /home/guest/logfile.txt fi exit (HowTos)
Email this page
