1

xinetd and bash scripts

view story
linux-howto

http://forums.fedoraforum.org – Hey there, I've recently setup a simple service application using xinetd, which calls a bash script to allow users to check for specific events into a log file. The contents of this logfile is not sensitive, so no need to SSL or password. Though, my only concern about it is the possibility (or not) of sending malicious requests to the service and causing execution of malicious code. I've seen similar bash issues discussed briefly many times, but never actually seen any solid point of how much of this is a fact, or myth. Users would connect to this service using netcat or telnet. I've tested some trivial attempts, like sending tricky characters into the request, but so far it looks like there's no way to do that sort of stuff. So my question here is, considering the following code below, would be possible for an attacker to exploit it? How safe it is to have this sort of application running as a server? Thanks in advance. # /etc/xinetd.conf Code: service logfile-search {         server                        = /home/guest/logfile-search.bash         socket_type                = stream         wait                        = no         instances                = 5         per_source                = 1         user                        = guest         nice                        = 15         log_type                = FILE /home/guest/logfile-search.bash.access.log         log_on_success                = HOST DURATION EXIT         log_on_failure                = HOST } # /etc/services Code: logfile-search        30000/tcp # /home/guest/logfile-search.bash Code: #!/bin/bash trap "" 2 3 24 echo -n "Enter search string: " ; read -t 120 if [ "$REPLY" ]; then   echo "`date` - $REMOTE_HOST - $REPLY" >>/home/guest/logfile-search.bash.search.log   grep -i "$REPLY" /home/guest/logfile.txt fi exit (HowTos)