
Re: Bug#170069: ITP: grunt -- Secure remote execution via UUCP or e-mail using GPG



On Fri, Nov 22, 2002 at 12:43:28AM -0500, Joey Hess wrote:
> This is interesting. I've been planning to add play-by-mail support to
> my mooix moo, but have held off because I didn't want to tackle doing it
> securely. But if I can just use grunt and it turns out to be secure..
> that'd be sweet. I hope that grunt lets you just compose commands with a
> standard mailer, without having to run some command on your system to
> set up the random block John mentions. For my (very specific) purposes,
> it would be nice if it could be used without gpg, from any system that
> can send and receive mail.

GPG is integral to grunt's security, so you won't be able to run it without
GPG.

You invoke GRUNT with simple commands like:

gruntsend file.txt jgoerzen@remotemachine destination/file.txt

or

gruntrun jgoerzen@remotemachine 'cdrecord -v dev=1,1,0 -eject' < file.iso

or

gruntrun jgoerzen@remotemachine somebatchjob.sh

That is, it's mostly designed for things like batch jobs -- things that
don't depend on being executed in any particular order.

When you run gruntsend or gruntrun, you'll have to enter in your GPG
passphrase to sign the message.

The receiver has the aging restrictions described before.  Though it can be
tuned -- you could set it down to 60 minutes if that's more appropriate for
your setting.  I'm also still tweaking things until I make the first
release -- I want to get the protocol set before that.

I am confident that Grunt is secure.  There is no way to make your system
execute commands that you did not request, nor for an attacker to use a
replay attack.  It is possible, as some have brought up, to delay a command. 
Though you can set the window in which commands are allowed, and can set it
to whatever you like.

> This could be especially amusing if the first, delayed email was:
> 
>   cd /tmp
> 
> And the second was:
> 
>   rm -rf *

Grunt doesn't preserve any notion of a session (think of it sort of like
'at', maybe?)  It's more designed to be able to execute 'batch' type of
commands.  That is, "here's this chunk of data, go do something intensive
with it".  It's also designed to help with people that need to use a
"modified sneakernet" to get data around -- i.e., a slow connection one place,
fast one other place, and a laptop.

-- John
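
Added example (not part of the original message and not grunt's code): a receiver-side check combining an age window with a cache of already-seen random blocks, showing why a replay is refused while a delay inside the window still gets through. It assumes the GPG signature was verified beforehand and that the signed body carries a send timestamp and a random block; the class name, field names and sample values are hypothetical.

```python
import time


class ReplayGuard:
    """Freshness and replay check for already signature-verified messages.

    Assumption: each signed message carries a send timestamp and a
    sender-chosen random block. This is an illustration, not grunt's protocol.
    """

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.seen = {}  # random block -> signed timestamp

    def check(self, sent_at, random_block, now=None):
        now = time.time() if now is None else now
        # Forget blocks whose messages have aged out. The age test below
        # rejects those messages anyway, so the cache stays bounded.
        self.seen = {b: t for b, t in self.seen.items()
                     if now - t <= self.window}
        if sent_at > now:
            return "reject: timestamp in the future"
        if now - sent_at > self.window:
            return "reject: too old"
        if random_block in self.seen:
            return "reject: replay"
        self.seen[random_block] = sent_at
        return "accept"


def demo():
    # Constructed sample values; 3600 s matches the 60-minute setting above.
    guard = ReplayGuard(window_seconds=3600)
    t0 = 1_000_000
    return [
        guard.check(t0, "a1f3", now=t0 + 5),     # fresh message
        guard.check(t0, "a1f3", now=t0 + 10),    # same message sent again
        guard.check(t0, "b7c2", now=t0 + 3000),  # delayed, still in window
        guard.check(t0, "c9d4", now=t0 + 4000),  # delayed past the window
        guard.check(t0, "a1f3", now=t0 + 4000),  # replay after cache purge
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third case is the delay mentioned in the message: a held-back command is still accepted as long as it arrives inside the configured window, so the window size bounds how long a command can be delayed.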


