MagicTree Documentation: Security Considerations


MagicTree is a data management tool for penetration testers. It is likely to be used to process sensitive and confidential data.

MagicTree data files (.mt) should be treated as executable code. Opening a MagicTree data file is equivalent to running a program or script. The data files contain information about executed and scheduled tasks. When MagicTree opens a data file, it executes the scheduled tasks. In a future version we will add an option to allow opening MT files without launching the embedded tasks.

MagicTree creates temporary files that contain screen logs and other information about executed tasks. On Unix-like systems (such as Linux and Mac OS X) temporary files are stored in /tmp. On Windows they are stored in the user's home directory in .magictree/cygwin/tmp. The temporary file permissions are subject to umask settings, so if your umask is 022 (the default setting on Mac OS X), your temporary files will be world-readable. If you are executing tasks on a shared host where the /tmp directory may be accessed by untrusted parties, modify the .magictree/bin/config file and set the spooldir variable to a directory that is readable only by you. This setting will affect tasks executed locally and remotely. We will probably make storing temporary files in the user's home directory the default behaviour on all operating systems. Modifying umask can interfere with reading data produced by tasks executed with sudo, so modifying umask is not a viable workaround.
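
One way to prepare and check a directory for the spooldir setting described above, as an added example that is not part of MagicTree or its documentation. The function names are hypothetical and the directory path is your own choice; the script does not edit .magictree/bin/config, whose syntax is not shown on this page.

```shell
#!/bin/sh
# Added example (not MagicTree code): create a private spool directory and
# audit a directory for task logs that other local users could read.

# Print regular files under DIR that group or others can read
# (what a umask of 022 produces in a shared /tmp).
exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, with no group or other permission bits set.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -u)" -print)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Create DIR for use as spooldir. The restrictive umask is confined to a
# subshell, so the umask that tasks (including sudo tasks) run with is
# left unchanged, in line with the caveat about modifying umask.
make_private_spool() {
    ( umask 077 && mkdir -p -- "$1" ) || return 1
    chmod u=rwx,go= -- "$1" || return 1
    dir_is_private "$1"
}

# Usage (path is an assumption, pick your own):
#   make_private_spool "$HOME/.magictree/spool" && echo "spool directory is private"
#   exposed_files /tmp    # lists files in /tmp readable by group or others
```

Files written into the private directory under a umask of 022 still carry mode 644, but other users cannot traverse the 700 directory to reach them.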

MagicTree itself does not listen on any network sockets. MagicTree will connect to remote hosts via SSH for remote task execution. On Unix-like systems it will use the SSH client present on the system. On Windows it will use the Cygwin SSH client shipped with MagicTree.

MagicTree itself does not require elevated privileges (i.e. being run as root). We recommend running MagicTree as a normal user, and using sudo from MagicTree to run tasks that require root privileges.

MagicTree does not include or require any server applications (i.e. web or SQL servers). It does not use an SQL database and it does not have a web interface.
