From: Dmitriy S. <sha...@gm...> - 2012-02-09 03:32:33
On 09.02.2012 3:03, "Adam Retter" <ad...@ex...> wrote:

> Okay so I have been weighing up the pros and cons of the 'r-x' vs.
> '--x' requirements on stored XQuery main modules in eXist-db. I have
> foremost my security hat on, and want to adhere to the Unix security
> model as that is what eXist-db attempts to implement, and it is a very
> good model.
>
> The argument for not having the 'r' flag on XQuery scripts because they
> may contain sensitive information like usernames and passwords seems
> invalid to me, because sensitive information probably should not be in
> these scripts anyway.
> Arguably there was a time when you had to do this because the eXist-db
> authentication and user management system was not flexible enough; so
> perhaps because you created your own username/password system which
> mapped onto a few simple eXist-db users. This has changed, eXist-db
> now supports ACLs and multiple authentication realms. In fact it is
> this very use-case that prompted the start of all the security changes
> in eXist-db by me.
>
> > If one can consider xquery /the native binary format/ in eXist-db, the
> > model would look a lot more, like what you are used to.
>
> However, the above argument suggested by Peter actually almost
> convinced me that maybe we should just require '--x' for execution of
> XQuery scripts and not 'r-x'.
> However, we would have to be willing to apply the same rule to XSLT
> and XProc, which I think is not perhaps a problem?

It's simple to get over the current mess :-)

> I just wrote a small bash script and a C program on my Macbook and
> compared the Unix permissions required to execute each, to check.
> The bash script requires both read and execute bits when executed as
> '$ ./hello.sh' and bash cmd requires execute, BUT only requires read
> when executed as '$ bash hello.sh', whilst bash cmd requires execute.
> The C program only requires the execute bit to execute.

A C program for Linux is the same as an XQuery script for eXist (and vice versa), IMHO.

> So I am now open to the idea of just requiring the 'x' bit to execute
> an XQuery script and not the 'r' bit, however the implementation of
> this is incredibly hard without sacrificing security and separation of
> concerns.

It's simple if the interpreter checks the 'x' bit and reads the script as SYSTEM (including modules).

> The problem is that eXist-db's internals are somewhat messy,
> and to know if a document is an XQuery document you have to read it
> from the database, reading from the database requires the 'r' flag.

Note: permissions to read metadata are required only.

> So what am I saying, I think this is doable and I will change it to
> just require the 'x' bit, but it will take time to do this correctly
> as much refactoring of eXist-db will have to happen. So please be
> patient...

Ok ;-)
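The two policies argued over in the thread ('r-x': the caller must be able to read and execute the stored module; '--x': the caller needs only the execute bit, and the interpreter reads the module text itself under an internal SYSTEM identity after deciding from metadata alone that the document is XQuery) can be made concrete with a small model of Unix owner/group/other mode bits. This is an added illustration, not eXist-db's code; the `User`, `StoredDocument`, `SYSTEM` and `run_stored_query` names, the `mime` metadata field and the sample users and modes are all constructed for the example.

```python
"""Toy model of Unix-style permission checks for executing a stored XQuery module.

Added example (not eXist-db code). It compares the 'r-x' policy (caller must
hold r and x) with the '--x' policy (caller needs only x; the executor reads
the module text as an internal privileged identity, and uses metadata, not
content, to learn that the document is an XQuery module).
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # classic rwx bit values within one 3-bit triplet

XQUERY_MIME = "application/xquery"  # assumed metadata value for this example


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class StoredDocument:
    owner: str
    group: str
    mode: int        # e.g. 0o710 = owner rwx, group --x, other ---
    mime: str        # metadata: readable to decide "is this XQuery?" without reading content
    content: str


# Internal identity under which the interpreter itself fetches module text
# in the '--x' policy. Constructed for the example; it bypasses mode bits.
SYSTEM = User("SYSTEM", frozenset())


def effective_bits(doc: StoredDocument, user: User) -> int:
    """Resolve which of the three triplets applies to this user (owner > group > other)."""
    if user.name == doc.owner:
        return (doc.mode >> 6) & 7
    if doc.group in user.groups:
        return (doc.mode >> 3) & 7
    return doc.mode & 7


def may(doc: StoredDocument, user: User, bit: int) -> bool:
    """True if `user` holds permission `bit` (R, W or X) on `doc`."""
    if user is SYSTEM:
        return True  # the internal identity is not subject to the mode bits
    return bool(effective_bits(doc, user) & bit)


def read_content(doc: StoredDocument, as_user: User) -> str:
    """Read module text, enforcing the r bit for whoever performs the read."""
    if not may(doc, as_user, R):
        raise PermissionError(f"{as_user.name}: no read permission")
    return doc.content


def run_stored_query(doc: StoredDocument, caller: User, policy: str) -> str:
    """Return the module text the interpreter would execute, or raise PermissionError.

    policy 'r-x': the caller must be able to read AND execute the document.
    policy '--x': the caller must be able to execute; the interpreter checks the
                  XQuery mime type from metadata and reads the text as SYSTEM.
    """
    if doc.mime != XQUERY_MIME:           # metadata check, no content read needed
        raise PermissionError("not an XQuery module")
    if not may(doc, caller, X):
        raise PermissionError(f"{caller.name}: no execute permission")
    if policy == "r-x":
        return read_content(doc, as_user=caller)
    if policy == "--x":
        return read_content(doc, as_user=SYSTEM)
    raise ValueError(f"unknown policy {policy!r}")


def allowed(doc: StoredDocument, caller: User, policy: str) -> bool:
    """Convenience wrapper: True if execution would be permitted."""
    try:
        run_stored_query(doc, caller, policy)
        return True
    except PermissionError:
        return False


# Constructed sample data: module owned by admin:dba with mode 0o710.
MODULE = StoredDocument(owner="admin", group="dba", mode=0o710,
                        mime=XQUERY_MIME, content='xquery version "1.0"; "hello"')
ADMIN = User("admin", frozenset({"dba"}))
ALICE = User("alice", frozenset({"dba"}))   # group member: --x only
BOB = User("bob", frozenset())              # other: no bits at all

if __name__ == "__main__":
    for policy in ("r-x", "--x"):
        for who in (ADMIN, ALICE, BOB):
            print(f"{policy} {who.name:5s} -> {allowed(MODULE, who, policy)}")
```

Running the block prints the decision table: under 'r-x' only `admin` may execute (alice lacks the group r bit), while under '--x' alice can execute without ever being able to read the module text, and bob is refused under both because the "other" triplet is empty. The mime-type check is deliberately placed before any content read to mirror the point that only metadata, not the document body, is needed to recognise an XQuery module.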