exist-development — eXist Developer's List

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Wolfgang M. <wol...@ex...>]

Adam,

> Also, please keep in mind guys that this is 'trunk' and not a stable
> branch...

You know yourself that we can't run most of our applications on 1.4.x
anymore :-) It's just impossible. Trunk is much better in terms of
performance and tooling and has proven to be pretty stable. We should
encourage people to give it a try. But this is only possible if we
don't break backwards compatibility without making it public and
providing alternatives. The major new features in trunk - redesigned
structural index, better query optimizations, package repository -
have been running stable for months now.

So if it doesn't cost you more than an hour to temporarily enable a
simple solution for default permissions, I would beg you to do so. It
would really save me a lot of time because I have to work around those
inconsistencies in the security framework as well.

Wolfgang

Re: [Exist-development] default perms in collection.xconf do not seem to work

[Chris T. <chr...@gm...>]

Adam,

It would be a great help if we had a simple roadmap for the security rework. If you can point me to a thread that has the details or hopefully quickly sketch out where we are and where we're going that would be great. I've been following the security stuff and actually thought it had settled down in the early summer and assumed that it was now stabilizing.

In fact what what other major items are on the to do list for the next stabilization - 1.6?

Thanks,
Chris


On Oct 18, 2011, at 7:08 PM, Adam Retter wrote:

> Yes I have read your emails. I also just responded. I am not deaf to
> the requirement but please do not enable it right at the moment as it
> will impact on outstanding changes I have. As this is all in flux
> before the next release anyway, if you enable it now, it will most
> likely be disabled again later in some way when it is replaced...
> 
> 
> 
> On 18 October 2011 14:12, Wolfgang Meier <wol...@ex...> wrote:
>> Adam,
>> 
>>> Default permissions are no longer configurable, this was a security
>>> design concern.
>> 
>> Have you read our emails? I think there are many arguments why we
>> still need default permissions and I definitely would like to
>> re-enable them.
>> 
>>> New ACL's will permit inheritance in the near future, so this would be
>>> the mechanism for replace such use cases.
>> 
>> ... at least until this mechanism is in place and has been tested.
>> 
>> Wolfgang
>> 
> 
> 
> 
> -- 
> Adam Retter
> 
> eXist Developer
> { United Kingdom }
> ad...@ex...
> irc://irc.freenode.net/existdb
> 
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Chris T. <chr...@gm...>]

Wolfgang,

Thanks. I'd also written a q:repair-permissions() since I had this issue for a while. I'll compare with yours - which is likely better.

Chris


On Oct 18, 2011, at 6:12 PM, Wolfgang Meier wrote:

> Chris,
> 
> a quick way of changing permissions on a collection tree would be to
> run a query like the following:
> 
> xquery version "1.0";
> 
> declare function local:fix-permissions($collection, $permissions,
> $xqpermissions) {
>    sm:chmod(xs:anyURI($collection), $permissions),
>    for $resource in xmldb:get-child-resources($collection)
>    return
>        if (xmldb:get-mime-type(xs:anyURI((concat($collection, "/",
> $resource)))) eq "application/xquery") then
>            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $xqpermissions)
>        else
>            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $permissions),
>    for $child in xmldb:get-child-collections($collection)
>    return
>        local:fix-permissions(xs:anyURI(concat($collection, "/",
> $child)), $permissions, $xqpermissions)
> };
> 
> local:fix-permissions("/db", "rw-r--r--")
> 
> But this doesn't solve the problem if you are constantly uploading new
> resources. I wonder how difficult it would be to re-enable the default
> collection permissions for now? I'll look at the corresponding
> revisions.
> 
> Wolfgang

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Chris T. <chr...@gm...>]

On Oct 18, 2011, at 7:01 PM, Adam Retter wrote:
> 
> They are not deleted, more deprecated. The Security Manager module
> (sm:) should be considered the place to do anything with security in
> the future.

Thanks. I have some editor code that I would like to keep to one version for both a 1.4 and a 1.5 system and so far that is possible. I'm going to need to patch the editor to ensure that the permissions are established properly when documents are created and for that I think xmld:set-resource-permissions should work on both 1.4 and 1.5 - at least for the time being.

Chris

Re: [Exist-development] default perms in collection.xconf do not seem to work

[Adam R. <ad...@ex...>]

Yes I have read your emails. I also just responded. I am not deaf to
the requirement but please do not enable it right at the moment as it
will impact on outstanding changes I have. As this is all in flux
before the next release anyway, if you enable it now, it will most
likely be disabled again later in some way when it is replaced...



On 18 October 2011 14:12, Wolfgang Meier <wol...@ex...> wrote:
> Adam,
>
>> Default permissions are no longer configurable, this was a security
>> design concern.
>
> Have you read our emails? I think there are many arguments why we
> still need default permissions and I definitely would like to
> re-enable them.
>
>> New ACL's will permit inheritance in the near future, so this would be
>> the mechanism for replace such use cases.
>
> ... at least until this mechanism is in place and has been tested.
>
> Wolfgang
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Adam R. <ad...@ex...>]

> But this doesn't solve the problem if you are constantly uploading new
> resources. I wonder how difficult it would be to re-enable the default
> collection permissions for now? I'll look at the corresponding
> revisions.

Please can you hold off on this, as I have quite some outstanding
commits for the security stuff. I need some time to focus on this
without people changing bits ad-hoc. I am not ignorant to the fact
that people need simple tools for the permissions, but I am not
convinced that 'default permissions' in its existing guise is the
mechanism for this.
Also, please keep in mind guys that this is 'trunk' and not a stable
branch... And yes, sorry its taken so long, but no one is paying us to
work on this project full-time and so sometimes these things do take
longer than I would like as other priorities interrupt. It looks like
I may have a free week coming up, so I promise to finish this then.


> Wolfgang
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Adam R. <ad...@ex...>]

On 18 October 2011 12:36, Chris Tomlinson <chr...@gm...> wrote:
>
> On Oct 18, 2011, at 4:53 PM, Adam Retter wrote:
>
> On Oct 18, 2011 10:06 AM, "Chris Tomlinson" <chr...@gm...>
> wrote:
>>
>> Adam,
>>
>> 1) So if I understand correctly then there is no longer any default
>> permissions feature any where, including in the collection.xconf files for
>> various collections. Is this correct? It seems contrary to the portion of
>> the thread with Dmitriy so you'll appreciate my confusion.
>
> Yes that is correct. I am not sure what Dmitriy is describing.
>
>> 2) What is the security issue? Incorrect admin of the DB is always an
>> opportunity for problems: performance, security and so on. It seems to me
>> that removing the ability to provide a default set of permissions some how -
>> on a collection or on a per user basis or whatever - is a significant
>> reduction in functionality in order to keep some DB admins from shooting
>> themselves in the foot so to speak. This means to me that eXist is now
>> enforcing a particular policy rather than providing mechanism.
>
> This is an interesting argument and one that I am not deaf to. However I
> would like to know if there is a known mechanism in Unix for this?
>
> Well there's umask which has been used for this purpose in user's .profile
> or equivalent.
>
> My approach would be permissions inheritance through our new acl's.
> Inheritance is not ready yet though.
>
>> 3) Setting permissions after upload is an additional step that is not
>> supported by the admin.xq and that is poorly supported by the java admin GUI
>> since for large collections (1000s of files) remotely one has to list the
>> entire collection contents before being able to then use the GUI panel for
>> permissions. The command line on a headless server works with less
>> performance issue but doesn't seem to support any wildcarding or other
>> method of selecting multiple files / collections for the chmod to affect.
>
> Your best option would be to run a small xquery that uses the sm:chmod
> function.
>
> have xmldb:set-resource-permissions and xmldb:set-collection-permissions
> been deleted?

They are not deleted, more deprecated. The Security Manager module
(sm:) should be considered the place to do anything with security in
the future.

>>
>> Chris
>>
>>
>> On Oct 18, 2011, at 2:21 PM, Adam Retter wrote:
>>
>>>
>>> On Oct 18, 2011 6:16 AM, "Chris Tomlinson" <chr...@gm...>
>>> wrote:
>>> >
>>> > Hello,
>>> >
>>> > I'm looking into some issues surrounding permissions management in
>>> > current trunk and am trying to make sure I understand what is intended and
>>> > what is implemented in this area. I ran across this post of yours from 3
>>> > months ago and I wanted to know the status in this area is or whether it has
>>> > been reconsidered.
>>>
>>> No the plan is still in progress.
>>>
>>> > In looking at org.exist.security.Permission.java it looks like it
>>> > hasn't been worked on since 4 Aug and the "update" nomenclature is still in
>>> > place and used in org.exist.security.AbstractUnixStylePermission.java which
>>> > hasn't been worked on for even longer.
>>> >
>>> > Trunk certainly still interprets the "u" perm as indicating that the
>>> > file is updatable or not (versus deletable "w") and throws an error in the
>>> > event that a user attempts to update and that flag isn't set for the user,
>>> > group or other as appropriate.
>>> >
>>> > Is this the behavior we can expect as trunk morphs into 1.6 or are
>>> > there more changes on the way for org.exist.security?
>>> >
>>>
>>> A few more changes to come. Other priorities got in the way. But its top
>>> of my list again.
>>>
>>> > I also seem to not understand the semantics of the <db-connection/>
>>> > <default-permissions collection="0774" resource="0774" /> in the conf.xml
>>> > file. I have the above set in the conf.xml on trunk rev 15412 and it doesn't
>>> > seem to make any difference. For example, when I upload a file via the
>>> > http://localhost:8080/exist/admin/admin.xql > Browse collections interface I
>>> > get permissions: "rw-r--r--" rather than "rwuruwr--" which I would have
>>> > expected. The same is true when running java client from the command line.
>>>
>>> Default permissions have been removed as a security concern.
>>>
>>> > We have need of being able to upload files and the resulting
>>> > permissions need to be "rwuruwr--" by default. How do we achieve this via
>>> > the admin.xql or the command line client?
>>>
>>> You can set perms after upload...
>>>
>>> > Thanks,
>>> > Chris
>>> >
>>> >
>>> > On Jul 7, 2011, at 12:33 PM, Wolfgang Meier wrote:
>>> >
>>> > >> #1: Why does my controller.xql file need guest update permissions
>>> > >> for
>>> > >> regular web browsing?
>>> > >
>>> > > For XQuery resources, the permission flags are now interpreted as rwx
>>> > > instead of the old rwu. We're in the process of changing this
>>> > > everywhere. The documentation is a bit behind.
>>> > >
>>> > > Wolfgang
>>> > >
>>> > >
>>> > > ------------------------------------------------------------------------------
>>> > > All of the data generated in your IT infrastructure is seriously
>>> > > valuable.
>>> > > Why? It contains a definitive record of application performance,
>>> > > security
>>> > > threats, fraudulent activity, and more. Splunk takes this data and
>>> > > makes
>>> > > sense of it. IT sense. And common sense.
>>> > > http://p.sf.net/sfu/splunk-d2d-c2
>>> > > _______________________________________________
>>> > > Exist-open mailing list
>>> > > Exi...@li...
>>> > > https://lists.sourceforge.net/lists/listinfo/exist-open
>>> >
>>> >
>>> >
>>> > ------------------------------------------------------------------------------
>>> > All the data continuously generated in your IT infrastructure contains
>>> > a
>>> > definitive record of customers, application performance, security
>>> > threats, fraudulent activity and more. Splunk takes this data and makes
>>> > sense of it. Business sense. IT sense. Common sense.
>>> > http://p.sf.net/sfu/splunk-d2d-oct
>>> > _______________________________________________
>>> > Exist-development mailing list
>>> > Exi...@li...
>>> > https://lists.sourceforge.net/lists/listinfo/exist-development
>>
>>
>
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Adam R. <ad...@ex...>]

Okay, but am I correct in thinking that umask is applied per user?
i.e. it lives in the users profile?

It is the mount point of the fs that defines the overarching degfault
permissions right?
The way 'default permissions' in eXist-db were implemented previously
were neither per user or per mount.

I think permission inheritance with ACL will render umask unneeded?

On 18 October 2011 12:22, Hungerburg <pc...@my...> wrote:
> Am 2011-10-18 13:08, schrieb Adam Retter:
>> This is an interesting argument and one that I am not deaf to. However I
>> would like to know if there is a known mechanism in Unix for this?
>
> The *nix mechanism is called "umask": it specifies the permissions that
> will be subtracted from the default/full, ie rw-rw-rw on files and
> rwxrwxrwx on directories, permissions. Its a per process setting that
> will be passed on to forked children.
>
>  From wikipedia: "The addition of umask (in around 1978) allowed sites,
> groups, and individuals to chose their own defaults. Small close groups
> might choose 000, computer centers 022, security-conscious groups 077 or
> 066 for access to sub-directories under private directories."
>
> --
> peter
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] default perms in collection.xconf do not seem to work

[Wolfgang M. <wol...@ex...>]

Adam,

> Default permissions are no longer configurable, this was a security
> design concern.

Have you read our emails? I think there are many arguments why we
still need default permissions and I definitely would like to
re-enable them.

> New ACL's will permit inheritance in the near future, so this would be
> the mechanism for replace such use cases.

... at least until this mechanism is in place and has been tested.

Wolfgang

Re: [Exist-development] gradle vs maven

[Adam R. <ad...@ex...>]

>> yeap, he was pessimistic during maven talks. And he wants to leave as it
>> or better build control then maven can provide as ant have. That what I did
>> see =)

Yes he was, because he had some concerns, which we discussed and I
think I addressed each of these to his satisfaction?

However the 'proof is in the pudding' as we say, so that is why I
started on a branch to create a Mavenised build of eXist-db, to prove
this is possible and hopefully to demonstrate the improvements. If at
the end of development, I cannot demonstrate improvemnets then it is
indeed a failure and we should not use Maven.


-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] default perms in collection.xconf do not seem to work

[Adam R. <ad...@ex...>]

Default permissions are no longer configurable, this was a security
design concern.

New ACL's will permit inheritance in the near future, so this would be
the mechanism for replace such use cases.
A umask could also be added to accounts if desired, but I dont think
we will need it.



On 18 October 2011 10:52, Dmitriy Shabanov <sha...@gm...> wrote:
> The code that response for that behaver was commened-out by rev 14670. I
> don't know why. Adam?
>
> method Collection.manageDocumentInformation
> On Tue, Oct 18, 2011 at 12:46 PM, Dmitriy Shabanov <sha...@gm...>
> wrote:
>>
>> You uploading to " /db/tbrc" ? need to check...
>>
>> On Tue, Oct 18, 2011 at 12:25 PM, Chris Tomlinson
>> <chr...@gm...> wrote:
>>>
>>> I'm confused. I uploaded the files into the top collection, /db/tbrc
>>> which is where the <default-permissions/> is placed in the collection.xconf
>>> file for the top collection /db/tbrc. Unless you're saying that I have to
>>> have a collection.xconf for /db itself which I don't think is what you're
>>> saying. Surely, I don't need to add <default-permissions/> to
>>> collections /db/tbrc/A and /db/tbrc/B and so on in order to control the
>>> default permissions for files uploaded into collection /db/tbrc??
>
> --
> Dmitriy Shabanov
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Dan M. <dan...@gm...>]

I have also had a challenge using the new permission structure.  Although I
fully support Adam's efforts I have had to build "wrappers" for any function
that updated resources to fix the permissions.  The changing of permissions
also seems to occur when you use the new in-database subversion module.  So
the fix-permissions() function has to be run after every
subversion:commit().

I wonder if there is any way a configuration option be added so that the
user could specify what permission structure is used for new resources much
like the UNIX "umask" function.

- Dan

On Tue, Oct 18, 2011 at 7:27 AM, Wolfgang Meier <wol...@ex...>wrote:

> Chris,
>
> a quick way of changing permissions on a collection tree would be to
> run a query like the following:
>
> xquery version "1.0";
>
> declare function local:fix-permissions($collection, $permissions,
> $xqpermissions) {
>    sm:chmod(xs:anyURI($collection), $permissions),
>    for $resource in xmldb:get-child-resources($collection)
>    return
>        if (xmldb:get-mime-type(xs:anyURI((concat($collection, "/",
> $resource)))) eq "application/xquery") then
>            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $xqpermissions)
>        else
>            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $permissions),
>    for $child in xmldb:get-child-collections($collection)
>    return
>        local:fix-permissions(xs:anyURI(concat($collection, "/",
> $child)), $permissions, $xqpermissions)
> };
>
> local:fix-permissions("/db", "rw-r--r--")
>
> But this doesn't solve the problem if you are constantly uploading new
> resources. I wonder how difficult it would be to re-enable the default
> collection permissions for now? I'll look at the corresponding
> revisions.
>
> Wolfgang
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
>



-- 
Dan McCreary
Semantic Solutions Architect
office: (952) 931-9198
cell: (612) 986-1552

Re: [Exist-development] [Exist-open] Confused about permissions and defaults for XQuery files

[Palmer, E. <ep...@ri...>]

I've been reading this thread with great interest. We are not using 1.5 yet
and haven't even tested it yet.  We expect testing to commence this month.

Our eXist-db instances are isolated via a set of firewalls and we expect to
isolate them more using private IP space (in 6 months).  Oversimplifying
here but in essence we reverse proxy external access to eXist-db via apache
httpd.  So fine grain permissions are not yet needed at the University of
Richmond. At least for Web Services. The Digital Library work of Chris Kemp
may be different so I can't speak for him.

Our content creators can create sub-collections and content on the fly using
our content management system. When they do this they always create
collections underneath existing collections that we have access over.

For example a user might create this collection hierarchy

/db/articles/features/business/2011/oct

We control this collection /db/articles/features/business

It would be great if we have the ability to set default inheritable
permissions for /db/articles/features/business

Eric




On 10/18/11 8:27 AM, "Wolfgang Meier" <wol...@ex...> wrote:

> Chris,
> 
> a quick way of changing permissions on a collection tree would be to
> run a query like the following:
> 
> xquery version "1.0";
> 
> declare function local:fix-permissions($collection, $permissions,
> $xqpermissions) {
>     sm:chmod(xs:anyURI($collection), $permissions),
>     for $resource in xmldb:get-child-resources($collection)
>     return
>         if (xmldb:get-mime-type(xs:anyURI((concat($collection, "/",
> $resource)))) eq "application/xquery") then
>             sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $xqpermissions)
>         else
>             sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
> $permissions),
>     for $child in xmldb:get-child-collections($collection)
>     return
>         local:fix-permissions(xs:anyURI(concat($collection, "/",
> $child)), $permissions, $xqpermissions)
> };
> 
> local:fix-permissions("/db", "rw-r--r--")
> 
> But this doesn't solve the problem if you are constantly uploading new
> resources. I wonder how difficult it would be to re-enable the default
> collection permissions for now? I'll look at the corresponding
> revisions.
> 
> Wolfgang
> 
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Wolfgang M. <wol...@ex...>]

Chris,

a quick way of changing permissions on a collection tree would be to
run a query like the following:

xquery version "1.0";

declare function local:fix-permissions($collection, $permissions,
$xqpermissions) {
    sm:chmod(xs:anyURI($collection), $permissions),
    for $resource in xmldb:get-child-resources($collection)
    return
        if (xmldb:get-mime-type(xs:anyURI((concat($collection, "/",
$resource)))) eq "application/xquery") then
            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
$xqpermissions)
        else
            sm:chmod(xs:anyURI(concat($collection, "/", $resource)),
$permissions),
    for $child in xmldb:get-child-collections($collection)
    return
        local:fix-permissions(xs:anyURI(concat($collection, "/",
$child)), $permissions, $xqpermissions)
};

local:fix-permissions("/db", "rw-r--r--")

But this doesn't solve the problem if you are constantly uploading new
resources. I wonder how difficult it would be to re-enable the default
collection permissions for now? I'll look at the corresponding
revisions.

Wolfgang

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Chris T. <chr...@gm...>]

Wolfgang,

I haven't yet heard the security issue with the per collection defaults which you seem to be also liking at this point.

As a long time user and sometimes small contributor to eXist I am rather concerned with the burgeoning security apparatus. I was not concerned with it as long as it didn't get in the way. However, we now have an issue that is going to require me to do some quick engineering. We've been constructing a new version of our DB with the trunk because it has some features like the versioning and triggers which have been working for us and is otherwise satisfactorily stable. I have been assuming that I just didn't have things set correctly for the permissions default and got around today to trying to figure out what I was doing wrong.

I agree that an understandable (and preferably simple) approach to permissions is likely to be secure in that it is more likely to be understandable in terms of how to configure things to get the desired effects. being able to set the defaults on a top-level collection and have that inherited as with triggers seems simple and understandable in terms of permissions behavior.

In our case we have a tightly controlled access to the DB and can apply relatively simple security. The larger models involving LDAP and so on are fine for some situations but lets not lose sight of simple uses of eXist that are still serious production uses.

Chris

On Oct 18, 2011, at 5:09 PM, Wolfgang Meier wrote:

> 
> > Somehow, the old mechanism of defining default permissions on a collection basis was more consistent and thus, one could argue: more secure.
> 
> For example, with respect to the package repository, I could define the correct default permissions in two collection.xconf, one for the top collection, and one for the collection containing the XQuery modules. This way, the installer would not have to bother with setting permissions and the setup would be easy to understand and change for the package developer.
> 
> Wolfgang
> 

Re: [Exist-development] gradle vs maven

[Wolfgang M. <wol...@ex...>]

> yeap, he was pessimistic during maven talks. And he wants to leave as it
or better build control then maven can provide as ant have. That what I did
see =)

Sure,  Dannes and I always had some concerns with respect to maven, but I
think we acknowledge that this may just be due to our lack of experience
with maven (and lack of interest to spend time with it). There's no basic
opposition against maven in any way.

So the general decision was to go ahead with maven and see how it works out.

Wolfgang

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Chris T. <chr...@gm...>]

On Oct 18, 2011, at 4:53 PM, Adam Retter wrote:

> 
> On Oct 18, 2011 10:06 AM, "Chris Tomlinson" <chr...@gm...> wrote:
> >
> > Adam,
> >
> > 1) So if I understand correctly then there is no longer any default permissions feature any where, including in the collection.xconf files for various collections. Is this correct? It seems contrary to the portion of the thread with Dmitriy so you'll appreciate my confusion.
> 
> Yes that is correct. I am not sure what Dmitriy is describing.
> 
> > 2) What is the security issue? Incorrect admin of the DB is always an opportunity for problems: performance, security and so on. It seems to me that removing the ability to provide a default set of permissions some how - on a collection or on a per user basis or whatever - is a significant reduction in functionality in order to keep some DB admins from shooting themselves in the foot so to speak. This means to me that eXist is now enforcing a particular policy rather than providing mechanism.
> 
> This is an interesting argument and one that I am not deaf to. However I would like to know if there is a known mechanism in Unix for this?
> 
Well there's umask which has been used for this purpose in user's .profile or equivalent.

> My approach would be permissions inheritance through our new acl's. Inheritance is not ready yet though.
> 
> > 3) Setting permissions after upload is an additional step that is not supported by the admin.xq and that is poorly supported by the java admin GUI since for large collections (1000s of files) remotely one has to list the entire collection contents before being able to then use the GUI panel for permissions. The command line on a headless server works with less performance issue but doesn't seem to support any wildcarding or other method of selecting multiple files / collections for the chmod to affect.
> 
> Your best option would be to run a small xquery that uses the sm:chmod function.
> 
have xmldb:set-resource-permissions and xmldb:set-collection-permissions been deleted?


> >
> > Chris
> >
> >
> > On Oct 18, 2011, at 2:21 PM, Adam Retter wrote:
> >
> >>
> >> On Oct 18, 2011 6:16 AM, "Chris Tomlinson" <chr...@gm...> wrote:
> >> >
> >> > Hello,
> >> >
> >> > I'm looking into some issues surrounding permissions management in current trunk and am trying to make sure I understand what is intended and what is implemented in this area. I ran across this post of yours from 3 months ago and I wanted to know the status in this area is or whether it has been reconsidered.
> >>
> >> No the plan is still in progress.
> >>
> >> > In looking at org.exist.security.Permission.java it looks like it hasn't been worked on since 4 Aug and the "update" nomenclature is still in place and used in org.exist.security.AbstractUnixStylePermission.java which hasn't been worked on for even longer.
> >> >
> >> > Trunk certainly still interprets the "u" perm as indicating that the file is updatable or not (versus deletable "w") and throws an error in the event that a user attempts to update and that flag isn't set for the user, group or other as appropriate.
> >> >
> >> > Is this the behavior we can expect as trunk morphs into 1.6 or are there more changes on the way for org.exist.security?
> >> >
> >>
> >> A few more changes to come. Other priorities got in the way. But its top of my list again.
> >>
> >> > I also seem to not understand the semantics of the <db-connection/> <default-permissions collection="0774" resource="0774" /> in the conf.xml file. I have the above set in the conf.xml on trunk rev 15412 and it doesn't seem to make any difference. For example, when I upload a file via the http://localhost:8080/exist/admin/admin.xql > Browse collections interface I get permissions: "rw-r--r--" rather than "rwuruwr--" which I would have expected. The same is true when running java client from the command line.
> >>
> >> Default permissions have been removed as a security concern.
> >>
> >> > We have need of being able to upload files and the resulting permissions need to be "rwuruwr--" by default. How do we achieve this via the admin.xql or the command line client?
> >>
> >> You can set perms after upload...
> >>
> >> > Thanks,
> >> > Chris
> >> >
> >> >
> >> > On Jul 7, 2011, at 12:33 PM, Wolfgang Meier wrote:
> >> >
> >> > >> #1: Why does my controller.xql file need guest update permissions for
> >> > >> regular web browsing?
> >> > >
> >> > > For XQuery resources, the permission flags are now interpreted as rwx
> >> > > instead of the old rwu. We're in the process of changing this
> >> > > everywhere. The documentation is a bit behind.
> >> > >
> >> > > Wolfgang
> >> > >
> >> > > ------------------------------------------------------------------------------
> >> > > All of the data generated in your IT infrastructure is seriously valuable.
> >> > > Why? It contains a definitive record of application performance, security
> >> > > threats, fraudulent activity, and more. Splunk takes this data and makes
> >> > > sense of it. IT sense. And common sense.
> >> > > http://p.sf.net/sfu/splunk-d2d-c2
> >> > > _______________________________________________
> >> > > Exist-open mailing list
> >> > > Exi...@li...
> >> > > https://lists.sourceforge.net/lists/listinfo/exist-open
> >> >
> >> >
> >> > ------------------------------------------------------------------------------
> >> > All the data continuously generated in your IT infrastructure contains a
> >> > definitive record of customers, application performance, security
> >> > threats, fraudulent activity and more. Splunk takes this data and makes
> >> > sense of it. Business sense. IT sense. Common sense.
> >> > http://p.sf.net/sfu/splunk-d2d-oct
> >> > _______________________________________________
> >> > Exist-development mailing list
> >> > Exi...@li...
> >> > https://lists.sourceforge.net/lists/listinfo/exist-development
> >
> >

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Wolfgang M. <wol...@ex...>]

> Somehow, the old mechanism of defining default permissions on a collection
basis was more consistent and thus, one could argue: more secure.

For example, with respect to the package repository, I could define the
correct default permissions in two collection.xconf, one for the top
collection, and one for the collection containing the XQuery modules. This
way, the installer would not have to bother with setting permissions and the
setup would be easy to understand and change for the package developer.

Wolfgang

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Wolfgang M. <wol...@ex...>]

> +1 to keep this feature. What security issue? human? let move it to mars
then .... =)

Well, what's the consequence of disabling the configurable default
permissions? In the end, we'll need to introduce some mechanism to allow the
user to change the permissions of uploaded resources. I already changed the
package repository installer to automatically set +x on all xquery resources
you upload. So in a way we're just moving the problem into the user
interface. We need to extend every interface to allow the user to specify
default permissions.

Somehow, the old mechanism of defining default permissions on a collection
basis was more consistent and thus, one could argue: more secure.

Wolfgang

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Hungerburg <pc...@my...>]

Am 2011-10-18 13:08, schrieb Adam Retter:
> This is an interesting argument and one that I am not deaf to. However I
> would like to know if there is a known mechanism in Unix for this?

The *nix mechanism is called "umask": it specifies the permissions that 
will be subtracted from the default/full, ie rw-rw-rw on files and 
rwxrwxrwx on directories, permissions. Its a per process setting that 
will be passed on to forked children.

 From wikipedia: "The addition of umask (in around 1978) allowed sites, 
groups, and individuals to chose their own defaults. Small close groups 
might choose 000, computer centers 022, security-conscious groups 077 or 
066 for access to sub-directories under private directories."

-- 
peter

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Adam R. <ad...@ex...>]

On Oct 18, 2011 10:06 AM, "Chris Tomlinson" <chr...@gm...>
wrote:
>
> Adam,
>
> 1) So if I understand correctly then there is no longer any default
permissions feature any where, including in the collection.xconf files for
various collections. Is this correct? It seems contrary to the portion of
the thread with Dmitriy so you'll appreciate my confusion.

Yes that is correct. I am not sure what Dmitriy is describing.

> 2) What is the security issue? Incorrect admin of the DB is always an
opportunity for problems: performance, security and so on. It seems to me
that removing the ability to provide a default set of permissions some how -
on a collection or on a per user basis or whatever - is a significant
reduction in functionality in order to keep some DB admins from shooting
themselves in the foot so to speak. This means to me that eXist is now
enforcing a particular policy rather than providing mechanism.

This is an interesting argument and one that I am not deaf to. However I
would like to know if there is a known mechanism in Unix for this?
My approach would be permissions inheritance through our new acl's.
Inheritance is not ready yet though.

> 3) Setting permissions after upload is an additional step that is not
supported by the admin.xq and that is poorly supported by the java admin GUI
since for large collections (1000s of files) remotely one has to list the
entire collection contents before being able to then use the GUI panel for
permissions. The command line on a headless server works with less
performance issue but doesn't seem to support any wildcarding or other
method of selecting multiple files / collections for the chmod to affect.

Your best option would be to run a small xquery that uses the sm:chmod
function.

>
> Chris
>
>
> On Oct 18, 2011, at 2:21 PM, Adam Retter wrote:
>
>>
>> On Oct 18, 2011 6:16 AM, "Chris Tomlinson" <chr...@gm...>
wrote:
>> >
>> > Hello,
>> >
>> > I'm looking into some issues surrounding permissions management in
current trunk and am trying to make sure I understand what is intended and
what is implemented in this area. I ran across this post of yours from 3
months ago and I wanted to know the status in this area is or whether it has
been reconsidered.
>>
>> No the plan is still in progress.
>>
>> > In looking at org.exist.security.Permission.java it looks like it
hasn't been worked on since 4 Aug and the "update" nomenclature is still in
place and used in org.exist.security.AbstractUnixStylePermission.java which
hasn't been worked on for even longer.
>> >
>> > Trunk certainly still interprets the "u" perm as indicating that the
file is updatable or not (versus deletable "w") and throws an error in the
event that a user attempts to update and that flag isn't set for the user,
group or other as appropriate.
>> >
>> > Is this the behavior we can expect as trunk morphs into 1.6 or are
there more changes on the way for org.exist.security?
>> >
>>
>> A few more changes to come. Other priorities got in the way. But its top
of my list again.
>>
>> > I also seem to not understand the semantics of the <db-connection/>
<default-permissions collection="0774" resource="0774" /> in the conf.xml
file. I have the above set in the conf.xml on trunk rev 15412 and it doesn't
seem to make any difference. For example, when I upload a file via the
http://localhost:8080/exist/admin/admin.xql > Browse collections interface I
get permissions: "rw-r--r--" rather than "rwuruwr--" which I would have
expected. The same is true when running java client from the command line.
>>
>> Default permissions have been removed as a security concern.
>>
>> > We have need of being able to upload files and the resulting
permissions need to be "rwuruwr--" by default. How do we achieve this via
the admin.xql or the command line client?
>>
>> You can set perms after upload...
>>
>> > Thanks,
>> > Chris
>> >
>> >
>> > On Jul 7, 2011, at 12:33 PM, Wolfgang Meier wrote:
>> >
>> > >> #1: Why does my controller.xql file need guest update permissions
for
>> > >> regular web browsing?
>> > >
>> > > For XQuery resources, the permission flags are now interpreted as rwx
>> > > instead of the old rwu. We're in the process of changing this
>> > > everywhere. The documentation is a bit behind.
>> > >
>> > > Wolfgang
>> > >
>> > >
------------------------------------------------------------------------------
>> > > All of the data generated in your IT infrastructure is seriously
valuable.
>> > > Why? It contains a definitive record of application performance,
security
>> > > threats, fraudulent activity, and more. Splunk takes this data and
makes
>> > > sense of it. IT sense. And common sense.
>> > > http://p.sf.net/sfu/splunk-d2d-c2
>> > > _______________________________________________
>> > > Exist-open mailing list
>> > > Exi...@li...
>> > > https://lists.sourceforge.net/lists/listinfo/exist-open
>> >
>> >
>> >
------------------------------------------------------------------------------
>> > All the data continuously generated in your IT infrastructure contains
a
>> > definitive record of customers, application performance, security
>> > threats, fraudulent activity and more. Splunk takes this data and makes
>> > sense of it. Business sense. IT sense. Common sense.
>> > http://p.sf.net/sfu/splunk-d2d-oct
>> > _______________________________________________
>> > Exist-development mailing list
>> > Exi...@li...
>> > https://lists.sourceforge.net/lists/listinfo/exist-development
>
>

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Adam R. <ad...@ex...>]

On Oct 18, 2011 10:56 AM, "Dmitriy Shabanov" <sha...@gm...> wrote:
>
> On Tue, Oct 18, 2011 at 12:52 PM, Wolfgang Meier <wol...@ex...>
wrote:
>>
>> > for xml resource it should be 'rwu', for binary & collections (or only
xquery scripts, not clear for me) 'rwx'
>>
>> No, I thought we would drop the update semantics altogether. "x" should
always mean "execute", no matter if eXist knows how to execute a particular
resource.
>>
>>
>
> Remove 'u' completely? Just checking to be sure, that's fine for me.

This is already done in a branch here. I need to check in, but first I need
to fix all the tests that relied on bad permissions.

> --
> Dmitriy Shabanov
>
>
------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
>

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Dmitriy S. <sha...@gm...>]

On Tue, Oct 18, 2011 at 2:06 PM, Chris Tomlinson <
chr...@gm...> wrote:

> 1) So if I understand correctly then there is no longer any default
> permissions feature any where, including in the collection.xconf files for
> various collections. Is this correct? It seems contrary to the portion of
> the thread with Dmitriy so you'll appreciate my confusion.
>
> 2) What is the security issue? Incorrect admin of the DB is always an
> opportunity for problems: performance, security and so on. It seems to me
> that removing the ability to provide a default set of permissions some how -
> on a collection or on a per user basis or whatever - is a significant
> reduction in functionality in order to keep some DB admins from shooting
> themselves in the foot so to speak. This means to me that eXist is now
> enforcing a particular policy rather than providing mechanism.
>

+1 to keep this feature. What security issue? human? let move it to mars
then .... =)

-- 
Dmitriy Shabanov

Re: [Exist-development] Confused about permissions and defaults for XQuery files

[Dmitriy S. <sha...@gm...>]

On Tue, Oct 18, 2011 at 12:52 PM, Wolfgang Meier <wol...@ex...>wrote:

> > for xml resource it should be 'rwu', for binary & collections (or only
> xquery scripts, not clear for me) 'rwx'
>
> No, I thought we would drop the update semantics altogether. "x" should
> always mean "execute", no matter if eXist knows how to execute a particular
> resource.
>
>
>
Remove 'u' completely? Just checking to be sure, that's fine for me.

-- 
Dmitriy Shabanov

Re: [Exist-development] default perms in collection.xconf do not seem to work

[Dmitriy S. <sha...@gm...>]

The code that response for that behaver was commened-out by rev 14670. I
don't know why. Adam?

method Collection.manageDocumentInformation

On Tue, Oct 18, 2011 at 12:46 PM, Dmitriy Shabanov <sha...@gm...>wrote:

> You uploading to " */db/tbrc*" ? need to check...
>
> On Tue, Oct 18, 2011 at 12:25 PM, Chris Tomlinson <
> chr...@gm...> wrote:
>
>> I'm confused. I uploaded the files into the top collection, */db/tbrc*which is where the
>> *<default-permissions/>* is placed in the *collection.xconf* file for the
>> top collection */db/tbrc*. Unless you're saying that I have to have a *
>> collection.xconf* for* /db* itself which I don't think is what you're
>> saying. Surely, I don't need to add *<default-permissions/>* to
>> collections */db/tbrc/A* and */db/tbrc/B* and so on in order to control
>> the default permissions for files uploaded into collection */db/tbrc*??
>>
>
-- 
Dmitriy Shabanov