Menu
▾
▴
Re: [Exist-development] Confused about permissions and defaults for XQuery files
|
From: Adam R. <ad...@ex...> - 2011-10-18 11:08:48
|
On Oct 18, 2011 10:06 AM, "Chris Tomlinson" <chr...@gm...> wrote: > > Adam, > > 1) So if I understand correctly then there is no longer any default permissions feature any where, including in the collection.xconf files for various collections. Is this correct? It seems contrary to the portion of the thread with Dmitriy so you'll appreciate my confusion. Yes that is correct. I am not sure what Dmitriy is describing. > 2) What is the security issue? Incorrect admin of the DB is always an opportunity for problems: performance, security and so on. It seems to me that removing the ability to provide a default set of permissions some how - on a collection or on a per user basis or whatever - is a significant reduction in functionality in order to keep some DB admins from shooting themselves in the foot so to speak. This means to me that eXist is now enforcing a particular policy rather than providing mechanism. This is an interesting argument and one that I am not deaf to. However I would like to know if there is a known mechanism in Unix for this? My approach would be permissions inheritance through our new acl's. Inheritance is not ready yet though. > 3) Setting permissions after upload is an additional step that is not supported by the admin.xq and that is poorly supported by the java admin GUI since for large collections (1000s of files) remotely one has to list the entire collection contents before being able to then use the GUI panel for permissions. The command line on a headless server works with less performance issue but doesn't seem to support any wildcarding or other method of selecting multiple files / collections for the chmod to affect. Your best option would be to run a small xquery that uses the sm:chmod function. > > Chris > > > On Oct 18, 2011, at 2:21 PM, Adam Retter wrote: > >> >> On Oct 18, 2011 6:16 AM, "Chris Tomlinson" <chr...@gm...> wrote: >> > >> > Hello, >> > >> > I'm looking into some issues surrounding permissions management in current trunk and am trying to make sure I understand what is intended and what is implemented in this area. I ran across this post of yours from 3 months ago and I wanted to know the status in this area is or whether it has been reconsidered. >> >> No the plan is still in progress. >> >> > In looking at org.exist.security.Permission.java it looks like it hasn't been worked on since 4 Aug and the "update" nomenclature is still in place and used in org.exist.security.AbstractUnixStylePermission.java which hasn't been worked on for even longer. >> > >> > Trunk certainly still interprets the "u" perm as indicating that the file is updatable or not (versus deletable "w") and throws an error in the event that a user attempts to update and that flag isn't set for the user, group or other as appropriate. >> > >> > Is this the behavior we can expect as trunk morphs into 1.6 or are there more changes on the way for org.exist.security? >> > >> >> A few more changes to come. Other priorities got in the way. But its top of my list again. >> >> > I also seem to not understand the semantics of the <db-connection/> <default-permissions collection="0774" resource="0774" /> in the conf.xml file. I have the above set in the conf.xml on trunk rev 15412 and it doesn't seem to make any difference. For example, when I upload a file via the http://localhost:8080/exist/admin/admin.xql > Browse collections interface I get permissions: "rw-r--r--" rather than "rwuruwr--" which I would have expected. The same is true when running java client from the command line. >> >> Default permissions have been removed as a security concern. >> >> > We have need of being able to upload files and the resulting permissions need to be "rwuruwr--" by default. How do we achieve this via the admin.xql or the command line client? >> >> You can set perms after upload... >> >> > Thanks, >> > Chris >> > >> > >> > On Jul 7, 2011, at 12:33 PM, Wolfgang Meier wrote: >> > >> > >> #1: Why does my controller.xql file need guest update permissions for >> > >> regular web browsing? >> > > >> > > For XQuery resources, the permission flags are now interpreted as rwx >> > > instead of the old rwu. We're in the process of changing this >> > > everywhere. The documentation is a bit behind. >> > > >> > > Wolfgang >> > > >> > > ------------------------------------------------------------------------------ >> > > All of the data generated in your IT infrastructure is seriously valuable. >> > > Why? It contains a definitive record of application performance, security >> > > threats, fraudulent activity, and more. Splunk takes this data and makes >> > > sense of it. IT sense. And common sense. >> > > http://p.sf.net/sfu/splunk-d2d-c2 >> > > _______________________________________________ >> > > Exist-open mailing list >> > > Exi...@li... >> > > https://lists.sourceforge.net/lists/listinfo/exist-open >> > >> > >> > ------------------------------------------------------------------------------ >> > All the data continuously generated in your IT infrastructure contains a >> > definitive record of customers, application performance, security >> > threats, fraudulent activity and more. Splunk takes this data and makes >> > sense of it. Business sense. IT sense. Common sense. >> > http://p.sf.net/sfu/splunk-d2d-oct >> > _______________________________________________ >> > Exist-development mailing list >> > Exi...@li... >> > https://lists.sourceforge.net/lists/listinfo/exist-development > > |
