From: Adam R. <ad...@ex...> - 2012-02-08 22:03:20
Okay so I have been weighing up the pros and cons of the 'r-x' vs. '--x' requirements on stored XQuery main modules in eXist-db. I have foremost my security hat on, and want to adhere to the Unix security model as that is what eXist-db attempts to implement, and it is a very good model. The argument for not having the 'r' flag on XQuery scripts because they may contain sensitive information like usernames and passwords seems invalid to me, because sensitive information probably should not be in these scripts anyway. Arguably there was a time when you had to do this because the eXist-db authentication and user management system was not flexible enough; so perhaps because you created your own username/password system which mapped onto a few simple eXist-db users. This has changed, eXist-db now supports ACLs and multiple authentication realms. In fact it is this very use-case that prompted the start of all the security changes in eXist-db by me.

> If one can consider xquery /the native binary format/ in eXist-db, the
> model would look a lot more, like what you are used to.

However, the above argument suggested by Peter actually almost convinced me that maybe we should just require '--x' for execution of XQuery scripts and not 'r-x'. However, we would have to be willing to apply the same rule to XSLT and XProc, which I think is not perhaps a problem? I just wrote a small bash script and a C program on my Macbook and compared the Unix permissions required to execute each, to check. The bash script requires both read and execute bits when executed as '$ ./hello.sh' and bash cmd requires execute, BUT only requires read when executed as '$ bash hello.sh', whilst bash cmd requires execute. The C program only requires the execute bit to execute.

So I am now open to the idea of just requiring the 'x' bit to execute an XQuery script and not the 'r' bit, however the implementation of this is incredibly hard without sacrificing security and separation of concerns. The problem is that eXist-db's internals are somewhat messy, and to know if a document is an XQuery document you have to read it from the database, and reading from the database requires the 'r' flag.

So what am I saying? I think this is doable and I will change it to just require the 'x' bit, but it will take time to do this correctly as much refactoring of eXist-db will have to happen. So please be patient...

And before someone points out that you 'only used to' need 'x' (or 'u') in eXist-db to execute a script, so solving the problem should not be hard, I should pre-empt and point out that eXist-db used to have several security holes; most of which I hope are now plugged ;-)

--
Adam Retter
eXist Developer
{ United Kingdom }
ad...@ex...
irc://irc.freenode.net/existdb
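The permission comparison Adam describes in the message above (a script run as `./hello.sh` versus `sh hello.sh`, and a compiled binary that needs only the execute bit) can be reproduced with the following script. This is an added example and not code from the mailing-list post or from the eXist-db project; it assumes a POSIX `sh`, `chmod`, `mktemp`, and a writable directory that is not mounted `noexec`. The compiled-binary check runs only if a `cc` is on the PATH. One caveat the post does not mention: root bypasses discretionary read checks, so the `--x` (mode 100) case only shows the "denied" result when run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): which permission bits are
# actually needed to run a stored script, depending on how it is invoked.
set -u

# try_run CMD... : prints "ok" if CMD exits 0, "denied" otherwise.
try_run() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# scratch_dir : a throwaway directory, preferring the working directory
# (less likely to be noexec than /tmp) and falling back to mktemp's default.
scratch_dir() {
    mktemp -d "${PWD}/permtest.XXXXXX" 2>/dev/null || mktemp -d
}

# run_matrix MODE : writes a trivial shell script, sets its mode (e.g. 500,
# 100, 400) and reports whether it runs when executed directly (kernel execve
# followed by the interpreter opening the file) and via "sh script" (plain
# open() by the interpreter, no execve of the script itself).
# Output line: "MODE direct=<ok|denied> via_sh=<ok|denied>"
run_matrix() {
    mode=$1
    dir=$(scratch_dir) || return 1
    script="$dir/hello.sh"
    printf '#!/bin/sh\necho hello\n' > "$script"
    chmod "$mode" "$script"
    direct=$(try_run "$script")
    via_sh=$(try_run sh "$script")
    rm -rf "$dir"
    echo "$mode direct=$direct via_sh=$via_sh"
}

# compiled_binary_check : if a C compiler is available, build a do-nothing
# program, strip every read bit (mode 100) and report whether it still runs.
# A native binary is loaded by the kernel, which only checks the 'x' bit.
compiled_binary_check() {
    command -v cc >/dev/null 2>&1 || { echo "binary: cc not available, skipped"; return 0; }
    dir=$(scratch_dir) || return 1
    printf 'int main(void) { return 0; }\n' > "$dir/hello.c"
    if ! cc -o "$dir/hello" "$dir/hello.c" >/dev/null 2>&1; then
        rm -rf "$dir"; echo "binary: compile failed, skipped"; return 0
    fi
    chmod 100 "$dir/hello"
    echo "binary mode 100 direct=$(try_run "$dir/hello")"
    rm -rf "$dir"
}

# Demo: as an unprivileged user this prints
#   500 direct=ok via_sh=ok
#   100 direct=denied via_sh=denied   (root: ok/ok, DAC read check bypassed)
#   400 direct=denied via_sh=ok
#   binary mode 100 direct=ok         (when a compiler is present)
[ "$(id -u)" -eq 0 ] && echo "note: running as root, read checks are bypassed"
for m in 500 100 400; do run_matrix "$m"; done
compiled_binary_check
```

The point for the eXist-db discussion is the middle row: a script that carries only `--x` cannot be run as `./hello.sh` either, because the interpreter the kernel hands it to must still open the file for reading, whereas a native binary with the same mode runs fine. Requiring only 'x' on an XQuery module therefore means the engine, not the requesting user, must be the one with read access to the stored document.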