From: Dmitriy S. <sha...@gm...> - 2012-02-09 12:48:44
On Thu, Feb 9, 2012 at 5:38 PM, Hungerburg <pc...@my...> wrote:

> On 2012-02-09 04:32, Dmitriy Shabanov wrote:
>
>> A C program for Linux is the same as an XQuery script for eXist (and vice versa), IMHO.
>>
>> > So I am now open to the idea of just requiring the 'x' bit to execute
>> > an XQuery script and not the 'r' bit, however the implementation of
>> > this is incredibly hard without sacrificing security and separation of
>> > concerns.
>>
>> It's simple if the interpreter checks the 'x' bit and reads the script as SYSTEM
>> (including modules)
>
> Dmitriy, as your case is to keep some users of the system from seeing the
> source of certain scripts: it is about confidentiality in a local context,
> unlike Joe, who seems to care about remote visibility only.
>
> Can the xquery processor (the agent) be trusted to not allow literal
> output of some resource that the calling user (the principal) must not see?
> The way I see it, the devil is in /including modules/. Then there are
> xquery functions that are probably safe - e.g. import() when constructing
> the parse tree - and xquery functions that are not safe.

The XQuery processor has three stages: read, compile & evaluation. My proposal is to run the first stage (read) as SYSTEM after the 'x' check & the 2nd/3rd as the authenticated/guest user.

Can we trust the XQuery processor? ... well .... hmmmm .... why not? -)

-- 
Dmitriy Shabanov
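
The staged model proposed in this message, sketched as a small Python simulation. This is an added example, not code from the thread or from eXist: the store, the two-digit mode, the simplified import/doc() parsing and every name in it are assumptions made for illustration. It also assumes the 'x' check is repeated for each imported module, which the message does not specify.

```python
import re
from dataclasses import dataclass

R, X = 4, 1                      # Unix-style permission bits
SYSTEM = "SYSTEM"                # hypothetical privileged identity

class AccessDenied(Exception):
    pass

@dataclass
class Resource:
    owner: str
    mode: int                    # two octal digits: owner, others (e.g. 0o71)
    source: str

def allowed(res, user, bit):
    if user == SYSTEM:
        return True
    bits = (res.mode >> 3) if user == res.owner else res.mode
    return bool(bits & 0o7 & bit)

def read_as(store, path, user):
    if not allowed(store[path], user, R):
        raise AccessDenied(f"{user} may not read {path}")
    return store[path].source

IMPORT = re.compile(r'import module[^;]*\bat "([^"]+)";')   # simplified syntax
DOC = re.compile(r'doc\("([^"]+)"\)')

def load(store, path, caller, seen=None):
    """Stage 1 (read): check 'x' for the caller, then read as SYSTEM."""
    seen = {} if seen is None else seen
    if path not in seen:
        if not allowed(store[path], caller, X):   # assumption: per-module check
            raise AccessDenied(f"{caller} may not execute {path}")
        seen[path] = read_as(store, path, SYSTEM)
        for module in IMPORT.findall(seen[path]):
            load(store, module, caller, seen)
    return seen

def run(store, path, caller):
    """Stages 2/3 (compile, evaluate), modelled as doc() reads done as the caller."""
    sources = load(store, path, caller)
    return [read_as(store, target, caller)
            for src in sources.values() for target in DOC.findall(src)]

# Constructed sample data: others get 'x' but not 'r' on the scripts.
STORE = {
    "/db/app.xq": Resource("alice", 0o71,
        'import module namespace l="urn:lib" at "/db/lib.xqm"; doc("/db/public.xml")'),
    "/db/lib.xqm": Resource("alice", 0o71, 'doc("/db/public.xml")'),
    "/db/leak.xq": Resource("alice", 0o71, 'doc("/db/app.xq")'),
    "/db/public.xml": Resource("alice", 0o74, "<ok/>"),
}
```

In this model `/db/leak.xq` runs for a user with only 'x', but its attempt to return the source of `/db/app.xq` fails, because only the read stage uses the SYSTEM identity.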