From: Jamie C. <jca...@we...> - 2002-06-26 01:45:59
jam...@te... wrote:
>>> will be created. When you do step 4, remove the module, the acl hangs
>>> around (i.e. it does not get deleted). I am not sure if this could be
>>> exploited or even lends itself to a writer of a module shooting themselves
>>> in the foot and allowing what was not intended to be allowed. Even
>>> still I don't think it's the right thing to do. Is this seen as
>>> a problem by any others?
>>
>> That is actually a feature, so that if you give the module back to the
>> user in future he will have the same access control settings as before.
>
> I kind of figured that may be the reason it's left around. My main concern
> with it being left around is a module being written that uses another
> module's ACL for something because it is going to use a foreign function
> from that module. What should occur (at least as I understand it the
> webmin code) is:
>
> 1) Make sure the user can even use the foreign module at all; if not
>    abort (or don't show the link (-:).
> 2) Then make sure the user can do the particular foreign function.
>
> What I am afraid of is code that is written that neglects to do the first
> check. What I think could avoid this from occurring and still keep the
> feature around (I agree it is a nice feature; I am just your security
> paranoid conscience talking to you (-;) is that you rename the acl when
> that module is removed from the user's list of modules. For instance, say
> it's user test, and the fdisk module is being removed, then the acl file:
>
> fdisk/test.acl
>
> could be renamed to:
>
> fdisk/_old_test.acl
>
> or prepend a dot or whatever seems nice. If the module gets added back
> then it would look for the user's old acl file and rename it appropriately.

That wouldn't really make any difference, unless there was another module
also in the /fdisk/ directory, which should never happen.

Modules don't look at each other's .acl files at the moment, not even for
foreign function calls (which are always assumed to be trusted). ACL checking
is done at the .cgi program level, not in the underlying libraries, so even
if you don't have access to the /mount module you can still see information
about mounted filesystems in the /fdisk module.

Anyway, I am totally sure that there is no security risk in leaving .acl
files around. If anything, removing them would be a security risk, because if
you deleted a module and then re-installed it, all users with access to it
would get full privileges if the .acl files were deleted.

- Jamie
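
An added example, not part of the original message and not Webmin code: a Python model of the two-step check listed in the quoted text, run against a leftover `fdisk/test.acl`. The `webmin.acl` user-to-modules file layout, the `edit` ACL key and all function names are assumptions made for illustration.

```python
import os
import tempfile

def read_acl(config_dir, module, user):
    """Parse <module>/<user>.acl (key=value lines); None if the file is absent."""
    path = os.path.join(config_dir, module, user + ".acl")
    if not os.path.isfile(path):
        return None
    acl = {}
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep:
                acl[key] = value
    return acl

def user_modules(config_dir, user):
    """Modules currently granted to a user, from 'user: mod1 mod2' lines."""
    with open(os.path.join(config_dir, "webmin.acl")) as fh:
        for line in fh:
            name, sep, mods = line.partition(":")
            if sep and name.strip() == user:
                return set(mods.split())
    return set()

def acl_only_check(config_dir, user, module, key):
    """Step 2 alone: trusts whatever .acl file exists, including a leftover one."""
    acl = read_acl(config_dir, module, user)
    return acl is not None and acl.get(key) == "1"

def two_step_check(config_dir, user, module, key):
    """Step 1 (module still granted?) before step 2 (function allowed?)."""
    if module not in user_modules(config_dir, user):
        return False
    return acl_only_check(config_dir, user, module, key)

def build_sample(config_dir):
    """Constructed state: fdisk was removed from user 'test', its .acl remains."""
    os.makedirs(os.path.join(config_dir, "fdisk"))
    with open(os.path.join(config_dir, "webmin.acl"), "w") as fh:
        fh.write("test: mount\nadmin: mount fdisk\n")
    for user in ("test", "admin"):
        with open(os.path.join(config_dir, "fdisk", user + ".acl"), "w") as fh:
            fh.write("edit=1\n")  # 'edit' is a hypothetical ACL key

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for user in ("test", "admin"):
            print(user, acl_only_check(d, user, "fdisk", "edit"),
                  two_step_check(d, user, "fdisk", "edit"))
```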