annotate doc/security.txt @ 4480:1613754d2646

Fix first part of Password handling security issue2550688 (thanks Joseph Myers for reporting and Eli Collins for fixing). Small change against original patch: We still accept plaintext passwords (in known_schemes) when parsing encrypted password (e.g. from database). This way existing databases with plaintext passwords continue to work (I don't know of any, this would need patching on the user's side) and all regression tests pass.
author Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date Thu, 14 Apr 2011 12:24:59 +0000
parents 251382399e45
children 33a1f03b9de0
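The commit message above keeps ``plaintext`` among the schemes accepted when a stored password is parsed, so that a database holding unhashed passwords keeps working. The following is an added example of that policy, not Roundup's password module: the scheme names, the ``PasswordError`` exception, the PBKDF2 encoding for new passwords and the rule that a user-supplied candidate is never parsed for a scheme prefix are all assumptions made here. It shows the allow-list applying only to values read back from the database, new passwords always being encoded with the current scheme, and legacy schemes being verify-only and flagged for re-encoding.

```python
# Added example: scheme-prefixed password storage parsed against an allow-list.
# Not Roundup's password module; scheme names, PasswordError, the PBKDF2
# encoding and the "candidate is never parsed" rule are assumptions.
import base64
import hashlib
import hmac
import os

# Schemes we can verify when reading a stored value back from the database.
# "plaintext" is kept only so that an old, never-migrated database still
# works; it is never used when encoding a new password.
KNOWN_SCHEMES = ("PBKDF2", "SSHA", "plaintext")
ENCODE_SCHEME = "PBKDF2"
PBKDF2_ROUNDS = 100_000


class PasswordError(ValueError):
    """Raised for a stored value that cannot be parsed as a password."""


def encode_password(plaintext):
    """Return the '{PBKDF2}rounds$salt$hash' string to store for a new password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "{%s}%d$%s$%s" % (
        ENCODE_SCHEME,
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_stored(stored):
    """Split a stored '{scheme}value' string into (scheme, value).

    Only schemes in KNOWN_SCHEMES are accepted; anything else is an error
    rather than being silently treated as a plaintext password.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise PasswordError("stored password has no scheme prefix")
    scheme, value = stored[1:].split("}", 1)
    if scheme not in KNOWN_SCHEMES:
        raise PasswordError("unknown password scheme %r" % scheme)
    return scheme, value


def verify_password(stored, candidate):
    """Check the user-supplied candidate against the stored value.

    The candidate is always raw text: it is never parsed for a '{scheme}'
    prefix, so a user cannot submit a hash and have it accepted as an
    already-encoded password.
    """
    scheme, value = parse_stored(stored)
    raw = candidate.encode("utf-8")
    if scheme == "PBKDF2":
        rounds, salt_b64, hash_b64 = value.split("$", 2)
        digest = hashlib.pbkdf2_hmac("sha256", raw, base64.b64decode(salt_b64), int(rounds))
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    if scheme == "SSHA":
        # Legacy layout: base64(sha1(password + salt) + salt); verify-only.
        blob = base64.b64decode(value)
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(raw + salt).digest(), digest)
    # scheme == "plaintext": legacy databases only; verify-only.
    return hmac.compare_digest(value.encode("utf-8"), raw)


def needs_rehash(stored):
    """True when a successful login should re-encode the password with ENCODE_SCHEME."""
    scheme, _ = parse_stored(stored)
    return scheme != ENCODE_SCHEME
```

The two entry points differ on purpose: ``parse_stored`` is only ever given values that came out of the database, while ``verify_password`` treats whatever the user typed as opaque bytes, so the legacy allow-list never widens what a login form will accept.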

rev 3940  Richard Jones <richard@users.sourceforge.net>

===================
Security Mechanisms
===================

:Version: $Revision: 1.16 $

Current situation
=================

Current logical controls:

ANONYMOUS_ACCESS = 'deny'
  Deny or allow anonymous access to the web interface
ANONYMOUS_REGISTER = 'deny'
  Deny or allow anonymous users to register through the web interface
ANONYMOUS_REGISTER_MAIL = 'deny'
  Deny or allow anonymous users to register through the mail interface

Current user interface authentication and controls:

- command-line tool access is controlled with passwords, but has no logical
  controls
- CGI access is by username and password and has some logical controls
- mailgw access is through identification by the sender's email address, with
  limited functionality available

The web interface implements specific logical controls,
preventing non-admin users from accessing:

- other users' details pages
- listing the base classes (other than issues and their own user page)
- editing base classes

Issues
======

1. The current implementation is ad-hoc, and not complete for all `use cases`_.
2. It is currently not possible to allow submission of issues through email
   while restricting those same users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
   than the From address, which is trivially forged. Support for strong
   identification through digital signatures should be added.
5. The command-line tool has no logical controls.
6. The anonymous control needs revising - there should only be one way to be
   an anonymous user, not two (currently there is user==None and
   user=='anonymous').


Possible approaches
===================

Security controls in Roundup could be approached in three ways:

1) at the hyperdb level, with read/write/modify permissions on classes, items
   and item properties for all or specific transitions.
2) at the user interface level, with access permissions on CGI interface
   methods, mailgw methods, roundup-admin methods, and so on.
3) at a logical permission level, checked as needed.

In all cases, the security built into Roundup assumes that access to the
hyperdatabase itself is restricted through operating system controls such as
user or group permissions: anyone who can open the database files directly
bypasses every control described here.


Hyperdb-level control
---------------------

Control is implemented at the Class.get, Class.set and Class.create level. All
other methods must access items through these methods. Since all accesses go
through the database, we can implement deny by default.

Pros:

- easier to implement as it only affects one module
- smaller number of permissions to worry about

Cons:

- harder to determine the relationship between user interaction and hyperdb
  permission.
- a lot of work to define
- must special-case to handle by-item permissions (editing user details,
  having private messages)

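A toy version of the hyperdb-level approach, added here as an example and not taken from Roundup's hyperdb (the ``Security`` grant table, the ``Denied`` exception, the Role names and the owner special case are assumptions made for the illustration): every read and write funnels through ``get``, ``set`` and ``create``, any (class, access) pair with no grant is denied, and the by-item special case from the cons list is handled by letting an item's owner view and edit that one item.

```python
# Added example: deny-by-default control at the Class.get/set/create boundary
# of a small in-memory "hyperdb".  Not Roundup's hyperdb; the grant table,
# Denied, the Role names and the owner special case are assumptions.


class Denied(Exception):
    """Raised when the current user lacks the required access."""


class Security:
    """Maps (classname, access) -> set of Roles; an unlisted pair is denied."""

    def __init__(self):
        self._grants = {}

    def grant(self, role, classname, access):
        self._grants.setdefault((classname, access), set()).add(role)

    def allowed(self, roles, classname, access):
        return bool(self._grants.get((classname, access), set()) & set(roles))


class Class:
    """All item access goes through get/set/create, so the check lives here."""

    def __init__(self, db, name, owner_prop=None):
        self.db, self.name, self.owner_prop = db, name, owner_prop
        self._items = {}
        self._next = 1

    def _check(self, access, itemid=None):
        user = self.db.current_user
        if self.db.security.allowed(self.db.roles_of(user), self.name, access):
            return
        # By-item special case (the "con" noted above): a user may view and
        # edit the one item naming them as owner, e.g. their own user record,
        # without any class-wide right.
        if itemid is not None and self.owner_prop and access in ("View", "Edit"):
            if self._items.get(itemid, {}).get(self.owner_prop) == user:
                return
        raise Denied("%s denied %s on %s" % (user, access, self.name))

    def create(self, **props):
        self._check("Create")
        itemid = str(self._next)
        self._next += 1
        self._items[itemid] = dict(props)
        return itemid

    def get(self, itemid, prop):
        self._check("View", itemid)
        return self._items[itemid][prop]

    def set(self, itemid, **props):
        self._check("Edit", itemid)
        self._items[itemid].update(props)


class Database:
    def __init__(self):
        self.security = Security()
        self.classes = {}
        self.current_user = "anonymous"
        self._user_roles = {"admin": {"Admin"}, "anonymous": {"Anonymous"}}

    def add_class(self, name, owner_prop=None):
        self.classes[name] = Class(self, name, owner_prop)
        return self.classes[name]

    def set_roles(self, user, roles):
        self._user_roles[user] = set(roles)

    def roles_of(self, user):
        return self._user_roles.get(user, set())


def demo():
    """Run the scenario from the text; returns four booleans for checking."""
    db = Database()
    user = db.add_class("user", owner_prop="username")
    for access in ("Create", "View", "Edit"):
        db.security.grant("Admin", "user", access)

    db.current_user = "admin"
    alice = user.create(username="alice", address="alice@example.org")
    bob = user.create(username="bob", address="bob@example.org")

    # Anonymous holds no grants on any class: denied by default.
    db.current_user = "anonymous"
    try:
        user.get(alice, "address")
        anonymous_denied = False
    except Denied:
        anonymous_denied = True

    # alice has no class-wide right on 'user' either, only the owner case.
    db.set_roles("alice", {"User"})
    db.current_user = "alice"
    alice_reads_own = user.get(alice, "address") == "alice@example.org"
    user.set(alice, address="a@example.org")
    alice_edits_own = user.get(alice, "address") == "a@example.org"
    try:
        user.set(bob, address="attacker@example.org")
        alice_edits_other = True
    except Denied:
        alice_edits_other = False
    return anonymous_denied, alice_reads_own, alice_edits_own, alice_edits_other
```

Because the grant table is keyed only on class and access, the owner exception has to be coded into ``_check`` by hand, which is exactly the special-casing the cons list warns about.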

User-interface control
----------------------

The user interfaces would have an extra layer between the code that parses
the request to determine the action and the action method itself. This layer
controls access. Since methods can be required to register with the security
mechanism before a user may invoke them, deny by default is possible: an
unregistered method is simply not reachable.

Pros:

- much more obvious at the user level what the controls are

Cons:

- much more work to implement
- most user interfaces have multiple uses which can't be covered by a
  single permission

Logical control
---------------

At each point that requires an action to be performed, the security mechanisms
are asked if the current user has permission. Since code must explicitly call
the check function to raise a denial, there is no possibility of an automatic
default of deny in this situation: any code path that omits the check is
allowed.

Pros:

- quite obvious what is going on
- is very similar to the current system

Cons:

- large number of possible permissions that may be defined, possibly
  mirroring actual user interface controls.
- access to the hyperdb must be strictly controlled through program code
  that implements the logical controls.


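The following added example (not Roundup's cgi client or security module; the action names, Role names, ``Security`` class and ``Denied`` exception are assumptions made here) puts the user-interface approach and the logical-control approach side by side on one Role-based permission table. With the registry, an action that was never registered cannot be reached, so denial is the default; with explicit checks, a handler that forgets the call is open to everyone, which is the weakness noted above.

```python
# Added example: the two dispatch strategies described above, side by side on
# one toy permission table.  Not Roundup's cgi client or security module; the
# action names, the Security class, the Role names and Denied are assumptions.


class Denied(Exception):
    """Raised when the current user lacks the required permission."""


class Security:
    """Permission module: Roles carry permissions, users carry Roles."""

    def __init__(self):
        self._role_perms = {}
        self._user_roles = {}

    def add_permission_to_role(self, role, permission):
        self._role_perms.setdefault(role, set()).add(permission)

    def add_role_to_user(self, user, role):
        self._user_roles.setdefault(user, set()).add(role)

    def has_permission(self, permission, user):
        return any(permission in self._role_perms.get(role, ())
                   for role in self._user_roles.get(user, ()))


# --- User-interface control --------------------------------------------------
# Every action must be registered together with the permission it needs.  The
# layer between request parsing and the action method consults the registry,
# so an action that was never registered cannot be invoked: deny by default.

ACTIONS = {}


def action(name, permission):
    """Decorator: register func as the handler for name, guarded by permission."""
    def register(func):
        ACTIONS[name] = (permission, func)
        return func
    return register


def dispatch_ui(security, user, action_name, *args, **kwargs):
    if action_name not in ACTIONS:
        raise Denied("unregistered action %r" % action_name)
    permission, func = ACTIONS[action_name]
    if not security.has_permission(permission, user):
        raise Denied("%s lacks %s for %s" % (user, permission, action_name))
    return func(*args, **kwargs)


@action("view_issue", "View")
def view_issue(issue_id):
    return ("viewed", issue_id)


@action("edit_issue", "Edit")
def edit_issue(issue_id, **changes):
    return ("edited", issue_id, sorted(changes))


# --- Logical control ---------------------------------------------------------
# Each action asks the security module itself.  Nothing forces the call, so a
# handler that forgets it (retire_issue_unchecked) is open to every user.

def retire_issue_checked(security, user, issue_id):
    if not security.has_permission("Retire", user):
        raise Denied("%s lacks Retire" % user)
    return ("retired", issue_id)


def retire_issue_unchecked(security, user, issue_id):
    # Bug by omission: no has_permission call, so anyone may retire.
    return ("retired", issue_id)


def build_security():
    """Constructed Roles for the example; a tracker would load these from config."""
    sec = Security()
    for perm in ("View", "Edit", "Retire"):
        sec.add_permission_to_role("Admin", perm)
    sec.add_permission_to_role("User", "View")
    sec.add_permission_to_role("Anonymous", "View")  # as if ANONYMOUS_ACCESS = 'allow'
    sec.add_role_to_user("admin", "Admin")
    sec.add_role_to_user("alice", "User")
    sec.add_role_to_user("anonymous", "Anonymous")
    return sec
```

The ``Security`` class is the same in both halves; what differs is where the call to ``has_permission`` lives. In the registry it is made once, in the dispatcher, for every action; under logical control it is repeated in each handler, and a reviewer has to read every handler to know that none was missed.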
Action
======

The CGI interface must be changed to:

- authenticate over a secure connection
- use unique tokens as a result of authentication, rather than passing the
  user's real credentials (username/password) around with each request (this
  means sessions and hence a session database)
- use the new logical control mechanisms

- implement the permission module
- implement a Role editing interface for users
- implement htmltemplate tests on permissions
- switch all code over from using config vars for permission checks to using
  permissions
- change all explicit admin user checks to Role checks
- include config vars for initial Roles for anonymous web, new web and new
  email users

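Added example of the session-token item above, not Roundup's own session code (the ``SessionDB`` layout, the lifetime, the constructed ``USERS`` table and the ``handle_request`` shape are assumptions made here): credentials are presented once to ``login``, which returns a random token; every later request carries only the token, which is stored hashed and expires on inactivity.

```python
# Added example: an opaque session token issued once at login and resolved on
# every later request, so the username/password never travel again.  Not
# Roundup's session handling; the SessionDB layout, the token lifetime and the
# constructed USERS table are assumptions made for this illustration.
import hashlib
import hmac
import secrets
import time

SESSION_LIFETIME = 3600  # seconds of inactivity after which a token expires


def _token_key(token):
    # Only a hash of the token is stored: a copied session database then does
    # not yield live sessions.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionDB:
    """Maps hashed token -> {'user', 'expires'}; an in-memory stand-in for a store."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[_token_key(token)] = {
            "user": user, "expires": self._clock() + SESSION_LIFETIME}
        return token  # handed to the client once, e.g. in a cookie

    def user_for(self, token):
        """Return the user bound to token, or None if it is unknown or expired."""
        key = _token_key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        if record["expires"] < now:
            del self._sessions[key]  # expired: forget it rather than keep it around
            return None
        record["expires"] = now + SESSION_LIFETIME  # sliding expiry on activity
        return record["user"]

    def destroy(self, token):
        """Logout: the token stops working immediately, server side."""
        self._sessions.pop(_token_key(token), None)


# Constructed credential table for the example only; a tracker would check the
# password against the stored hash in its user class instead.
USERS = {"alice": "correct horse", "admin": "hunter2"}


def login(sessions, username, password):
    """The only request that carries the real credentials; returns a token or None."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return sessions.create(username)


def handle_request(sessions, token, action):
    """Every later request carries only the token; an invalid one means anonymous."""
    user = sessions.user_for(token) if token else None
    return (user or "anonymous", action)
```

The token is the only secret the browser holds after login, which is why it must come from a CSPRNG and travel only over the secure connection the first action item calls for; an unknown or expired token degrades the request to anonymous rather than failing it, so the existing anonymous controls still apply.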
The mail gateway must be changed to:

- use digital signatures
- use the new logical control mechanisms

- switch all code over from using config vars for permission checks to using
  permissions

The command-line tool must be changed to:

- use the new logical control mechanisms (only allowing write
  access by admin users, and read-only by everyone else)



Roundup Issue Tracker: http://roundup-tracker.org/