![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ef3b9cc)
raw | patch | inline | side by side (parent: ef3b9cc)
| author | richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
| Mon, 17 Jun 2002 23:15:05 +0000 (23:15 +0000) | ||
| committer | richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2> | |
| Mon, 17 Jun 2002 23:15:05 +0000 (23:15 +0000) |
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@787 57a73879-2fb5-44c3-a270-3262357dd7e2
| doc/security.txt | patch | blob | history |
diff --git a/doc/security.txt b/doc/security.txt
index c25fca89287081c26a47658e9780316a475b08b6..d63f0eda2000ddc66618219457a8f46a3ec6b160 100644 (file)
--- a/doc/security.txt
+++ b/doc/security.txt
Security Mechanisms
===================
-:Version: $Revision: 1.2 $
+:Version: $Revision: 1.3 $
Current situation
=================
ANONYMOUS_REGISTER_MAIL = 'deny'
Deny or allow anonymous users to register through the mail interface
-The web interface implements another level of user-interface security,
+Current user interface authentication and controls:
+
+- command-line tool access controlled with passwords, but no logical controls
+- CGI access is by username and password and has some logical controls
+- mailgw access is through identification using sender email address, with
+ limited functionality available
+
+The web interface implements has specific logical controls,
preventing non-admin users from accessing:
- other user's details pages
- listing the base classes (not issues or their user page)
- editing base classes
-
Issues
======
but restrict those users from accessing the web interface.
3. Only one user may perform admin functions.
4. There is no verification of users in the mail gateway by any means other
- than the From address. Support for strong signatures should be added.
+ than the From address. Support for strong identification through digital
+ signatures should be added.
+5. The command-line tool has no logical controls.
Possible approaches
hyperdatabase itself, through Operating System controls such as user or group
permissions.
+
Hyperdb-level control
---------------------
- large number of possible permissions that may be defined, possibly
mirroring actual user interface controls.
+ - access to the hyperdb must be strictly controlled through program code
+ that implements the logical controls.
Applying controls to users
r = db.getclass('role').find('User')
user.create(username="anonymous", roles=[r])
+
+Authentication of Users
+-----------------------
+
+Users must be authenticated correctly for the above controls to work. This is
+not done in the current mail gateway at all. Use of digital signing of
+messages could alleviate this problem.
+
+The exact mechanism of registering the digital signature should be flexible,
+with perhaps a level of trust. Users who supply their signature through their
+first message into the tracker should be at a lower level of trust to those
+who supply their signature to an admin for submission to their user details.
+
+
+Action
+======
+
+The CGI interface must be changed to:
+
+- authenticate over a secure connection
+- use unique tokens as a result of authentication, rather than pass the user's
+ real credentials (username/password) around for each request (this means
+ sessions :)
+- use the new logical control mechanisms
+
+The mail gateway must be changed to:
+
+- use digital signatures
+- use the new logical control mechanisms
+The command-line tool must be changed to:
+
+- use the new logical control mechanisms (only allowing write
+ access by admin users, and read-only by everyone else)
+
Use cases
=========