Jonas Sicking wrote:
Anne van Kesteren wrote:
On Tue, 24 Apr 2007 21:12:35 +0200, Jonas Sicking <[EMAIL PROTECTED]>
wrote:
One thing that is very important IMHO is that it is possible using
headers to turn off access to a whole server. One use case for this would
be if a site notices some files are misconfigured and as immediate
security precaution disables access to all files while figuring out what
is wrong.
Another scenario would be a hosting server such as livejournal or
geocities wanting to disable access to all their hosted files even
though other users manage the contents of those files.
How about changing:
rule ::= "allow" (pattern)+ ("exclude" (pattern)+)?
To:
rule ::= deny | allow
deny ::= "deny" (pattern)+
allow ::= "allow" (pattern)+ ("exclude" (pattern)+)?
And then letting the algorithm in section 3 first seek through all
explicit deny clauses.
I actually liked the idea of going through the clauses in the order they
appear. It seems logical and easy for authors to follow that logic.
However as I've been thinking about this I do think that "exclude" can
be useful, at least for the processing instruction. One example I
brought up was a server administrator inside a firewall wanting to block
access to all files from servers outside the firewall. Such a header
would likely look something like:
deny <*> exclude <http://*.intranet.company.com>
<https://*.intranet.company.com>
This would then allow the page to explicitly define which sites would be
able to access it, but would prevent the page from accidentally allowing
access from an external site.
An even better idea occurred to me. How about the following syntax:
rule ::= deny | allow | default
deny ::= "deny" (pattern)+
allow ::= "allow" (pattern)+
default ::= "default" (pattern)+
The rules are matched first-to-last, if a 'default' rule is hit processing
of the header is stopped and only the PI rules in the document are used. This
allows the same set of rules to be constructed as if we had 'exclude' on
both deny and allow, but is IMHO easier to read and see what matches what.
The name 'default' might not be ideal. 'none' or 'page' are other names
I could think of.
/ Jonas
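
The first-to-last evaluation with a 'default' rule described in the message above, as an added example that is not part of the original thread or of any specification. Assumptions: each rule is passed as a separate string, a bare <*> matches any origin, a '*' inside a pattern matches only host-name characters, and the result names ("defer-to-pi", None for no match) are made up for this sketch.

```python
import re

# rule ::= ("deny" | "allow" | "default") (pattern)+, as proposed in the message.
RULE_RE = re.compile(r'^(deny|allow|default)((?:\s+<[^<>\s]+>)+)\s*$')

def parse_rule(text):
    """Split one rule into its keyword and its list of patterns."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid rule: {text!r}")
    return m.group(1), re.findall(r'<([^<>\s]+)>', m.group(2))

def pattern_matches(pattern, origin):
    """Assumed matching: bare '*' is a catch-all; an embedded '*' is confined
    to host-name characters so it cannot swallow '/', '@' or '?'."""
    if pattern == "*":
        return True
    regex = re.escape(pattern.lower()).replace(r'\*', '[a-z0-9.-]*')
    return re.fullmatch(regex, origin.lower()) is not None

def evaluate(header_rules, origin):
    """Walk the rules in order; the first rule with a matching pattern decides.
    A 'default' hit stops header processing and leaves the decision to the
    document's processing-instruction (PI) rules."""
    for text in header_rules:
        kind, patterns = parse_rule(text)
        if any(pattern_matches(p, origin) for p in patterns):
            return "defer-to-pi" if kind == "default" else kind
    return None  # no header rule matched (handling of this case is not in the message)

# Constructed policy: the firewall scenario from the thread, rewritten with
# 'default' in place of "deny <*> exclude ...".
INTRANET_POLICY = [
    "default <http://*.intranet.company.com> <https://*.intranet.company.com>",
    "deny <*>",
]

if __name__ == "__main__":
    for origin in ("https://wiki.intranet.company.com", "http://outside.example"):
        print(origin, "->", evaluate(INTRANET_POLICY, origin))
```

Reversing the two rules makes "deny <*>" win for every origin, which is why rule order matters in the first-to-last model.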