Security in Sling

2009-04-22 Thread Jukka Zitting
Hi, I was thinking about the implications of giving a user write access to a subtree of the repository. With that access the user could now upload a new script and create a node that invokes that script when rendered. What if the script contains something like System.exit(1)? Or something even mo

Security in Sling

2009-04-22 Thread Rory Douglas
Bertrand Delacretaz wrote: 2) Prevent legitimate scripts from messing up with the system A variant of 2) just showed up in the "Accessing JCR" thread. Looks like anyone that can upload a script can do the following: <% SlingRepository repo = sling.getService(SlingRepository.class);

Re: Security in Sling

2009-04-22 Thread Torgeir Veimo
The servlet container usually has default security policies defined, which can easily be changed. E.g. for Tomcat, look at conf/catalina.policy. Am not sure what facilities OSGi containers provide in this area though? 2009/4/22 Jukka Zitting > Hi, > > I was thinking about the implications of givi

Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi, Jukka Zitting schrieb: > Hi, > > I was thinking about the implications of giving a user write access to > a subtree of the repository. With that access the user could now > upload a new script and create a node that invokes that script when > rendered. > > What if the script contains somethi

Re: Security in Sling

2009-04-22 Thread Ian Boston
This is an interesting one for us, since all users will have write access to the repository. Is there an 'execute' permission in Sling, or perhaps even an equivalent to the no-execute mount option in POSIX? I see some extensions to the DefaultAccessControlManager looming. Ian On 22 Apr 2009

Re: Security in Sling

2009-04-22 Thread Jukka Zitting
Hi, On Wed, Apr 22, 2009 at 12:40 PM, Torgeir Veimo wrote: > The servlet container usually has default security policies defined, which > can easily be changed. E.g. for Tomcat, look at conf/catalina.policy. What would such a policy file look like, i.e. what codeBase should be used and what permi

Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi, Torgeir Veimo schrieb: > The servlet container usually has default security policies defined, which > can easily be changed. E.g. for Tomcat, look at conf/catalina.policy. > Am not sure what facilities OSGi containers provide in this area though? OSGi containers basically also depend on standa

Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi, Ian Boston schrieb: > This is an interesting one for us, since all users will have write > access to the repository. > Is there an 'execute' permission in sling, or perhaps even an equivalent > to the no execute mount option in posix. I see some extensions to the > DefaultAccessControlManager

Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
Hi Jukka, On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting wrote: > ...I was thinking about the implications of giving a user write access to > a subtree of the repository. With that access the user could now > upload a new script and create a node that invokes that script when > rendered Req

Re: Security in Sling

2009-04-22 Thread Carsten Ziegeler
Bertrand Delacretaz wrote: > Hi Jukka, > > On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting > wrote: >> ...I was thinking about the implications of giving a user write access to >> a subtree of the repository. With that access the user could now >> upload a new script and create a node that invok

Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi, Carsten Ziegeler schrieb: > Bertrand Delacretaz wrote: >> Hi Jukka, >> >> On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting >> wrote: >>> ...I was thinking about the implications of giving a user write access to >>> a subtree of the repository. With that access the user could now >>> upload a

Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
On Wed, Apr 22, 2009 at 1:42 PM, Felix Meschberger wrote: > Hi, > > Carsten Ziegeler schrieb: >> ...scripts are >> only picked >> up from configured paths (libs and apps by default). So as long as the >> user is not allowed to write in these locations, everything should be fine. > > Well, there is

Re: Security in Sling

2009-04-22 Thread Ian Boston
Felix, That sounds like it would address the issue of accepting scripts from trusted sources but would not make the scripts safe as per your original post. On System.exit itself I can't remember if the runtime shutdown handler can veto System.exit, although the damage will already be done

Re: Security in Sling

2009-04-22 Thread Tobias Bocanegra
On Wed, Apr 22, 2009 at 12:41 PM, Felix Meschberger wrote: > Hi, > > Jukka Zitting schrieb: >> Hi, >> >> I was thinking about the implications of giving a user write access to >> a subtree of the repository. With that access the user could now >> upload a new script and create a node that invokes

Re: Security in Sling

2009-04-22 Thread Jukka Zitting
Hi, On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra wrote: > System.exit() bears IMO no real risk, since it can be prevented by > java security. I'd like to see the relevant java security settings. With all the OSGi stuff, JCR bundle loading, and script compiling in place I think coming up wit

Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi, Jukka Zitting schrieb: > Hi, > > On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra wrote: >> System.exit() bears IMO no real risk, since it can be prevented by >> java security. > > I'd like to see the relevant java security settings. With all the OSGi > stuff, JCR bundle loading, and scrip

Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
On Wed, Apr 22, 2009 at 2:44 PM, Jukka Zitting wrote: > Hi, > > On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra wrote: >> System.exit() bears IMO no real risk, since it can be prevented by >> java security. > > I'd like to see the relevant java security settings. With all the OSGi > stuff, JCR

(In)Security in Sling

2009-05-26 Thread John Crawford
Hello, I have been working with Sling for quite some time and, of course, Day products. One thing that I have been increasingly concerned with is the end user's ability to scrape all of the site's content and code with minimal effort using the built-in functionality of the SlingPostServlet. For Ex

Re: (In)Security in Sling

2009-05-26 Thread Jukka Zitting
Hi, On Tue, May 26, 2009 at 5:15 PM, John Crawford wrote: > Is there a better way to handle this? Access control. BR, Jukka Zitting

Re: (In)Security in Sling

2009-06-02 Thread Felix Meschberger
Hi, John Crawford schrieb: > I have been working with Sling for quite some time and, of course, Day > products. One thing that I have been increasingly concerned with is the end > user's ability to scrape all of the site's content and code with minimal > effort using the built-in functionality of t

Re: (In)Security in Sling

2009-06-02 Thread Ian Boston
Felix, +1 In addition, I would like to see a marker on the parent nodes that designates the subtree as containing executable content. Then the special session can be used to execute the scripts, but only after it had checked to see the script is located in an "executable" subtree. A suit

Re: (In)Security in Sling

2009-06-02 Thread David Nuescheler
hi guys, i really think this should be dealt with using proper repository access control. as soon as we start to let the application deal with security we need to worry about it in every specific application, and become prone to "xyz-injection" similar to the problem that db's have with "sql injecti

Re: (In)Security in Sling

2009-06-02 Thread Michael Marth
Hi, thanks John, for pointing this out. Part of the problem you describe is misconfigurations on my part (I did not realize that the "anonymous" user is not part of the "everyone" group). But as Felix has described the problem with the /apps directory cannot be fixed by configuration. I just file

Re: (In)Security in Sling

2009-06-02 Thread Felix Meschberger
Hi, Michael Marth schrieb: > Hi, > > thanks John, for pointing this out. > > Part of the problem you describe is misconfigurations on my part (I did not > realize that the "anonymous" user is not part of the "everyone" group). But > as Felix has described the problem with the /apps directory can

Re: (In)Security in Sling

2009-06-02 Thread Ian Boston
So that marker should be an ACL containing an ACE with execute privilege granted to the appropriate session. I wasn't aware that there was such a privilege in the Jackrabbit DefaultAccessManager or 283, but I agree that's where it should be. On a practical note, unless DefaultAccessManager et

Re: (In)Security in Sling

2009-06-02 Thread David Nuescheler
hi ian, sorry for the confusion. there is no privilege to "execute" something in jcr. i am not even sure that it should be part of the repository since the repository is not going to execute things anyway. i think if one has a tight coupling like between the os and the fs this may make sens

Re: (In)Security in Sling

2009-06-02 Thread Ian Boston
David, On 2 Jun 2009, at 13:06, David Nuescheler wrote: hi ian, sorry for the confusion. there is no privilege to "execute" something in jcr. i am not even sure that it should be part of the repository since the repository is not going to execute things anyway. agreed. i think

Re: (In)Security in Sling

2009-06-02 Thread John Crawford
Michael, No worries at all. I figured I could resolve most of this through a front-end proxy (like Apache2), but wanted to see if there was a better way. +1 on the JSON restriction. Would be kind of cool to be able to restrict/grant access based upon a regexp as well. Thank you for your help.

Re: (In)Security in Sling

2009-06-02 Thread Christian Sprecher
Hi all, This is something that has been nagging me for a while now: imho the whole JSR 283 security stuff looks good from the JCR context, but Sling is a different beast: it is a web framework, and therefore susceptible to all the web attack vectors, like information disclosure (e.g. unwanted

Re: (In)Security in Sling

2009-06-02 Thread Ruben Reusser
I have been wondering about this as well. The reverse proxy seems not to be the right place to add the security, since once bypassed one would have full access to the site and the code of the site. A Sling-based lockdown may be a problem too, since one site may need JSON (say the content manage

Restricting SlingRepository.loginAdministrative()? (was: Security in Sling)

2009-04-23 Thread Bertrand Delacretaz
Hi, On Wed, Apr 22, 2009 at 6:22 PM, Rory Douglas wrote: > Bertrand Delacretaz wrote: >> 2) Prevent legitimate scripts from messing up with the system > A variant of 2) just showed up in the "Accessing JCR" thread. Looks like > anyone that can upload a script can do the following: > > > <% >

Re: Restricting SlingRepository.loginAdministrative()? (was: Security in Sling)

2009-04-23 Thread Felix Meschberger
Hi, Bertrand Delacretaz schrieb: > Hi, > > On Wed, Apr 22, 2009 at 6:22 PM, Rory Douglas wrote: >> Bertrand Delacretaz wrote: >>> 2) Prevent legitimate scripts from messing up with the system >> A variant of 2) just showed up in the "Accessing JCR" thread. Looks like >> anyone that can upload

Re: Restricting SlingRepository.loginAdministrative()? (was: Security in Sling)

2009-04-23 Thread Julian Sedding
Hello, For sure not the easiest solution, but what about storing the application in a separate workspace from the content? If scripts were only executable in the application workspace, malicious attackers could maybe create a script in the content workspace, but it would not be possible to execute