Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security implications of ACL resources on different servers #90

Open
csarven opened this issue Apr 27, 2020 · 5 comments
Open

Security implications of ACL resources on different servers #90

csarven opened this issue Apr 27, 2020 · 5 comments
Assignees

Comments

@csarven
Copy link
Member

csarven commented Apr 27, 2020

Rough text from auxiliary resource:

A given
Solid resource MAY Link to auxiliary resources on a different server under a
different authority, per the configuration of the Solid server on which that
resource resides.

If that goes through...

This entails that an ACL resource can be on a different server.. and so raises security issues that should be addressed.

  • Will agent(s) controlling a resource on server-A be authorized to request write operations on the ACL on server-B? Ditto the application.

  • What should happen if/when remote ACL becomes inaccessible (for whatever reason for any period)?

  • What should happen if/when remote ACL is compromised?

  • Would the server need to be authenticated and authorized like any other agent in order to:

    • name the ACL URI on different server, and making sure that the ACL can be created/modified (because it needs to have a link relation from primary resource to the ACL)
    • delete the associated ACL on different server?
@justinwb
Copy link
Member

justinwb commented Apr 30, 2020

See this comment on the pull request. TLDR; I think it's safe to remove this statement and do the inverse (which would resolve this issue). If we wanted to retain the flexibility in general, we could limit this specifically for ACLs. However, since we want to have default permission sets for auxiliary resources I think it's better to keep them on same server under the same authority.

@csarven
Copy link
Member Author

csarven commented Apr 30, 2020

Sharing this comment from @emmettownsend :

I suspect most of the auxiliary resources will need to be cached as they will be used at runtime by the server to make decisions on a per request basis. Therefore, if they are remote there needs to be a way to tell the server they have changed; otherwise the server will be using an out of date copy which will result in security holes.

Edit: To add to above, the server may also persist the rel=acl relation in the headers even after agents no longer having Control on the resource ie. the expectation being that only agents with Control can observe the relation.

@quattro004
Copy link

If the ultimate question to resolve this issue is "Is MUST NOT too strong?" I would agree with @csarven, no it is not too strong. IMO security related information should not be ambiguous.

Also, regarding the statement following that "An auxiliary resource that resides on a Solid server MUST adhere to the same interaction model used by other regular Solid resources, except where specified in the definition of that auxiliary resource type." I think that the exceptional portion of the statement is open ended.

@csarven csarven self-assigned this May 17, 2021
@csarven
Copy link
Member Author

csarven commented Jul 2, 2021

Moving this to WAC repo. There are some related considerations about Groups in https://github.com/solid/web-access-control-spec/blob/main/README-v0.5.0.md#group-listings---authentication-of-external-requests that can be taken up at the same time.

@csarven csarven transferred this issue from solid/specification Jul 2, 2021
@csarven
Copy link
Member Author

csarven commented Jul 2, 2021

Noting that the current WAC Editor's Draft allows servers to associate resources and ACL resources, and they can be on different origins. See #web-origin-authorization #uri-origin .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants