-------- Original Message --------
Subject: Re: [e-smith-devinfo] Groupware and file sharing security
Date: Mon, 29 Apr 2002 10:46:09 -0700
From: "Greg J. Zartman" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: Logging Engineering International, Inc.
To: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>

> I wonder if everyone is aware of the security risk inherent in any groupware
> app that shares files. I have not found any app that does this in a secure
> fashion because they do not and can not implement Apache security via the
> SME templates. And I do not mean the security that every app attempts to
> implement. I mean _true_ security.

Darrell,

Glad to see you jumping in on this thread....

First I'd like to reemphasize my previous point about usability. If it isn't simple and straightforward, most people won't use it regardless of how secure it is. IMO (and most of the time), every increase in security results in a decrease in convenience. A good example is CVS. This is a wonderful file sharing system that provides excellent security, not to mention the versioning capabilities. I'd love to implement CVS in my shop for sharing/tracking project files. Problem is, 90% of the users here in my shop wouldn't use it because it's too complicated. Heck, if I don't use it for a few months, I have to go back and brush up on the commands to use and what not.

Second, there are A LOT of groupware solutions out there that provide file sharing capabilities in one form or another. I guess it's worth a little research time to see what type of security they are using.

> What I do myself to share files is very simple. It may meet your needs (or
> not). I've put up a demo site here:

This looks really good Darrell. It wouldn't take much work at all to dress this up and integrate it with...... Twiggi for example??? ;-)

On the security topic, what issues need to be addressed?

-Unauthorized access? : This should be taken care of by the groupware app itself. Why should a person need to log in twice to upload a file? Once a person is authenticated into the groupware system (i.e., to check email, browse address,..., etc.) access to a file upload area should be by authenticated users only. I'm not a php person, but I can think of several ways of doing this with perl.

-Uploading malicious code? : I think it would be near impossible to prevent this 100%. I think it would be fairly easy, and prudent, to have a "data scrubbing" layer in whatever solution is used (i.e., to look for obvious security issues). To prevent propagation of viruses, couldn't a person point RAV (or some other virus scanning app) at the file repository area?

- What else???

Regards,

Greg J. Zartman, P.E.

--
Greg J. Zartman, P.E.
Vice-President
Logging Engineering International, Inc.
1243 West 7th Avenue
Eugene, Oregon 97402
541-683-8383
541-683-8144
www.leiinc.com

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
