Currently we have 109 instantiations of the File class spread over 40 Java classes.
Each one of these has as much access to the filesystem as the user.
My proposal is to create a new module in the core which manages access to the
filesystem.
I would like the module to provide roles for read-only and read/write files or
directories.
ReadOnlyFile and ReadWriteFile would extend java.io.File and override getParentFile(),
which allows the owner of a single file to walk the directory tree.
Imagine the following situation:
A class called Alice needs to be able to read all files in ./skins/ and she needs
to be able to write to ./work/alice.txt.
If we use the component system she might say:
@Requirement("./skins/")
ReadOnlyFile skinsDirectory;
@Requirement("./work/alice.txt")
ReadWriteFile workFile;
Now suppose an attacker is able to completely compromise Alice and make her execute
whatever bytecode he wants. Let's also suppose we have implemented a SecurityManager
which prevents Alice from loading the File class or accessing Utils.getComponent.
The attacker will be able to read the files in ./skins/ and will be able to read and
write to ./work/alice.txt, but he won't be able to read other files or create new
files because Alice has no references to the component manager and thus cannot
access additional files.
We can leverage the component system to easily provide security using the principle
of least permission.
WDYT?
Caleb
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
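As an added example (not part of Caleb's mail and not XWiki code), here is a Java sketch of the ReadOnlyFile role described above. The class name and the getParentFile() override come from the proposal; everything else is my assumption about what such a role would need in practice: getAbsoluteFile(), getCanonicalFile() and the listFiles() overloads are re-wrapped because the java.io.File versions hand back plain File objects, toPath() is refused because java.nio.file.Path has its own getParent(), and the mutating methods throw. The temporary directory and file names in main() are constructed sample data.

```java
import java.io.File;
import java.io.FileFilter;
import java.io.FilenameFilter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Sketch of the ReadOnlyFile role from the proposal (added example, not XWiki
// code). It extends java.io.File, refuses to walk up the tree by overriding
// getParentFile()/getParent(), re-wraps every method that would otherwise hand
// back a plain java.io.File or a Path, and refuses the mutating operations.
public class ReadOnlyFile extends File {
    private static final long serialVersionUID = 1L;

    public ReadOnlyFile(String path) {
        super(path);
    }

    private ReadOnlyFile(File parent, String child) {
        super(parent, child);
    }

    // The point of the proposal: the holder of this file cannot reach its parent.
    @Override public String getParent() { return null; }
    @Override public File getParentFile() { return null; }

    // Assumed necessary: the base class returns fresh java.io.File objects here,
    // so without re-wrapping, getAbsoluteFile().getParentFile() would escape.
    @Override public File getAbsoluteFile() { return new ReadOnlyFile(getAbsolutePath()); }
    @Override public File getCanonicalFile() throws IOException { return new ReadOnlyFile(getCanonicalPath()); }

    // Assumed necessary: Path.getParent() would also escape, so refuse Path access.
    @Override public Path toPath() { throw new UnsupportedOperationException("ReadOnlyFile: Path access refused"); }

    // Directory listings hand out children carrying the same role.
    @Override public File[] listFiles() { return wrap(list()); }
    @Override public File[] listFiles(FilenameFilter filter) { return wrap(list(filter)); }
    @Override public File[] listFiles(FileFilter filter) {
        String[] names = list();
        if (names == null) return null;
        List<File> out = new ArrayList<>();
        for (String n : names) {
            ReadOnlyFile f = new ReadOnlyFile(this, n);
            if (filter == null || filter.accept(f)) out.add(f);
        }
        return out.toArray(new File[0]);
    }

    private File[] wrap(String[] names) {
        if (names == null) return null;
        File[] out = new File[names.length];
        for (int i = 0; i < names.length; i++) out[i] = new ReadOnlyFile(this, names[i]);
        return out;
    }

    // Mutating operations inherited from java.io.File are refused.
    @Override public boolean canWrite() { return false; }
    @Override public boolean createNewFile() { throw readOnly(); }
    @Override public boolean delete() { throw readOnly(); }
    @Override public void deleteOnExit() { throw readOnly(); }
    @Override public boolean mkdir() { throw readOnly(); }
    @Override public boolean mkdirs() { throw readOnly(); }
    @Override public boolean renameTo(File dest) { throw readOnly(); }
    @Override public boolean setLastModified(long time) { throw readOnly(); }
    @Override public boolean setWritable(boolean writable) { throw readOnly(); }
    @Override public boolean setWritable(boolean writable, boolean ownerOnly) { throw readOnly(); }

    private static UnsupportedOperationException readOnly() {
        return new UnsupportedOperationException("ReadOnlyFile: write operation refused");
    }

    // Demo on constructed sample data: a throwaway directory standing in for
    // ./skins/, plus a sibling file the role holder must not be able to reach.
    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("xwiki-demo").toFile();
        File skins = new File(root, "skins");
        skins.mkdir();
        Files.write(new File(skins, "default.css").toPath(), "body {}".getBytes("UTF-8"));
        Files.write(new File(root, "secret.txt").toPath(), "not for Alice".getBytes("UTF-8"));

        ReadOnlyFile skinsDirectory = new ReadOnlyFile(skins.getPath());

        // Allowed: enumerate the skins; children keep the ReadOnlyFile role.
        for (File f : skinsDirectory.listFiles()) {
            System.out.println("skin file: " + f.getName() + " (" + f.getClass().getSimpleName() + ")");
        }
        // Refused: every route back to the parent directory yields null.
        System.out.println("parent via getParentFile(): " + skinsDirectory.getParentFile());
        System.out.println("parent via getAbsoluteFile(): " + skinsDirectory.getAbsoluteFile().getParentFile());
        System.out.println("parent via getCanonicalFile(): " + skinsDirectory.getCanonicalFile().getParentFile());
        // Refused: mutation through the role.
        try {
            skinsDirectory.listFiles()[0].delete();
        } catch (UnsupportedOperationException e) {
            System.out.println("delete refused: " + e.getMessage());
        }
    }
}
```

The subclass only closes the doors that java.io.File itself opens. Stream classes such as FileInputStream accept any File, and code that can name java.io.File directly can still build new paths, so the example relies on the SecurityManager restriction the mail describes to keep those out of Alice's reach.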