
Re: POSTing to LDPC and security

From: ashok malhotra <ashok.malhotra@oracle.com>
Date: Fri, 30 Jan 2015 09:40:23 -0500
Message-ID: <54CB97D7.2070201@oracle.com>
To: public-ldp@w3.org
Melvin:
Good point.  Hopefully the WG will start working on Access Control soon.
When we do, we should consider a default access control setting on create.


All the best, Ashok

On 1/30/2015 6:32 AM, Melvin Carvalho wrote:
> I'm using an LDPC as a webized version of a UNIX file system
>
> What I do is POST to an LDPC and look for the location field after creating a resource
>
> Then I add an ACL file to control access
>
> However I realized there is a short window where the file might not have the access control I want.  An attacker could subscribe to the container for notifications then intercept the message creating a race condition
>
> In the UNIX world inodes and files are closely coupled so the operation is atomic; this is not true in HTTP
>
> Maybe a better idea would be to use the UNIX equivalent of a umask to set default permissions
>
> Any thoughts on this?
Received on Friday, 30 January 2015 14:41:01 UTC
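
The window described in this thread, and the effect of a umask-style default applied at creation, as an added example that is not part of the original messages. It is a constructed in-memory model: `Container`, `post`, `put_acl`, `run` and the agent names are hypothetical and do not correspond to any LDP server or API.

```python
# Constructed in-memory model of a container with create notifications.
# Hypothetical names throughout; this is not an LDP implementation.
class Container:
    def __init__(self, default_acl=None):
        # umask-like default: extra agents allowed to read besides the creator.
        # None means the container has no default, so new resources start without an ACL.
        self.default_acl = default_acl
        self.resources = {}    # location -> (body, acl); acl None = readable by anyone
        self.subscribers = []  # callbacks invoked with the new location on create

    def post(self, owner, body):
        """Create a resource. Body and any default ACL are stored in one step."""
        location = f"/c/{len(self.resources) + 1}"
        acl = None if self.default_acl is None else set(self.default_acl) | {owner}
        self.resources[location] = (body, acl)
        for notify in self.subscribers:  # subscribers learn the location immediately
            notify(location)
        return location

    def put_acl(self, location, readers):
        """The separate, later request that attaches an ACL."""
        body, _ = self.resources[location]
        self.resources[location] = (body, set(readers))

    def get(self, agent, location):
        body, acl = self.resources[location]
        if acl is not None and agent not in acl:
            raise PermissionError(f"{agent} may not read {location}")
        return body


def run(default_acl):
    """Return (what a subscribed third party read on notification, what it read afterwards)."""
    c = Container(default_acl)
    seen = []

    def try_read(location):
        try:
            return c.get("third-party", location)
        except PermissionError:
            return None

    c.subscribers.append(lambda loc: seen.append(try_read(loc)))
    loc = c.post("melvin", "secret")   # request 1: create
    c.put_acl(loc, {"melvin"})         # request 2: restrict access
    return seen, try_read(loc)
```

With no default (`run(None)`) the subscriber reads the body between the two requests; with an empty default (`run(set())`) the resource is already restricted when the notification fires.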
