W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005

Re: Bindings and permissions

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 22 Dec 2005 14:22:04 +0100
Message-ID: <43AAA87C.5040101@gmx.de>
To: WebDav WG <w3c-dist-auth@w3.org>

> I was thinking about the bindings and permissions stuff today.  I've 
> discussed it before but this may be a new take on the subject.  Recall 
> we don't really know what the behavior is with dynamically inherited 
> ACLs (when a parent's ACLs automatically apply to its child resources) 
> when some of those children are bindings to resources that also have 
> bindings.  Some of the possible solutions to this:

We don't know that because that's beyond the scope of RFC3744. As far as
I can tell, the only inheritance mentioned over there is when ACEs or
ACLs are explicitly inherited from another resource, identified by URL.
*That* model is compatible with multiple bindings, because the
inheritance chain still is well-defined.

> ...
> It seems to me clients have no way of knowing which solution the server 
> has chosen and behavior can be quite unpredictable.  Is there some way 
> to advertise the server's model? Are some of these choices forbidden?  
> Of those that aren't forbidden, is one of them recommended?
> 
> It would be extremely surprising if the 'bind' privilege grants 
> somebody the ability to make a new mapping of a resource into a new 
> directory, AND that a consequence of that 'bind' operation is to change 
> the permissions on the underlying resource -- without requiring 
> 'writeacl' privilege.  Since that's a possible security hole, what 
> should that be -- a MUST NOT?  A security consideration?
> ...

I'm really not sure what you're asking for. This seems to be about a
server implementing an ACL model that's not compatible with RFC3744. In
which case neither RFC3744 nor BIND can hep you predicting the server's
behavior.

I guess I'm missing something; but I dunno what. Please explain.

Best regards, Julian
Received on Thursday, 22 December 2005 13:24:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:12 GMT