Re: POSTing to LDPC and security

> On 30 Jan 2015, at 15:33, Andrei Sambra <andrei@w3.org> wrote:
> 
> Hi Melvin,
> 
> First of all please bear in mind that the LDP group hasn't really
> tackled this topic. A note [1] was published re. UC&R for LDP and ACLs,
> so you may want to take a look at it. I hope it helps.
> 
> On 1/30/15 6:32 AM, Melvin Carvalho wrote:
>> I'm using an LDPC as a webized version of a UNIX file system
>> 
>> What I do is POST to an LDPC and look for the location field after
>> creating a resource
>> 
>> Then I add an ACL file to control access
>> 
>> However I realized there is a short window where the file might not have
>> the access control I want.  An attacker could subscribe to the container
>> for notifications then intercept the message creating a race condition
> 
> What you're saying is true, but I fear it's more of a theoretical
> problem rather than a practical one. Assuming the server uses HTTPS, an
> attacker won't be able to find out which resource you are creating so
> that they can set an ACL before you do, all in a time frame of about a
> second.

I think we have a method to set default ACLs for created resources.
http://www.w3.org/wiki/WebAccessControl
We should have one if not. Something I'd need to check on rww-play.

> 
>> 
>> In the UNIX world inodes and files are closely coupled so the operation
>> is atomic, this is not true in HTTP
>> 
>> Maybe a better idea would be to use the UNIX equivalent of a umask to
>> set default permissions
> 
> Normally, I would expect that a default ACL would be set for the master
> (root) container, blocking write access for everyone.
> 
>> 
>> Any thoughts on this?
> 
> -- Andrei
> 
> [1] http://www.w3.org/TR/ldp-acr/
> 

Social Web Architect
http://bblfish.net/

Received on Friday, 30 January 2015 14:40:43 UTC
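
An added illustration, not part of the original thread or of any LDP server's code: a toy in-memory model of the window discussed above. It compares a server that leaves a resource with no ACL open (an assumption of this model) with one that falls back to the nearest ancestor container's default ACL, the umask-like approach suggested in the thread. All names (`Store`, `window_check`, the agent URIs) are hypothetical.

```python
import posixpath

OWNER = "https://owner.example/card#me"   # constructed agent URIs
OTHER = "https://other.example/card#me"

class Store:
    """Toy LDP store; containers end in '/', ACLs are {agent: set of modes}."""
    def __init__(self, inherit_defaults):
        self.inherit_defaults = inherit_defaults
        self.acls = {}  # path -> {"own": acl, "default": acl for new children}

    def set_acl(self, path, own, default=None):
        self.acls[path] = {"own": own, "default": default or {}}

    def post(self, container, slug):
        # Creates the resource only; like the POST in the thread, no ACL yet.
        return container + slug  # value of the Location header

    def effective_acl(self, path):
        if path in self.acls:
            return self.acls[path]["own"]
        if not self.inherit_defaults:
            return None  # assumption: this server leaves ACL-less resources open
        parent = path
        while parent not in ("/", ""):  # walk up to the nearest container ACL
            parent = posixpath.dirname(parent.rstrip("/"))
            key = parent if parent == "/" else parent + "/"
            if key in self.acls:
                return self.acls[key]["default"]
        return {}  # nothing found up to the root: deny

    def allowed(self, agent, path, mode):
        acl = self.effective_acl(path)
        return True if acl is None else mode in acl.get(agent, set())

def window_check(inherit_defaults):
    """Return (other_writes_in_window, other_writes_after, owner_writes)."""
    store = Store(inherit_defaults)
    rw = {OWNER: {"Read", "Write"}}
    store.set_acl("/files/", own=rw, default=rw)
    loc = store.post("/files/", "note.ttl")
    in_window = store.allowed(OTHER, loc, "Write")  # after POST, before ACL write
    store.set_acl(loc, own=rw)
    return (in_window, store.allowed(OTHER, loc, "Write"),
            store.allowed(OWNER, loc, "Write"))

if __name__ == "__main__":
    print("no inheritance:  ", window_check(False))
    print("default ACL used:", window_check(True))
```

With inheritance enabled, the new resource is already covered by the container's default ACL when the `Location` is returned, so the later ACL write only narrows or customises access.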