Re: POSTing to LDPC and security

Melvin:
Good point.  Hopefully the WG will start working on Access Control soon.
When we do, we should consider a default access control setting on create.


All the best, Ashok

On 1/30/2015 6:32 AM, Melvin Carvalho wrote:
> I'm using an LDPC as a webized version of a UNIX file system
>
> What I do is POST to an LDPC and look for the location field after creating a resource
>
> Then I add an ACL file to control access
>
> However I realized there is a short window where the file might not have the access control I want.  An attacker could subscribe to the container for notifications then intercept the message creating a race condition
>
> In the UNIX world inodes and files are closely coupled so the operation is atomic, this is not true in HTTP
>
> Maybe a better idea would be to use the UNIX equivalent of a umask to set default permissions
>
> Any thoughts on this?

Received on Friday, 30 January 2015 14:41:01 UTC