RE: ACL and lockdiscovery from Geoffrey M Clemm on 2003-09-18 (w3c-dist-auth@w3.org from July to September 2003)

From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
Date: Thu, 18 Sep 2003 08:17:00 -0400
To: w3c-dist-auth@w3.org
Message-ID: <OF8F5468FC.6A169A14-ON85256DA5.00428C89-85256DA5.00437974@us.ibm.com>

That is not correct.  RFC-2518 explicitly states in
section 13.8 (where the DAV:lockdiscovery property is defined):

"The server is free to withhold any or all of this information
if the requesting principal does not have sufficient access rights
to see the requested data."

In particular, if the client does not have sufficient access
rights to UNLOCK the resource, a server could very reasonably
choose to hide the lock-token information.

In addition, a server for which locks have a reasonably
short maximum expiration may chose to never expose the lock tokens
(i.e. nobody has sufficient access rights to see the lock tokens).

Cheers,
Geoff

w3c-dist-auth-request@w3.org wrote on 09/17/2003 07:49:20 PM:

> 
> I'd also point out that the lockdiscovery property MUST contain
> all the lock tokens, regardless of access control settings.  This
> is not considered a security leak, because authorization is also
> needed to use a lock token.  So this is the server logic to apply
> whenever the client provides a lock token: 
> 
> Is this the same authorization context that took out the lock? 
>   Yes {
>    Allow the operation normally, provided the operation is 
>    allowed, and provided the lock token is correct and all
>    required lock tokens are provided, etc.
>   } No {
>    Is this an UNLOCK operation, with an authorization that
>    includes permission to delete others' locks?
>    Yes {
>       perform UNLOCK
>    } No {
>       Fail request
>    }
>   }
> 
> Lisa
> 
> > -----Original Message-----
> > From: w3c-dist-auth-request@w3.org 
> > [mailto:w3c-dist-auth-request@w3.org] On Behalf Of Eric Sedlar
> > Sent: Wednesday, September 17, 2003 11:17 AM
> > To: 'Horst Liermann'; w3c-dist-auth@w3.org
> > Subject: RE: ACL and lockdiscovery
> > 
> > 
> > 
> > The ACL spec hasn't defined a privilege specifically to 
> > control read access to the lockdiscovery property, or even a 
> > privilege to control access to all the privileges in total. 
> > An individual server implementation could provide such a 
> > privilege and aggregate it under <dav:read>, but this isn't required.
> > 
> > --Eric
> > 
> > > -----Original Message-----
> > > From: w3c-dist-auth-request@w3.org 
> > > [mailto:w3c-dist-auth-request@w3.org]
> > > On Behalf Of Horst Liermann
> > > Sent: Wednesday, September 17, 2003 10:08 AM
> > > To: 'w3c-dist-auth@w3.org'
> > > 
> > > 
> > > Hi all,
> > > 
> > > some questions about lockdiscovery and ACL's
> > > 
> > > Suppose, you have a server with WebDAV ( including lock) and it 
> > > support's ACL. What is the behavior for lockdiscovery, can 
> > I see all 
> > > lock token or am I only allowed to see the tokens where I 
> > am the owner 
> > > of the lock ? As far as I understand, lockdiscovery reports 
> > all locks. 
> > > Is this a security leak ?
> > > 
> > > Best Regards
> > >    Horst
> > 
> > 
> > 
> 
>

Received on Thursday, 18 September 2003 11:38:03 UTC