Using TWiki's ACLs to secure topic attachments
Problem
TWiki itself is not able to protect attachments to topics stored in the
pub subdirectory.
The typical answer to this problem was to maintain a .htaccess file under
pub that constrains access, and/or to serve attachments through an extra
viewfile cgi script. One could argue that attachments are at least obscured by a
view-restricted topic, as you need to know the attachment name and the directory
where it is stored.
This is all rather suboptimal, for several reasons: maintaining access control by editing a pub/.htaccess file
cannot mirror TWiki's ACLs, is redundant, and is not possible at all without a shell account.
Using a viewfile cgi is comparably slow and does not prevent general access to the pub subdirectory.
Relying on obscurity for security is not acceptable in many environments.
Solution
A solution is to use a PerlAccessHandler for mod_perl, so that TWiki's ACLs can be
checked per attachment. This is what PubAccess does.
How does it work
Access to an attachment is granted based on the
view access rights of the topic it is attached to.
A separate twiki engine is loaded into mod_perl and invoked by registering a PerlAccessHandler
for all files under the pub directory. The apache web server calls this handler whenever such a file
is to be served. The access procedure can be configured by defining
- PubAccess_AllowType <regex>: file extensions to permit without checking ACLs
- PubAccess_AllowWeb <regex>: webs to permit access to without checking ACLs
- PubAccess_AllowPattern <regex>: general pattern to check against the current web/topic/filename
This has proven useful, as most of the files under pub that the TWiki engine itself uses (javascript, CSS stylesheets and icons)
don't need a full ACL check, which comes with extra overhead.
The following steps take place for each file:
- check if the file type is permitted; return OK if it matches
- check if the web this file is attached to is permitted; return OK if it matches
- check if a pattern matches the web/topic/filename of the attachment; return OK if it matches
- initialize the twiki engine
- check the ACLs of the web.topic for the current remote user; return OK if access is granted
- return FORBIDDEN if the user is not allowed to view the current web.topic and thus all
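The steps above written out as a mod_perl 2 PerlAccessHandler. This is an added example and not the PubAccess contrib's own code; it assumes the package name TWiki::PubAccess, the TWiki 4 API (TWiki->new, TWiki::Func, $TWiki::cfg{PubDir}), a TWiki 4.1-style login manager that keeps a session cookie, and that the three PubAccess_* variables from this page are supplied with PerlSetVar. The httpd.conf fragment in the leading comment and its paths and regexes are constructed for the example.

```perl
# Added example, not the PubAccess contrib's own code. Implements the six
# steps above as a mod_perl 2 PerlAccessHandler. Assumed: package name,
# TWiki 4 API, PubAccess_* names supplied via PerlSetVar. Constructed
# httpd.conf fragment (paths and regexes are placeholders):
#
#   PerlRequire /var/www/twiki/bin/setlib.cfg      # puts lib/ on @INC
#   PerlModule  TWiki::PubAccess
#   <Location /twiki/pub>
#     PerlAccessHandler TWiki::PubAccess
#     PerlSetVar PubAccess_AllowType    "\.(css|js|gif|png|ico)$"
#     PerlSetVar PubAccess_AllowWeb     "^(TWiki|Main)$"
#     PerlSetVar PubAccess_AllowPattern "^Sandbox/[^/]+/public-"
#   </Location>
package TWiki::PubAccess;

use strict;
use warnings;
use Apache2::RequestRec  ();
use Apache2::RequestUtil ();   # provides $r->dir_config
use Apache2::Const -compile => qw(OK FORBIDDEN);
use CGI ();
use TWiki ();
use TWiki::Func ();

# Split the file system path of the requested file into (web, topic, file)
# relative to the pub directory. Returns an empty list for anything that is
# not pub/<web>/<topic>/<file>, including paths with ".." components, so
# such requests never reach the ACL check and are refused by the caller.
sub parse_pub_path {
    my ($filename, $pubdir) = @_;
    return () unless index($filename, "$pubdir/") == 0;
    my $rel = substr($filename, length($pubdir) + 1);
    return () if $rel =~ m{(^|/)\.\.(/|$)};
    # web may contain subwebs (Web/SubWeb), topic and file may not contain "/"
    my ($web, $topic, $file) = $rel =~ m{^((?:[^/]+/)*[^/]+)/([^/]+)/([^/]+)$};
    return () unless defined $file;
    return ($web, $topic, $file);
}

# Compile a PerlSetVar regex for this request; an unset or empty variable
# matches nothing, so a missing setting never opens anything up.
sub config_regex {
    my ($r, $name) = @_;
    my $re = $r->dir_config($name);
    return (defined $re && length $re) ? qr/$re/ : undef;
}

sub handler {
    my $r = shift;
    my ($web, $topic, $file) = parse_pub_path($r->filename, $TWiki::cfg{PubDir});
    return Apache2::Const::FORBIDDEN unless defined $file;

    # Steps 1-3: cheap short cuts that need no TWiki engine.
    my $type_re = config_regex($r, 'PubAccess_AllowType');
    return Apache2::Const::OK if $type_re && $file =~ $type_re;
    my $web_re = config_regex($r, 'PubAccess_AllowWeb');
    return Apache2::Const::OK if $web_re && $web =~ $web_re;
    my $pat_re = config_regex($r, 'PubAccess_AllowPattern');
    return Apache2::Const::OK if $pat_re && "$web/$topic/$file" =~ $pat_re;

    # Step 4: initialise the engine. Apache runs the access phase before its
    # own authentication phases, so $r->user is usually empty here; the CGI
    # object built from $r lets TWiki's login manager recover the user from
    # its session cookie instead (assumed: TWiki 4.1 login managers). With
    # neither, TWiki falls back to the guest user and its rights apply.
    my $twiki = TWiki->new($r->user, CGI->new($r));
    $TWiki::Plugins::SESSION = $twiki;   # TWiki::Func reads the session from here

    # Steps 5-6: the VIEW right on the topic decides access to the attachment.
    my $allowed = TWiki::Func::checkAccessPermission(
        'VIEW', TWiki::Func::getWikiName(), undef, $topic, $web);
    $twiki->finish() if $twiki->can('finish');   # release per-request state

    return $allowed ? Apache2::Const::OK : Apache2::Const::FORBIDDEN;
}

1;
```

Two things to check when deploying something like this: the AllowType short cut skips the ACL for every file of that type in every web, so a pattern such as `\.txt$` or `\.pdf$` would expose restricted attachments of that type, and the list should stay limited to the engine's own assets; and the handler only guards requests that Apache maps to the Location it is registered for, so pub must not be reachable through a second Alias, symlink or virtual host that lacks the handler.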
Remaining issues
- this only works for apache + mod_perl; other web servers are not supported
- performance: there is no need to fully initialize a twiki engine, i.e. including all enabled plugins, as only the remote user and the current ACLs need to be computed. One solution would be to install a separate bare-bones lib directory with no plugins installed at all. Better: disable plugins per call.
- this solution has not been stress-tested over a longer period. There might be perl memory leaks biting back, as have been reported recently (please prove me wrong).
Contrib Info