Security implications of ACL resources on different servers

solid / web-access-control-spec

Web Access Control (WAC)

https://solid.github.io/web-access-control-spec/

MIT License

121 stars 25 forks source link

Security implications of ACL resources on different servers #90

Open csarven opened 4 years ago

csarven commented 4 years ago

Rough text from auxiliary resource:

A given Solid resource MAY Link to auxiliary resources on a different server under a different authority, per the configuration of the Solid server on which that resource resides.

If that goes through...

This entails that an ACL resource can be on a different server.. and so raises security issues that should be addressed.

Will agent(s) controlling a resource on server-A be authorized to request write operations on the ACL on server-B? Ditto the application.
What should happen if/when remote ACL becomes inaccessible (for whatever reason for any period)?
What should happen if/when remote ACL is compromised?
Would the server need to be authenticated and authorized like any other agent in order to:
- name the ACL URI on different server, and making sure that the ACL can be created/modified (because it needs to have a link relation from primary resource to the ACL)
- delete the associated ACL on different server?

justinwb commented 4 years ago

See this comment on the pull request. TLDR; I think it's safe to remove this statement and do the inverse (which would resolve this issue). If we wanted to retain the flexibility in general, we could limit this specifically for ACLs. However, since we want to have default permission sets for auxiliary resources I think it's better to keep them on same server under the same authority.

csarven commented 4 years ago

Sharing this comment from @emmettownsend :

I suspect most of the auxiliary resources will need to be cached as they will be used at runtime by the server to make decisions on a per request basis. Therefore, if they are remote there needs to be a way to tell the server they have changed; otherwise the server will be using an out of date copy which will result in security holes.

Edit: To add to above, the server may also persist the rel=acl relation in the headers even after agents no longer having Control on the resource ie. the expectation being that only agents with Control can observe the relation.

quattro004 commented 3 years ago

If the ultimate question to resolve this issue is "Is MUST NOT too strong?" I would agree with @csarven, no it is not too strong. IMO security related information should not be ambiguous.

Also, regarding the statement following that "An auxiliary resource that resides on a Solid server MUST adhere to the same interaction model used by other regular Solid resources, except where specified in the definition of that auxiliary resource type." I think that the exceptional portion of the statement is open ended.

csarven commented 3 years ago

Moving this to WAC repo. There are some related considerations about Groups in https://github.com/solid/web-access-control-spec/blob/main/README-v0.5.0.md#group-listings---authentication-of-external-requests that can be taken up at the same time.

csarven commented 3 years ago

Noting that the current WAC Editor's Draft allows servers to associate resources and ACL resources, and they can be on different origins. See #web-origin-authorization #uri-origin .