Loading ...
Sorry, an error occurred while loading the content.

Security implemention question

Expand Messages
  • richard@crosswired.co.uk
    Hi all. I am working on an application for which there are two levels of user. User level 1 must upload files to the server, and user level 2 must be able to
    Message 1 of 5 , Jan 3, 2003
    • 0 Attachment
      Hi all.
      I am working on an application for which there are two levels of user.
      User level 1 must upload files to the server, and user level 2 must be able
      to download any files uploaded by users of level 1.
      I have already implemented page level security to restrict each level user to
      the pages for which they are authorised. My problem is that for user level 2
      to be able to download these files, they must be placed somewhere within the
      webroot. I want to prevent user level 1 from downloading these files as they
      are only intended for downloading by users of level 2.

      The only idea I had was to store all files outside of the webroot, and when a
      user of level 2 wants to download these files, they are copied to somewhere in
      the webroot, with a filename such as
      "$current-PID_$current-unixtime_$filename". Furthermore, periodically, (every
      hour for example), delete all files in this folder which are older than an
      hour.

      This way, by also preventing directory listing of this folder, the only way a
      user of level 1 could get these files would be to guess the PID, unix
      timestamp, and filename, all within an hour (before they are cleaned away
      again).
      This I dont think is very likely.

      Can anyone either point out any major problems with this approach, or
      alternatively (preferably), suggest a better alternative ?
      In case it makes any difference to peoples ideas/views, I am not using Apache
      for access control. Users authenticate against a database, then on each page
      they visit, their user level (taken from the session object) is checked
      against the access level required for that page.

      I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl 5.6.1

      Thanks for any advice / feedback

      Richard



      ---------------------------------------------------------------------
      To unsubscribe, e-mail: asp-unsubscribe@...
      For additional commands, e-mail: asp-help@...
    • Thanos Chatziathanassiou
      Hi Richard, Happy new year to the list, BTW. ... Since You already have the users level is the Session object, you can have an asp handle the downloads, like
      Message 2 of 5 , Jan 3, 2003
      • 0 Attachment
        Hi Richard,

        Happy new year to the list, BTW.

        richard@... wrote:

        >Can anyone either point out any major problems with this approach, or
        >alternatively (preferably), suggest a better alternative ?
        >In case it makes any difference to peoples ideas/views, I am not using Apache
        >for access control. Users authenticate against a database, then on each page
        >they visit, their user level (taken from the session object) is checked
        >against the access level required for that page.
        >
        Since You already have the users level is the Session object, you can
        have an asp handle the downloads, like this:
        - check if the user has the required level.
        - set $Response->{ContentType} to whatever it is you want
        - open the (out of the webroot) file and while reading it, output to
        the client.

        Now with this approach you will avoid the constant back and forth
        copying of files and
        the remote possibility that a user can guess the filename, but there are
        some drawbacks:
        - the ``heavy'' apache mod_perl process will be tied up for the duration
        of the download, so depending on your setup, the size of the download
        and the speed of the clients you might need more httpds running. The
        mod_perl guide can help you more on this - rather large - subject
        (http://perl.apache.org/docs/1.0/guide/index.html)

        I really don't know if the above is a better solution, just a thought.

        Regards,
        Thanos Chatziathanassiou



        ---------------------------------------------------------------------
        To unsubscribe, e-mail: asp-unsubscribe@...
        For additional commands, e-mail: asp-help@...
      • Theo Schlossnagle
        On Friday, Jan 3, 2003, at 04:59 US/Eastern, richard@crosswired.co.uk ... If you don t mind using you mod_perl instances to serve files (your site is low
        Message 3 of 5 , Jan 3, 2003
        • 0 Attachment
          On Friday, Jan 3, 2003, at 04:59 US/Eastern, richard@...
          wrote:
          > I have already implemented page level security to restrict each level
          > user to
          > the pages for which they are authorised. My problem is that for user
          > level 2
          > to be able to download these files, they must be placed somewhere
          > within the
          > webroot. I want to prevent user level 1 from downloading these files
          > as they
          > are only intended for downloading by users of level 2.
          >
          > [ ... snip ... ]
          >
          > I am using Apache::ASP (latest), mod_perl 1.99, Apache2 (latest), perl
          > 5.6.1
          >
          > Thanks for any advice / feedback

          If you don't mind using you mod_perl instances to serve files (your
          site is low traffic and this won't hurt you). Then write a mod_perl
          PerlAccessHandler to deny people access. Implement all of your login
          system in a PerlAuthenHandler. Then just have simple login page.

          There are some good example of this in the mod_perl cookbook.

          The big advantage of this is that you never really need to "know" how
          to auth someone to write another web page for your site. It is
          provided for you by your Authen handler before you page is ever loaded.

          Also, your Authen handler can do slick things like put an instance of a
          "User" object in the Apache request notes. and the "new" method for
          your User object can look there first... This allows you to blindly
          call:
          my $user = User->new();
          at the top of any ASP page and have full access to that user's object.
          And you _know_ it will be populated with valid data because they passed
          through your Authen/Access handlers and it was actually built in there
          -- of course, it does hurt to check ;-)

          --
          Theo Schlossnagle
          Principal Consultant
          OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
          Phone: +1 410 872 4910 x201 Fax: +1 410 872 4911
          1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
          2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7


          ---------------------------------------------------------------------
          To unsubscribe, e-mail: asp-unsubscribe@...
          For additional commands, e-mail: asp-help@...
        • Richard Curtis
          ... Apache ... page ... Sorry for taking so long to reply, but I had email issues . Thanks for this suggestion - it sounds like it will probably be just what
          Message 4 of 5 , Jan 8, 2003
          • 0 Attachment
            >Can anyone either point out any major problems with this approach, or
            > >alternatively (preferably), suggest a better alternative ?
            > >In case it makes any difference to peoples ideas/views, I am not using
            Apache
            > >for access control. Users authenticate against a database, then on each
            page
            > >they visit, their user level (taken from the session object) is checked
            > >against the access level required for that page.
            > >
            > Since You already have the users level is the Session object, you can
            > have an asp handle the downloads, like this:
            > - check if the user has the required level.
            > - set $Response->{ContentType} to whatever it is you want
            > - open the (out of the webroot) file and while reading it, output to
            > the client.

            ---

            Sorry for taking so long to reply, but I had email "issues".
            Thanks for this suggestion - it sounds like it will probably be just what I
            need.
            I have one further question though. Is there a list somewhere of all the
            "ContentTypes".
            Eg, if I am sending a word document, or a PDF, what is the content type ?

            Thanks
            Richard


            ---------------------------------------------------------------------
            To unsubscribe, e-mail: asp-unsubscribe@...
            For additional commands, e-mail: asp-help@...
          • Josh Chamas
            ... In your apache distribution, you should have the file mime.types. Here are a couple lines from that file: application/msword doc
            Message 5 of 5 , Jan 9, 2003
            • 0 Attachment
              Richard Curtis wrote:
              > >Can anyone either point out any major problems with this approach, or
              > ---
              >
              > Sorry for taking so long to reply, but I had email "issues".
              > Thanks for this suggestion - it sounds like it will probably be just what I
              > need.
              > I have one further question though. Is there a list somewhere of all the
              > "ContentTypes".
              > Eg, if I am sending a word document, or a PDF, what is the content type ?
              >

              In your apache distribution, you should have the file mime.types.
              Here are a couple lines from that file:

              application/msword doc
              application/pdf pdf

              Note, that for some browsers, they are not smart enough to
              know what this mime types tra pdf

              Note, that for some browsers, they are not smart enough to
              know what this mime types translate to, so you should also make sure
              to end the download URL with the document extension, like this:

              /download.asp?file=real_file_name.doc

              Especially for systems that associate extensions with applications,
              this can work pretty well.

              Regards,nslate to, so you should also make sure
              to end the download URL with the document extension, like this:

              /download.asp?file=real_file_name.doc

              Especially for systems that a pdf

              Note, that for some browsers, they are not smart enough to
              know what this mime types translate to, so you should also make sure
              to end the download URL with the document extension, like this:

              /download.asp?file=real_file_name.doc

              Especially for systems that associate extensions with applications,
              this can work pretty well.

              Regards,ssociate extensions with applications,
              this trick can work pretty well.

              Regards,

              Josh

              ________________________________________________________________
              Josh Chamas, Founder phone:925-552-0128
              Chamas Enterprises Inc. http://www.chamas.com
              NodeWorks Link Checking http://www.nodeworks.com


              ---------------------------------------------------------------------
              To unsubscribe, e-mail: asp-unsubscribe@...
              For additional commands, e-mail: asp-help@...
            Your message has been successfully submitted and would be delivered to recipients shortly.