Hi everyone!
This week I've been thinking about how to implement authorization in umitWeb. In other words, I've been trying to define a way to determine what users can or cannot do running nmap on UmitWeb (once UmitWeb every run as root on the server).
After few days I 'compiled' a mockup that how it will work. The mechanism is quite simple: each User will be assigned to a Role, and that role can have several Access Permissions. This appear to be an obvious way to do authorization. But how could access divided in permissions?
I found a way that I guess it's interesting: each Role will have definitions about details of command composition. For example, a Role to an user that can execute OS detection will have a permission to execute nmap with the '-O' parameter. In other hand, if a role doesn't have a permission that define the '-sV' command, users assigned to that role cannot do detection of service's versions.
The better way to find this option inside the nmap command line is comparing it with regular expressions. There are advantages to use regular expressions to indentify parts of a command. The permission definition can me written in an XML file (like options and profiles), and it can be extended by the user. For example, if a user like to create a new permission definition, He/she can easily do it by editing the security.xml and put inside it the properly regular expression associated with that permission.
I'm still thinking if the best way to store user roles is in XML files or a database. I have this issue to store users too. I'll realize tests and researches about security issues in each case.
Next week will be time to implement my thoughts and test it. Let's roll in the first official GSoC week. Here we go!
Sunday, May 27, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment