[11:17] *** #twiki-st: @PeterThoeny
[11:17] *** #twiki-st was created on Sun Feb 18 11:17:06 2007.
[13:01] *** Lavr has joined #twiki-st.
...snip...
[13:07] PeterThoeny: hmm, nobody else joining?
[13:07] PeterThoeny: shall we ask in #twiki?
[13:07] Lavr: Sure
[13:08] Lavr: CDot and Arthur are not even on IRC it seems
[13:08] PeterThoeny: arthur is in austria skiing
[13:08] PeterThoeny: for one week
[13:09] Lavr: Ah yes. That is right.
[13:09] PeterThoeny: i do not know about crawford
[13:09] Lavr: We know his opinion. Are you in doubt or have you made your mind up?
[13:10] *** ktwilight has joined #twiki-st.
[13:10] ktwilight: hi :)
[13:10] Lavr: Hi Welcome
[13:11] PeterThoeny: hi kwang
[13:11] PeterThoeny: kung hei fat choi
[13:11] ktwilight: hi peter
[13:11] ktwilight: thanks :)
[13:11] PeterThoeny: so far only kenneth and i are here from the security team
[13:11] ktwilight: surprised that you know :P
[13:11] ktwilight: ah k
[13:12] PeterThoeny: my wife is made in hong kong, i am made in switzerland
[13:12] ktwilight: oh i see! you should be out and about visiting
[13:12] PeterThoeny: we already gave out a much of red pocket money to kids
[13:12] ktwilight: we did ours yesterday :)
[13:12] ktwilight: cool!
[13:13] PeterThoeny: s/much/bunch/
[13:13] PeterThoeny: ok, i guess nobody else is joining
[13:13] PeterThoeny: so lets start
[13:14] PeterThoeny: first by collecting facts
[13:14] PeterThoeny: then brainstorm on the course of action
[13:14] PeterThoeny: and make a decision
[13:14] Lavr: OK
[13:14] *** randomize has joined #twiki-st.
[13:15] ktwilight: sure
[13:15] PeterThoeny: the key question is how to handle an empty * Set ALLOW(something)VIEW
[13:15] PeterThoeny: such as * Set ALLOWWEBVIEW =
[13:15] ktwilight: what's the default for commented Set ALLOW*VIEW?
[13:16] Lavr: When it is commented out it is not defined at all.
[13:16] Lavr: When you do a Set SOMEVAR =
[13:16] ktwilight: hm
[13:16] Lavr: then you define it to be ''
[13:16] PeterThoeny: cairo had this defined in default webs: * Set DENYWEBVIEW = * Set ALLOWWEBVIEW = * Set DENYWEBCHANGE = * Set ALLOWWEBCHANGE = * Set DENYWEBRENAME = * Set ALLOWWEBRENAME =
[13:17] Lavr: Yes. In Cairo having the variable not defined meant the same as having it defined to an empty string. I.e. ''
[13:17] PeterThoeny: so, DENYWEBVIEW, ALLOWWEBVIEW, etc have been set, but to an empty value
[13:17] PeterThoeny: exactly
[13:18] PeterThoeny: i designed it that way, i found this intuitive
[13:18] PeterThoeny: now on to dakar
[13:19] Lavr: And in both Cairo and Dakar all the important setting topics have explicitly defined * Set ALLOWXXXXX = TWikiAdminGroup
[13:19] PeterThoeny: during development of dakar in 2005, the spec was changed to mean that an empty ALLOWWEBVIEW is equal to setting it to the admin group
[13:19] Lavr: I have checked. We have never distributed a TWiki release where these topics were protected with * Set ALLOWXXX = (nothing)
[13:20] ktwilight: hm
[13:20] Lavr: So the damage we have done is that we have documented the new behaviour but actually never implemented it in a released version of TWiki.
[13:21] PeterThoeny: yes
[13:21] PeterThoeny: here is the timeline
[13:21] PeterThoeny: in early 2005 crawford changed the spec
[13:21] PeterThoeny: so code and doc had this new spec
[13:22] PeterThoeny: in aug 2005, thomas changed the implementation back to cairo spec with checkin 6011
[13:22] PeterThoeny: but the doc remained with the planned dakar spec change
[13:22] Lavr: important to note that none of these were released. Not even as betas.
[13:23] ktwilight: hm
[13:23] PeterThoeny: meaning that dakar and edinburgh shipped with code supporting the same original spec as cairo, but with doc that specifies something else
[13:24] Lavr: So the danger from a security point of view is that someone may have read the documents and set access rights accordingly without testing with a non-admin user account if it actually worked.
[13:24] PeterThoeny: i think that we have now accurately covered the facts
[13:25] *** xored has joined #twiki-st.
[13:25] xored: hello
[13:25] xored: When will the discussion start?
[13:25] ktwilight: started :)
[13:25] PeterThoeny: crawford's argument is this: "The original rationale for this change was precisely because users complained to me that this was counter-intuitive to them (normal people, not programmers)"
[13:26] PeterThoeny: hi xored
[13:26] Lavr: It is important to note that in all Dakar and Edinburgh releases TWiki.TWikiPreferences, TWiki.WebPreferences, Main.TWikiPreferences, and all other WebPreferences incl _default web had ALLOW and DENY protected by setting them to %MAINWEB%.TWikiAdminGroup
[13:27] PeterThoeny: yes, regardless of spec, this is good for educational purposes and for transparency
[13:27] PeterThoeny: any other facts we should state?
[13:27] Lavr: If we had shipped TWiki with these topics "protected" with blank settings we would have had a serious level 2 security case. But in my view this is not a level 2.
[13:27] PeterThoeny: before going on to solution and decision
[13:27] ktwilight: i'm interested in thomas' stand on this
[13:28] PeterThoeny: log entry of 6011: "Item214: Implemented InconsistenHandlingOfPreferences"
[13:29] PeterThoeny: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item214
[13:29] ktwilight: what inconsistency was thomas referring to?
[13:29] PeterThoeny: points to http://twiki.org/cgi-bin/view/Codev/InconsistentHandlingOfPreferences
[13:29] ktwilight: yup, reading.
[13:30] xored: (what is the exact topic / direction of the discussion?)
[13:30] Lavr: The topic does not seem to address this. But the code change had this result.
[13:31] Lavr: Probably because Thomas had not noted the spec change.
[13:31] Lavr: The spec change happened in a period of time where it was mainly Crawford that worked on the DEVELOP branch changing everything around.
[13:32] Lavr: Not meant negatively. But that was the situation.
[13:33] PeterThoeny: yes, exactly
[13:33] PeterThoeny: in that time it was primarily a one man show that changed a lot
[13:33] ktwilight: but it sounds like two different issues to me here. one is the flexibility of twiki and the other default security, am i right on this?
[13:34] PeterThoeny: xored: problem we are facing is that access control implementation and documentation is not the same for dakar
[13:34] PeterThoeny: and edinburgh
[13:34] PeterThoeny: access control implementation is consistent across all releases up to now
[13:34] Lavr: First we need to decide. Is this a level 1 or level 2 security issue? I believe not. I believe it is a 3.
[13:34] PeterThoeny: but doc changed since dakar
[13:34] Lavr: Important to how we have to react.
[13:35] PeterThoeny: ok, on triaging issue
[13:35] PeterThoeny: i think it is a level 3 with a twist
[13:35] PeterThoeny: level 3 means "handle as bug fix"
[13:35] PeterThoeny: but in this case i think we should send out a security advisory
[13:36] PeterThoeny: just to the twiki-announce
[13:36] PeterThoeny: not a public advisory
[13:36] PeterThoeny: we did that in the past
[13:36] Lavr: I was also thinking level 3 but we should send an announcement.
[13:36] ktwilight: same, i don't quite see the seriousness of this issue. though it would be great to get a clarification
[13:37] PeterThoeny: example security audit: http://twiki.org/cgi-bin/view/Codev/SecurityAuditOnVisibleLibDir
[13:37] PeterThoeny: http://twiki.org/cgi-bin/view/Codev/SecureTWikiPreferences
[13:38] PeterThoeny: ok, so we have an agreement that this is level 3 with twiki-announce alert (e.g. no public advisory)
[13:38] Lavr: Yes. That was also my proposal
[13:38] PeterThoeny: now to the big question:
[13:39] PeterThoeny: bug fix of code or of doc?
[13:39] PeterThoeny: crawford's opinion is code fix
[13:39] PeterThoeny: thomas is probably for doc fix
[13:40] PeterThoeny: i strongly suggest a doc fix because this is the lesser evil
[13:40] Lavr: I can live with both. None of them is a disaster. But my intuition says that the ALLOWXXXX should be set to something to be in effect.
[13:40] Lavr: It is also the doc update that will cause least pain for upgraders.
[13:40] PeterThoeny: yes
[13:40] ktwilight: true
[13:41] Lavr: The effect of changing the code is that no one can see any webs if your webs are from the Cairo days.
[13:41] Lavr: Which means you have to walk through all WebPreferences and comment out the Set ALLOWWEBXXXXX
[13:42] PeterThoeny: i know of 4 companies that have over 700 webs each
[13:43] Lavr: ktwilight, Randomize and xored: What are your feelings about it? What is the intuitive meaning?
[13:43] Lavr: Set ALLOWWEBVIEW =
[13:43] Lavr: Does that mean no one can view anything (except Admins who can see everything no matter what)
[13:43] Lavr: Or does it mean that it is not set and anyone can view?
[13:44] ktwilight: i would stick to the default in cairo, even though i don't use it. i think it's best to keep it that way. but would be good to highlight the security implications, i.e. set the necessary rights
[13:44] ktwilight: it's easier for the current twiki users/developers anywayz :)
[13:45] PeterThoeny: ktwilight: that is a good argument, yes. besides this, which is more intuitive?
[13:46] ktwilight: from the security point of view, the latter, i.e. default of dakar, only admins. who knows? we may err one day, and bang! everything is open.
[13:47] PeterThoeny: xored: what is your intuition on syntax?
[13:48] PeterThoeny: which one is "right" from your gut feel?
[13:48] PeterThoeny: (btw, i need to go in 5 min)
[13:48] Lavr: One of the arguments for the Cairo way is this....
[13:49] Lavr: We want the setting to be in WebPreferences per default so the admin knows that the setting is there and can see the syntax.
[13:49] Lavr: So we always had the * Set ALLOWWEBVIEW =
[13:50] Lavr: But with the Dakar spec we had to change that to * #Set ALLOWWEBVIEW =
[13:50] Lavr: This gives the danger that people leave it as
[13:50] Lavr: * #Set ALLOWWEBVIEW = MyGroup, MyOtherGroup
[13:51] PeterThoeny: and adds a layer of complexity
[13:51] Lavr: I have seen this error in real life.
[13:51] PeterThoeny: admins need to learn that # is a comment
[13:51] ktwilight: hm
[13:51] PeterThoeny: ok, it seems like we are in agreement to fix the doc, not the code
[13:52] Lavr: It is usually with ALLOWTOPICVIEW in a template document that I have seen people forgetting to remove the #
[13:52] PeterThoeny: i wish crawford were here so that he can comment
[13:52] ktwilight: why don't we wait till the next meeting?
[13:53] PeterThoeny: this is basically up to the security team
[13:53] Lavr: We have 3 choices!
[13:53] ktwilight: hn
[13:53] ktwilight: hm
[13:53] Lavr: 1. We change the code and release the changed code in 4.1.2
[13:54] Lavr: 2. We change the doc and release the changed doc in 4.1.2
[13:54] Lavr: 3. We change the doc and release this in 4.1.2. And later change the code/doc in 4.2.0.
[13:54] ktwilight: 3 can cause much confusion
[13:55] PeterThoeny: ktwilight: current security team members are PeterThoeny, SvenDowideit, RichardDonkin, KennethLavrsen
[13:55] ktwilight: hm
[13:55] PeterThoeny: but lately it is only kenneth and i who are active
[13:55] PeterThoeny: http://twiki.org/cgi-bin/view/Codev/SecurityTeam
[13:56] ktwilight: i would prefer to check out what is the common practice on setting permissions, then go with it. it's easier that way and also means that that's what people will generally do when they install a new twiki, or not.
[13:56] PeterThoeny: after collecting the facts today and discussing the options i feel we need option 2
[13:56] *** Lavr_ has joined #twiki-st.
[13:56] ktwilight: same
[13:57] PeterThoeny: ok, so we are on the same page
[13:57] Lavr_: Lavr's keyboard lost connection. Had to change computer :-)
[13:57] Lavr_: The good thing with option 2 is that it still leaves option 3 open later.
[13:57] Lavr_: If we go with option 1 we would look like suckers changing our mind again later
[13:57] PeterThoeny: hi randomize, & welcome, i missed you
[13:58] ktwilight: what is/are the benefit(s) of changing the code?
[13:58] Lavr_: Intuition is a difficult thing. Crawford thinks the changed code is more intuitive. And he says he has users that think the same.
[13:59] PeterThoeny: the only thing i can think of is if an admin reads the doc and sets an empty pref to lock down content
[13:59] Lavr_: Just asked my wife. She says "blank means everyone can view"
[13:59] Lavr_: So she likes 2
[13:59] Lavr_: But she never used TWiki :-)
[13:59] PeterThoeny: i think we have consensus here
[14:00] PeterThoeny: i will work on a security advisory
[14:00] PeterThoeny: and send out to twiki-announce
[14:00] ktwilight: :)
[14:00] PeterThoeny: not sure if i can do that today
[14:00] *** xored has signed off IRC ("... und tschüß").
[14:00] PeterThoeny: social event now, and this evening another
[14:00] PeterThoeny: and mon, tue skiing
[14:00] PeterThoeny: so probably on wed
[14:00] ktwilight: busy busy
[14:01] PeterThoeny: who is fixing the doc?
[14:01] Lavr_: I am sure Wednesday is OK.
[14:01] PeterThoeny: ok
[14:01] PeterThoeny: i gotta go now
[14:01] Lavr_: Shall I make an entry in KnownIssues right away?
[14:01] PeterThoeny: i will attach this log to the advisory (for transparency)
[14:02] PeterThoeny: s/advisory/security audit/
[14:02] Lavr_: Shall I make an entry in KnownIssues right away?
[14:02] PeterThoeny: no, better wait for security audit topic
[14:02] Lavr_: OK
[14:03] PeterThoeny: so that you can link to it
[14:03] ktwilight: sweet
[14:03] PeterThoeny: ttyl, we are late for the birthday party...
[14:03] ktwilight: :)
[14:03] ktwilight: go go go!
[14:03] ktwilight: have fun!
[14:03] Lavr_: See you - night all.
[14:03] Lavr_: And thanks for your opinions
[14:03] ktwilight: :)
[14:04] PeterThoeny: thanks all!
[14:04] * ktwilight waves