Group Name Guessing Disclosure Policy

David Lawrence dkl at redhat.com
Mon Jul 19 21:48:49 UTC 2010


Sounds fine to me.

On 7/19/10 5:38 PM, Max Kanat-Alexander wrote:
> 	Hey folks. So, right now we have a policy that goes like this:
>
> 	Group names are confidential. If somebody tries to guess a group name,
> we don't want to tell them whether or not that group name exists,
> because by guessing infinitely, they could discover confidential group
> names. So, if somebody tries to add or remove a group to a bug that
> doesn't exist, we fail silently.
>
> 	This is OK when the only interface for adding groups is the web UI,
> because you can't typo a group name or id--they're checkboxes! :-) So
> anybody mis-adding or removing a group is hacking the URL, and we don't
> care so much. But with 4.0 comes Bug.update, and the ability to add or
> remove groups from bugs using the API! Also, I believe email_in.pl will
> support adding groups in 4.0, so there's another opportunity for typos.
>
> 	Bug security is really important--far more important than protecting
> against guessing group names. Right now, according to our policy, if
> somebody typos a group name (or specifies a group name that can't be
> validly added to the bug), it will silently fail. This means that people
> will have bugs that they intended to be secure that are actually public,
> which is very bad.
>
> 	Now, a simple solution sounds like, "Oh, so we should just tell people
> that 'the group you specified either does not exist or you cannot see
> its name'." However, there are two problems with that:
>
> 	* There is actually no central way for being able to tell if somebody
> "can see the name" of a group. There are so many possible ways that a
> group's name could be seen (membership, othercontrol, permissions,
> inheritance, admin interfaces, etc.) that it would be nearly impossible
> to effectively write a single method that would tell us whether or not
> somebody can see a group's name or not.
>
> 	* The Group Controls are really complex. So if we have the same error
> for "this group doesn't exist" and "this group can't validly be added or
> removed from this product", then it will confuse the heck out of
> everyday Bugzilla administrators.
>
> 	So, I propose that we start explicitly telling people if a group
> doesn't exist, and then we explicitly tell them if they are trying to do
> something invalid with a group that *does* exist. This means that group
> names would be exposed if somebody managed to guess one, but I think
> that that is an acceptable fact, particularly if we relnote it for the
> upcoming 4.0 release, highlighted as a security change.
>
> 	Does this sound OK?
>
> 	-Max

-- 
David Lawrence, RHCE  dkl at redhat.com
------------------------------------
Red Hat, Inc.    Web: www.redhat.com
1801 Varsity Drive Raleigh, NC 27606

What happens when open source way is applied to the world? http://opensource.com
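The two failure modes Max describes (a group name that does not exist versus one that exists but cannot be set on the product), modelled as an added example in Python rather than Bugzilla's own Perl code; the group table, the per-product controls and the error class names are constructed for illustration and are not Bugzilla's real schema:

```python
from dataclasses import dataclass, field

# Constructed sample data: the set of defined groups and, per product, which
# groups may be set on its bugs (a stand-in for Bugzilla's group controls).
GROUPS = {"security", "legal", "internal"}
PRODUCT_GROUP_CONTROLS = {
    "Firefox": {"security", "internal"},
    "Website": {"legal"},
}

class GroupDoesNotExist(ValueError):
    """Explicit error: the named group is not defined at all."""

class GroupNotValidForProduct(ValueError):
    """Explicit error: the group exists but may not be set on this product's bugs."""

@dataclass
class Bug:
    product: str
    groups: set = field(default_factory=set)

def add_groups(bug, requested, explicit_errors):
    """Add groups to a bug and return the set of names actually applied.

    explicit_errors=False models the old policy: unknown or invalid names are
    dropped without telling the caller, so a typo leaves the bug public.
    explicit_errors=True models the proposed policy: each failure raises a
    distinct error, at the cost of confirming whether a group name exists.
    """
    applied = set()
    for name in requested:
        if name not in GROUPS:
            if explicit_errors:
                raise GroupDoesNotExist(f"group '{name}' does not exist")
            continue  # silent failure
        if name not in PRODUCT_GROUP_CONTROLS.get(bug.product, set()):
            if explicit_errors:
                raise GroupNotValidForProduct(
                    f"group '{name}' cannot be added to bugs in {bug.product}")
            continue  # silent failure
        bug.groups.add(name)
        applied.add(name)
    return applied

def is_public(bug):
    """A bug with no groups is visible to everyone."""
    return not bug.groups
```

Under the silent policy a typo such as "secuirty" applies nothing and the bug stays public with no indication to the caller; under the explicit policy the caller gets a different error for each case.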


