Access Control List (ACL) recommendations: configuring a negative role for users attacking a site

CONTEXT

I just read about Zend ACL: http://framework.zend.com/manual/en/zend.acl.html

Question

I am running three Zend applications on the same server.

  • My front end app
  • My Front End-Members App
  • My Back End App (Site Owner Administrator)

There are two kinds of ACL in these applications that I am considering:

  • Application-wide ACL permissions: the "ACLs" are simply "access" (or perhaps "read", or even "SendHTTPRequests")
  • Account-wide: all other permissions are left to separate, per-account ACLs

I think this will make it easier to block spammers and other attackers.

    // Pseudocode: when the activity-scoring specification says the user is probably
    // attacking, attach the "Attacker" role to that user
    if ($userActivityScoresHighProbabilityOfHackingSpecification->isSatisfiedBy($user)) {
        $user->addRole('Attacker');
    }

Perhaps with the rules something like this:

My access-control settings for external users:

  • Name = Attacker
  • Unique permissions = NONE
  • Inherits permissions from = N/A

  • Name = Guest
  • Unique permissions = SendHTTPRequests
  • Inherits permissions from = N/A

  • Name = Member
  • Unique permissions = SendHTTPRequests
  • Inherits permissions from = Guest

  • Name = Admin
  • Unique permissions = (ALL permissions)
  • Inherits permissions from = N/A

Other applications will have stricter rules prohibiting access to guests, etc.


So the question is:

Is assigning the role "Attacker" (a negative role) to a user who is hitting you a reasonable thing to do?

Or is this contrary to general best practice?

+4
4 answers

There are two approaches to using ACLs:

  • Deny everything by default, and grant access to resources only after checking blacklists/whitelists/permissions and whatever other checks you want.

  • Allow everything by default, and then deny access to the sensitive areas, where you only allow access after checks.

I usually prefer the first. The second option is better when you have small areas to protect and mostly public areas. Performing a check on every call adds some overhead to your application.

+4
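Both starting points from the answer above, written against Zend Framework 1's Zend_Acl, as an added example that is not part of the answer. Zend_Acl denies anything with no matching rule, so the first model is its native mode; the second is built from a blanket allow() followed by deny() rules. The resource names ('site', 'members-area', 'backend') and the role table are taken from the question; everything else is an assumption.

```php
<?php
// Added example (not from the original answer): both ACL starting points in
// Zend Framework 1's Zend_Acl. Resource names are illustrative; the roles and
// the SendHTTPRequests privilege follow the question's role table.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Model 1: deny everything by default, grant only what each role needs.
// Zend_Acl already denies any (role, resource, privilege) with no matching rule.
$closed = new Zend_Acl();
$closed->addRole(new Zend_Acl_Role('guest'))
       ->addRole(new Zend_Acl_Role('member'), 'guest')   // member inherits guest's grants
       ->addRole(new Zend_Acl_Role('admin'));            // admin inherits nothing
$closed->addResource(new Zend_Acl_Resource('site'))
       ->addResource(new Zend_Acl_Resource('members-area'))
       ->addResource(new Zend_Acl_Resource('backend'));

$closed->allow('guest', 'site', 'SendHTTPRequests');          // the question's Guest row
$closed->allow('member', 'members-area', 'SendHTTPRequests'); // extra grant for members
$closed->allow('admin');                                      // all resources, all privileges

var_dump($closed->isAllowed('guest',  'site',         'SendHTTPRequests')); // bool(true)
var_dump($closed->isAllowed('member', 'site',         'SendHTTPRequests')); // bool(true), via guest
var_dump($closed->isAllowed('guest',  'members-area', 'SendHTTPRequests')); // bool(false): no rule
var_dump($closed->isAllowed('member', 'backend',      'SendHTTPRequests')); // bool(false): no rule
var_dump($closed->isAllowed('admin',  'backend',      'SendHTTPRequests')); // bool(true)
// Nothing had to be written to keep guests out of 'backend': a resource you
// forget to mention is closed, which is the fail-safe property of model 1.

// Model 2: allow everything, then carve out the sensitive area.
$open = new Zend_Acl();
$open->addRole(new Zend_Acl_Role('guest'))
     ->addRole(new Zend_Acl_Role('admin'));
$open->addResource(new Zend_Acl_Resource('site'))
     ->addResource(new Zend_Acl_Resource('backend'));

$open->allow();                    // every role, every resource, every privilege
$open->deny('guest', 'backend');   // the protected area: guests denied everything there

var_dump($open->isAllowed('guest', 'site',    'SendHTTPRequests')); // bool(true)
var_dump($open->isAllowed('guest', 'backend', 'SendHTTPRequests')); // bool(false)
var_dump($open->isAllowed('admin', 'backend', 'SendHTTPRequests')); // bool(true), from the blanket allow
// Here a resource you forget to deny is open to everyone, so model 2 only
// pays off when the protected surface is small and well known.
```

The check on every request is the same `isAllowed()` call in both models; the difference is what happens for the resource nobody wrote a rule for.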

After a few days of reflection, here is my answer to my own question above:

Is assigning the role "Attacker" (a negative role) to a user who is hitting you a reasonable thing to do?

My answer:

No, this is a very stupid thing.

Why?

In addition to the points raised by koen and Robert Harvey:

An ACL allows roles to be inherited, so having both positive AND negative roles creates more opportunity for complexity and conflict when both roles become applicable to a situation.

I mean "positive" in the sense of:

  • "only let someone do something if they ARE this role"

as opposed to "negative" in the sense of:

  • "only let someone do something if they are NOT this role"

So if you are going to add a role to identify a "hacker", it is better to keep it positive (negating the negation), i.e. "NOT A HACKER", or rename it: "FriendlyUser".

All positive:

  • + Role1: FriendlyUser
  • + Role2: Guest
  • + Role3: Member
  • + Role4: Admin

In contrast to mixed:

  • - Role1: Hacker
  • + Role2: Guest
  • + Role3: Member
  • + Role4: Admin

The second list of roles is much more confusing.

+2
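Why the mixed list is "more confusing" in practice, as an added example (not part of the answer) against Zend Framework 1's Zend_Acl. Zend_Acl has no per-user role list, so "this member is also an attacker" can only be expressed by giving the user's own role two parents; the user-role names and deny rules are assumptions, and the result comments describe ZF 1.x's isAllowed() resolution as I read it, so verify them against the version you run.

```php
<?php
// Added example (not from the original answer): a negative "attacker" role
// combined with role inheritance in Zend Framework 1's Zend_Acl. Role and
// resource names are illustrative. The result comments follow ZF 1.x's
// isAllowed() resolution as I read it; check against your version.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

$mixed = new Zend_Acl();
$mixed->addRole(new Zend_Acl_Role('guest'))
      ->addRole(new Zend_Acl_Role('member'), 'guest')
      ->addRole(new Zend_Acl_Role('attacker'));        // the proposed negative role
$mixed->addResource(new Zend_Acl_Resource('site'));

$mixed->allow('guest', 'site', 'SendHTTPRequests');
$mixed->deny('attacker');                               // "Unique permissions = NONE"

// Two users, flagged identically, differing only in the order the parents
// were listed when the "attacker" role was attached:
$mixed->addRole(new Zend_Acl_Role('user:42'), array('member', 'attacker'));
$mixed->addRole(new Zend_Acl_Role('user:43'), array('attacker', 'member'));

// Surprise 1: the blanket deny on 'attacker' is registered for "all resources",
// and Zend_Acl consults rules on the specific resource 'site' first. The allow
// inherited via member -> guest is found there, so both flagged users get in.
var_dump($mixed->isAllowed('user:42', 'site', 'SendHTTPRequests')); // bool(true)
var_dump($mixed->isAllowed('user:43', 'site', 'SendHTTPRequests')); // bool(true)

// Surprise 2: make the deny resource-specific and the answer now depends on
// parent order (the last-listed parent is searched first).
$mixed->deny('attacker', 'site', 'SendHTTPRequests');
var_dump($mixed->isAllowed('user:42', 'site', 'SendHTTPRequests')); // bool(false)
var_dump($mixed->isAllowed('user:43', 'site', 'SendHTTPRequests')); // bool(true)

// All-positive version: nothing is ever denied, grants hang off FriendlyUser,
// and a flagged user simply stops inheriting from it.
$positive = new Zend_Acl();
$positive->addRole(new Zend_Acl_Role('friendlyuser'))
         ->addRole(new Zend_Acl_Role('guest'), 'friendlyuser')
         ->addRole(new Zend_Acl_Role('member'), 'guest');
$positive->addResource(new Zend_Acl_Resource('site'));
$positive->allow('friendlyuser', 'site', 'SendHTTPRequests');

/**
 * Assumed application logic: the suspicion check decides which single role the
 * session carries. A flagged user gets a parent-less role, which under
 * deny-by-default holds no grants, with no conflicting rule to resolve.
 */
function roleFor(Zend_Acl $acl, $userId, $flagged)
{
    $roleId = 'user:' . $userId;
    $acl->addRole(new Zend_Acl_Role($roleId), $flagged ? null : 'member');
    return $roleId;
}
var_dump($positive->isAllowed(roleFor($positive, 44, false), 'site', 'SendHTTPRequests')); // bool(true)
var_dump($positive->isAllowed(roleFor($positive, 45, true),  'site', 'SendHTTPRequests')); // bool(false)
```

The two "surprises" are both legitimate Zend_Acl behaviour; the point is that once a deny rule and an inherited allow can both apply to one user, you have to know the engine's precedence rules to predict the outcome, whereas the all-positive version has only grants and a default deny.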

Users are often behind a shared IP address, so I'm not sure how practical it is to ban users by IP.

If this is about filling in forms, spammers are best stopped with a CAPTCHA.

+1

The problem I see with assigning a role based on what the user does/has is that it hard-codes the rules in your code. The implicit rule in your example is:

    deny user access when user has property/behaviour X

The way to see that this is hard-coded is to ask yourself what happens when you want to adjust it. Suppose you find the suspicious-behaviour check is too strict and want to tolerate more; then you have to go into the .php file and change it.

I think it is best to look at the assertion part of the manual:

http://framework.zend.com/manual/en/zend.acl.advanced.html

Depending on your specific needs, this may be a good solution.

edit: reply to comment → I appreciate what you are doing. I think this shows why RBAC will be replaced by more powerful access controls such as attribute-based access control. That allows rules based on attributes of the user and of the objects/resources under control. Ideally you want the access control to contain as much as possible of the logic that decides permissions. When you assign roles to users implicitly, some of the decisions lie outside the access control (for example, which user is the administrator is mostly determined by things like who owns the website). But you want to minimise decision making outside the ACL, because it adds a level of access control that the ACL does not control. So the decision of who gets a role is often implicit and outside the ACL. But it is still access control, defined by some logic, and it is best to keep as much of that logic as possible inside the program that is responsible for handling this domain. Hope this mess makes sense :-)

+1
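What the assertion section of the manual lets you do with the rule from this answer, as an added example that is not part of the answer: the suspicious-behaviour threshold becomes a parameter of one ACL rule instead of an if-statement next to the role assignment, and the user's attributes are read by the ACL itself. The ScoredUserRole class, the score source and the threshold value are assumptions; Zend_Acl_Assert_Interface and passing a role object to isAllowed() are Zend Framework 1 features.

```php
<?php
// Added example (not from the original answer): the "deny when the user has
// property X" rule expressed as a Zend_Acl assertion in Zend Framework 1, so
// the threshold is data on the rule rather than an if-statement in a .php file.
// ScoredUserRole, the score source and the threshold value are assumptions.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Role/Interface.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Resource/Interface.php';
require_once 'Zend/Acl/Assert/Interface.php';

/**
 * The logged-in user, presented to Zend_Acl as a role. getRoleId() returns a
 * registered role name so the ACL can walk the hierarchy; the score is the
 * attribute the assertion reads (assumed to come from your activity scoring).
 */
class ScoredUserRole implements Zend_Acl_Role_Interface
{
    private $_roleId;
    private $_score;

    public function __construct($roleId, $suspicionScore)
    {
        $this->_roleId = $roleId;
        $this->_score  = $suspicionScore;
    }

    public function getRoleId()
    {
        return $this->_roleId;
    }

    public function getSuspicionScore()
    {
        return $this->_score;
    }
}

/** Lets a grant apply only while the user's suspicion score is below a threshold. */
class NotSuspiciousAssertion implements Zend_Acl_Assert_Interface
{
    private $_threshold;

    public function __construct($threshold)
    {
        $this->_threshold = $threshold;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: a role that carries no score cannot satisfy the assertion.
        if (!($role instanceof ScoredUserRole)) {
            return false;
        }
        return $role->getSuspicionScore() < $this->_threshold;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'))
    ->addRole(new Zend_Acl_Role('member'), 'guest');
$acl->addResource(new Zend_Acl_Resource('site'));

// Tuning the sensitivity is now a change to this number (read it from
// Zend_Config, for instance), not an edit to the code that assigns roles.
$threshold = 50;
$acl->allow('guest', 'site', 'SendHTTPRequests', new NotSuspiciousAssertion($threshold));

// Pass the user object itself: Zend_Acl resolves the hierarchy by its role id
// and hands that same object to the assertion when the inherited rule matches.
var_dump($acl->isAllowed(new ScoredUserRole('member', 12), 'site', 'SendHTTPRequests')); // bool(true)
var_dump($acl->isAllowed(new ScoredUserRole('member', 80), 'site', 'SendHTTPRequests')); // bool(false)
// When the assertion fails the rule is skipped; with nothing else granting the
// privilege, Zend_Acl's default deny applies, and no "attacker" role is needed.
```

The assertion runs on every matching isAllowed() call, so whatever produces the score should be cheap to read at request time (a value already on the session or user record, not a fresh query over the activity log).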
