Tech-invite3GPPspaceIETF RFCsSIP
929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 3744

Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol

Pages: 72
Proposed Standard
Errata
Part 4 of 4 – Pages 60 to 72
First   Prev   None

Top   ToC   RFC3744 - Page 60   prevText

12. Security Considerations

Applications and users of this access control protocol should be aware of several security considerations, detailed below. In addition to the discussion in this document, the security considerations detailed in the HTTP/1.1 specification [RFC2616], the WebDAV Distributed Authoring Protocol specification [RFC2518], and the XML Media Types specification [RFC3023] should be considered in a security analysis of this protocol.

12.1. Increased Risk of Compromised Users

In the absence of a mechanism for remotely manipulating access control lists, if a single user's authentication credentials are compromised, only those resources for which the user has access permission can be read, modified, moved, or deleted. With the introduction of this access control protocol, if a single compromised user has the ability to change ACLs for a broad range of other users (e.g., a super-user), the number of resources that could be altered by a single compromised user increases. This risk can be mitigated by limiting the number of people who have write-acl privileges across a broad range of resources.

12.2. Risks of the DAV:read-acl and DAV:current-user-privilege-set Privileges

The ability to read the access privileges (stored in the DAV:acl property), or the privileges permitted the currently authenticated user (stored in the DAV:current-user-privilege-set property) on a resource may seem innocuous, since reading an ACL cannot possibly affect the resource's state. However, if all resources have world- readable ACLs, it is possible to perform an exhaustive search for those resources that have inadvertently left themselves in a vulnerable state, such as being world-writable. In particular, the property retrieval method PROPFIND, executed with Depth infinity on an entire hierarchy, is a very efficient way to retrieve the DAV:acl or DAV:current-user-privilege-set properties. Once found, this vulnerability can be exploited by a denial of service attack in which the open resource is repeatedly overwritten. Alternately, writable resources can be modified in undesirable ways.
Top   ToC   RFC3744 - Page 61
   To reduce this risk, read-acl privileges should not be granted to
   unauthenticated principals, and restrictions on read-acl and read-
   current-user-privilege-set privileges for authenticated principals
   should be carefully analyzed when deploying this protocol.  Access to
   the current-user-privilege-set property will involve a tradeoff of
   usability versus security.  When the current-user-privilege-set is
   visible, user interfaces are expected to provide enhanced information
   concerning permitted and restricted operations, yet this information
   may also indicate a vulnerability that could be exploited.
   Deployment of this protocol will need to evaluate this tradeoff in
   light of the requirements of the deployment environment.

12.3. No Foreknowledge of Initial ACL

In an effort to reduce protocol complexity, this protocol specification intentionally does not address the issue of how to manage or discover the initial ACL that is placed upon a resource when it is created. The only way to discover the initial ACL is to create a new resource, then retrieve the value of the DAV:acl property. This assumes the principal creating the resource also has been granted the DAV:read-acl privilege. As a result, it is possible that a principal could create a resource, and then discover that its ACL grants privileges that are undesirable. Furthermore, this protocol makes it possible (though unlikely) that the creating principal could be unable to modify the ACL, or even delete the resource. Even when the ACL can be modified, there will be a short period of time when the resource exists with the initial ACL before its new ACL can be set. Several factors mitigate this risk. Human principals are often aware of the default access permissions in their editing environments and take this into account when writing information. Furthermore, default privilege policies are usually very conservative, limiting the privileges granted by the initial ACL.

13. Authentication

Authentication mechanisms defined for use with HTTP and WebDAV also apply to this WebDAV Access Control Protocol, in particular the Basic and Digest authentication mechanisms defined in [RFC2617]. Implementation of the ACL spec requires that Basic authentication, if used, MUST only be supported over secure transport such as TLS.
Top   ToC   RFC3744 - Page 62

14. IANA Considerations

This document uses the namespace defined by [RFC2518] for XML elements. That is, this specification uses the "DAV:" URI namespace, previously registered in the URI schemes registry. All other IANA considerations mentioned in [RFC2518] are also applicable to this specification.

15. Acknowledgements

This protocol is the collaborative product of the WebDAV ACL design team: Bernard Chester, Geoff Clemm, Anne Hopkins, Barry Lind, Sean Lyndersay, Eric Sedlar, Greg Stein, and Jim Whitehead. The authors are grateful for the detailed review and comments provided by Jim Amsden, Dylan Barrell, Gino Basso, Murthy Chintalapati, Lisa Dusseault, Stefan Eissing, Tim Ellison, Yaron Goland, Dennis Hamilton, Laurie Harper, Eckehard Hermann, Ron Jacobs, Chris Knight, Remy Maucherat, Larry Masinter, Joe Orton, Peter Raymond, and Keith Wannamaker. We thank Keith Wannamaker for the initial text of the principal property search sections. Prior work on WebDAV access control protocols has been performed by Yaron Goland, Paul Leach, Lisa Dusseault, Howard Palmer, and Jon Radoff. We would like to acknowledge the foundation laid for us by the authors of the DeltaV, WebDAV and HTTP protocols upon which this protocol is layered, and the invaluable feedback from the WebDAV working group.

16. References

16.1. Normative References

[REC-XML] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, "Extensible Markup Language (XML) 1.0 ((Third ed)", W3C REC REC-xml-20040204, February 2004, <http://www.w3.org/TR/2004/REC-xml-20040204>. [REC-XML-INFOSET] Cowan, J. and R. Tobin, "XML Information Set (Second Edition)", W3C REC REC-xml-infoset- 20040204, February 2004, <http://www.w3.org/TR/2004/REC-xml-infoset- 20040204/>. [REC-XML-NAMES] Bray, T., Hollander, D. and A. Layman, "Namespaces in XML", W3C REC REC-xml-names-19990114, January 1999, <http://www.w3.org/TR/1999/REC-xml-names- 19990114>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
Top   ToC   RFC3744 - Page 63
   [RFC2518]         Goland, Y., Whitehead, E., Faizi, A., Carter, S.
                     and D. Jensen, "HTTP Extensions for Distributed
                     Authoring -- WEBDAV", RFC 2518, February 1999.

   [RFC2616]         Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
                     Masinter, L., Leach, P. and T. Berners-Lee,
                     "Hypertext Transfer Protocol -- HTTP/1.1", RFC
                     2616, June 1999.

   [RFC2617]         Franks, J., Hallam-Baker, P., Hostetler, J.,
                     Lawrence, S., Leach, P., Luotonen, A. and L.
                     Stewart, "HTTP Authentication: Basic and Digest
                     Access Authentication", RFC 2617, June 1999.

   [RFC3023]         Murata, M., St.Laurent, S. and D. Kohn, "XML Media
                     Types", RFC 3023, January 2001.

   [RFC3253]         Clemm, G., Amsden, J., Ellison, T., Kaler, C. and
                     J. Whitehead, "Versioning Extensions to WebDAV",
                     RFC 3253, March 2002.

   [RFC3530]         Shepler, S., Ed., Callaghan, B., Robinson, D.,
                     Thurlow, R., Beame, C., Eisler, M. and D. Noveck,
                     "Network File System (NFS) version 4 Protocol", RFC
                     3530, April 2003.

   [RFC3629]         Yergeau, F., "UTF-8, a transformation format of ISO
                     10646", STD 63, RFC 3629 November 2003.

16.2. Informative References

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [RFC2255] Howes, T. and M. Smith, "The LDAP URL Format", RFC 2255, December 1997. [UNICODE4] The Unicode Consortium, "The Unicode Standard - Version 4.0", Addison-Wesley , August 2003, <http://www.unicode.org/versions/Unicode4.0.0/>. ISBN 0321185781.
Top   ToC   RFC3744 - Page 64

Appendix A. WebDAV XML Document Type Definition Addendum

All XML elements defined in this Document Type Definition (DTD) belong to the DAV namespace. This DTD should be viewed as an addendum to the DTD provided in [RFC2518], section 23.1. <!-- Privileges -- (Section 3)> <!ELEMENT read EMPTY> <!ELEMENT write EMPTY> <!ELEMENT write-properties EMPTY> <!ELEMENT write-content EMPTY> <!ELEMENT unlock EMPTY> <!ELEMENT read-acl EMPTY> <!ELEMENT read-current-user-privilege-set EMPTY> <!ELEMENT write-acl EMPTY> <!ELEMENT bind EMPTY> <!ELEMENT unbind EMPTY> <!ELEMENT all EMPTY> <!-- Principal Properties (Section 4) --> <!ELEMENT principal EMPTY> <!ELEMENT alternate-URI-set (href*)> <!ELEMENT principal-URL (href)> <!ELEMENT group-member-set (href*)> <!ELEMENT group-membership (href*)> <!-- Access Control Properties (Section 5) --> <!-- DAV:owner Property (Section 5.1) --> <!ELEMENT owner (href?)> <!-- DAV:group Property (Section 5.2) --> <!ELEMENT group (href?)> <!-- DAV:supported-privilege-set Property (Section 5.3) --> <!ELEMENT supported-privilege-set (supported-privilege*)> <!ELEMENT supported-privilege (privilege, abstract?, description, supported-privilege*)> <!ELEMENT privilege ANY> <!ELEMENT abstract EMPTY> <!ELEMENT description #PCDATA>
Top   ToC   RFC3744 - Page 65
   <!-- DAV:current-user-privilege-set Property (Section 5.4) -->

   <!ELEMENT current-user-privilege-set (privilege*)>

   <!-- DAV:acl Property (Section 5.5) -->

   <!ELEMENT acl (ace)* >
   <!ELEMENT ace ((principal | invert), (grant|deny), protected?,
    inherited?)>

   <!ELEMENT principal (href)
    | all | authenticated | unauthenticated
    | property | self)>

   <!ELEMENT all EMPTY>
   <!ELEMENT authenticated EMPTY>
   <!ELEMENT unauthenticated EMPTY>
   <!ELEMENT property ANY>
   <!ELEMENT self EMPTY>

   <!ELEMENT invert principal>

   <!ELEMENT grant (privilege+)>
   <!ELEMENT deny (privilege+)>
   <!ELEMENT privilege ANY>

   <!ELEMENT protected EMPTY>

   <!ELEMENT inherited (href)>

   <!-- DAV:acl-restrictions Property (Section 5.6) -->

   <!ELEMENT acl-restrictions (grant-only?, no-invert?,
    deny-before-grant?, required-principal?)>

   <!ELEMENT grant-only EMPTY>
   <!ELEMENT no-invert EMPTY>
   <!ELEMENT deny-before-grant EMPTY>

   <!ELEMENT required-principal
    (all? | authenticated? | unauthenticated? | self? | href*
    |property*)>

   <!-- DAV:inherited-acl-set Property (Section 5.7) -->

   <!ELEMENT inherited-acl-set (href*)>

   <!-- DAV:principal-collection-set Property (Section 5.8) -->
Top   ToC   RFC3744 - Page 66
   <!ELEMENT principal-collection-set (href*)>

   <!-- Access Control and Existing Methods (Section 7) -->

   <!ELEMENT need-privileges (resource)* >
   <!ELEMENT resource ( href, privilege )

   <!-- ACL method preconditions (Section 8.1.1) -->

   <!ELEMENT no-ace-conflict EMPTY>
   <!ELEMENT no-protected-ace-conflict EMPTY>
   <!ELEMENT no-inherited-ace-conflict EMPTY>
   <!ELEMENT limited-number-of-aces EMPTY>
   <!ELEMENT grant-only EMPTY>
   <!ELEMENT no-invert EMPTY>
   <!ELEMENT deny-before-grant EMPTY>
   <!ELEMENT no-abstract EMPTY>
   <!ELEMENT not-supported-privilege EMPTY>
   <!ELEMENT missing-required-principal EMPTY>
   <!ELEMENT recognized-principal EMPTY>
   <!ELEMENT allowed-principal EMPTY>

   <!-- REPORTs (Section 9) -->

   <!ELEMENT acl-principal-prop-set ANY>
   ANY value: a sequence of one or more elements, with at most one
   DAV:prop element.

   <!ELEMENT principal-match ((principal-property | self), prop?)>
   <!ELEMENT principal-property ANY>
   ANY value: an element whose value identifies a property. The
   expectation is the value of the named property typically contains
   an href element that contains the URI of a principal
   <!ELEMENT self EMPTY>

   <!ELEMENT principal-property-search ((property-search+), prop?) >
   <!ELEMENT property-search (prop, match) >
   <!ELEMENT match #PCDATA >

   <!ELEMENT principal-search-property-set (
    principal-search-property*) >
   <!ELEMENT principal-search-property (prop, description) >
   <!ELEMENT description #PCDATA >
Top   ToC   RFC3744 - Page 67

Appendix B. WebDAV Method Privilege Table (Normative)

The following table of WebDAV methods (as defined in RFC 2518, 2616, and 3253) clarifies which privileges are required for access for each method. Note that the privileges listed, if denied, MUST cause access to be denied. However, given that a specific implementation MAY define an additional custom privilege to control access to existing methods, having all of the indicated privileges does not mean that access will be granted. Note that lack of the indicated privileges does not imply that access will be denied, since a particular implementation may use a sub-privilege aggregated under the indicated privilege to control access. Privileges required refer to the current resource being processed unless otherwise specified.
Top   ToC   RFC3744 - Page 68
   +---------------------------------+---------------------------------+
   | METHOD                          | PRIVILEGES                      |
   +---------------------------------+---------------------------------+
   | GET                             | <D:read>                        |
   | HEAD                            | <D:read>                        |
   | OPTIONS                         | <D:read>                        |
   | PUT (target exists)             | <D:write-content> on target     |
   |                                 | resource                        |
   | PUT (no target exists)          | <D:bind> on parent collection   |
   |                                 | of target                       |
   | PROPPATCH                       | <D:write-properties>            |
   | ACL                             | <D:write-acl>                   |
   | PROPFIND                        | <D:read> (plus <D:read-acl> and |
   |                                 | <D:read-current-user-privilege- |
   |                                 | set> as needed)                 |
   | COPY (target exists)            | <D:read>, <D:write-content> and |
   |                                 | <D:write-properties> on target  |
   |                                 | resource                        |
   | COPY (no target exists)         | <D:read>, <D:bind> on target    |
   |                                 | collection                      |
   | MOVE (no target exists)         | <D:unbind> on source collection |
   |                                 | and <D:bind> on target          |
   |                                 | collection                      |
   | MOVE (target exists)            | As above, plus <D:unbind> on    |
   |                                 | the target collection           |
   | DELETE                          | <D:unbind> on parent collection |
   | LOCK (target exists)            | <D:write-content>               |
   | LOCK (no target exists)         | <D:bind> on parent collection   |
   | MKCOL                           | <D:bind> on parent collection   |
   | UNLOCK                          | <D:unlock>                      |
   | CHECKOUT                        | <D:write-properties>            |
   | CHECKIN                         | <D:write-properties>            |
   | REPORT                          | <D:read> (on all referenced     |
   |                                 | resources)                      |
   | VERSION-CONTROL                 | <D:write-properties>            |
   | MERGE                           | <D:write-content>               |
   | MKWORKSPACE                     | <D:write-content> on parent     |
   |                                 | collection                      |
   | BASELINE-CONTROL                | <D:write-properties> and        |
   |                                 | <D:write-content>               |
   | MKACTIVITY                      | <D:write-content> on parent     |
   |                                 | collection                      |
   +---------------------------------+---------------------------------+
Top   ToC   RFC3744 - Page 69

Index

A ACL method 40 C Condition Names DAV:allowed-principal (pre) 42 DAV:deny-before-grant (pre) 41 DAV:grant-only (pre) 41 DAV:limited-number-of-aces (pre) 41 DAV:missing-required-principal (pre) 42 DAV:no-abstract (pre) 41 DAV:no-ace-conflict (pre) 41 DAV:no-inherited-ace-conflict (pre) 41 DAV:no-invert (pre) 41 DAV:no-protected-ace-conflict (pre) 41 DAV:not-supported-privilege (pre) 42 DAV:number-of-matches-within-limits (post) 48, 53 DAV:recognized-principal (pre) 42 D DAV header compliance class 'access-control' 38 DAV:acl property 23 DAV:acl-principal-prop-set report 48 DAV:acl-restrictions property 27 DAV:all privilege 13 DAV:allowed-principal precondition 42 DAV:alternate-URI-set property 14 DAV:bind privilege 12 DAV:current-user-privilege-set property 21 DAV:deny-before-grant precondition 41 DAV:grant-only precondition 41 DAV:group property 18 DAV:group-member-set property 14 DAV:group-membership property 14 DAV:inherited-acl-set property 29 DAV:limited-number-of-aces precondition 41 DAV:missing-required-principal precondition 42 DAV:no-abstract precondition 41 DAV:no-ace-conflict precondition 41 DAV:no-inherited-ace-conflict precondition 41 DAV:no-invert precondition 41 DAV:no-protected-ace-conflict precondition 41 DAV:not-supported-privilege precondition 42 DAV:number-of-matches-within-limits postcondition 48, 53 DAV:owner property 15
Top   ToC   RFC3744 - Page 70
      DAV:principal resource type  13
      DAV:principal-collection-set property  30
      DAV:principal-match report  50
      DAV:principal-property-search  51
      DAV:principal-search-property-set  56
      DAV:principal-URL property  14
      DAV:read privilege  10
      DAV:read-acl privilege  11
      DAV:read-current-user-privilege-set privilege  12
      DAV:recognized-principal precondition  42
      DAV:supported-privilege-set property  18
      DAV:unbind privilege  12
      DAV:unlock privilege  11
      DAV:write privilege  10
      DAV:write-acl privilege  12
      DAV:write-content privilege  10
      DAV:write-properties privilege  10

   M
      Methods
         ACL  40

   P
      Privileges
         DAV:all  13
         DAV:bind  12
         DAV:read  10
         DAV:read-acl  11
         DAV:read-current-user-privilege-set  12
         DAV:unbind  12
         DAV:unlock  11
         DAV:write  10
         DAV:write-acl  12
         DAV:write-content  11
         DAV:write-properties  10
      Properties
         DAV:acl  23
         DAV:acl-restrictions  27
         DAV:alternate-URI-set  14
         DAV:current-user-privilege-set  21
         DAV:group  18
         DAV:group-member-set  14
         DAV:group-membership  14
         DAV:inherited-acl-set  29
         DAV:owner  15
         DAV:principal-collection-set  30
         DAV:principal-URL  14
         DAV:supported-privilege-set  18
Top   ToC   RFC3744 - Page 71
   R
      Reports
         DAV:acl-principal-prop-set  47
         DAV:principal-match  49
         DAV:principal-property-search  51
         DAV:principal-search-property-set  56
      Resource Types
         DAV:principal  13

Authors' Addresses

Geoffrey Clemm IBM 20 Maguire Road Lexington, MA 02421 EMail: geoffrey.clemm@us.ibm.com Julian F. Reschke greenbytes GmbH Salzmannstrasse 152 Muenster, NW 48159 Germany EMail: julian.reschke@greenbytes.de Eric Sedlar Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 EMail: eric.sedlar@oracle.com Jim Whitehead U.C. Santa Cruz, Dept. of Computer Science 1156 High Street Santa Cruz, CA 95064 EMail: ejw@cse.ucsc.edu
Top   ToC   RFC3744 - Page 72
Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.