This week I've been thinking about how to implement authorization in UmitWeb. In other words, I've been trying to define a way to determine what users can or cannot do when running nmap through UmitWeb (since UmitWeb always runs as root on the server).
After a few days, I made a draft that describes how it will work. The mechanism is quite simple: each User is assigned to a Role, and a Role can have several Access Permissions. This seems to be an obvious way to do authorization. But how can access be divided into permissions?
I found an approach that I think is interesting: each Role will have definitions about the details of command composition. For example, the Role of a user who may run OS detection will have a permission to execute nmap with the '-O' parameter. On the other hand, if a Role doesn't have a permission that defines the '-sV' option, users assigned to that Role cannot do service version detection.
The best way to find these options inside the nmap command line is to compare it against regular expressions. There are advantages to using regular expressions to identify the parts of a command. The permission definitions can be written in an XML file (like options and profiles), and users can extend them. For example, if a user wants to create a new permission definition, he/she can easily do it by editing security.xml and putting in it the proper regular expression associated with that permission.
Another important thing to think about is how Umit will handle the order of the permissions in each Role. I think the best way to do it is to 'chain' all permissions and categorize them by defining a priority order. This way, Umit will work like a 'command firewall', filtering the options to allow or deny the command execution.
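To make the permission chain concrete, here is an added example (my own sketch, not UmitWeb's code): it parses a constructed security.xml whose element and attribute names are assumptions, sorts each Role's permissions by priority, and decides token by token with a default deny. Matching uses re.fullmatch on each argument after shlex tokenization rather than re.search over the raw command string, so a pattern written for -s cannot accidentally cover -sV, and a "target" that carries shell metacharacters simply fails to match any permission.

```python
import re
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of a hypothetical security.xml. The <permission>/<role>/<grant>
# element names and their attributes are assumptions made for this example.
SECURITY_XML = """<security>
  <permissions>
    <permission name="basic_scan"        action="allow" priority="10" pattern="-s[ST]" />
    <permission name="version_detection" action="allow" priority="10" pattern="-sV" />
    <permission name="os_detection"      action="allow" priority="10" pattern="-O" />
    <permission name="port_spec"         action="allow" priority="10" pattern="-p[0-9,-]+" />
    <permission name="hostnames"         action="allow" priority="50" pattern="[A-Za-z0-9][A-Za-z0-9./-]*" />
    <permission name="no_script_engine"  action="deny"  priority="1"  pattern="--script(=.*)?" />
  </permissions>
  <roles>
    <role name="auditor">
      <grant permission="basic_scan"/>
      <grant permission="version_detection"/>
      <grant permission="os_detection"/>
      <grant permission="port_spec"/>
      <grant permission="hostnames"/>
      <grant permission="no_script_engine"/>
    </role>
    <role name="guest">
      <grant permission="basic_scan"/>
      <grant permission="port_spec"/>
      <grant permission="hostnames"/>
    </role>
  </roles>
</security>
"""


@dataclass(frozen=True)
class Permission:
    name: str
    pattern: re.Pattern
    action: str    # "allow" or "deny"
    priority: int  # lower numbers are evaluated first in the chain


def load_policy(xml_text):
    """Return {role_name: [Permission, ...]} with each chain sorted by priority."""
    root = ET.fromstring(xml_text)
    perms = {}
    for el in root.iter("permission"):
        perms[el.get("name")] = Permission(
            name=el.get("name"),
            pattern=re.compile(el.get("pattern")),
            action=el.get("action"),
            priority=int(el.get("priority")),
        )
    roles = {}
    for r in root.iter("role"):
        chain = [perms[g.get("permission")] for g in r.findall("grant")]
        # sorted() is stable, so grants with equal priority keep their file order
        roles[r.get("name")] = sorted(chain, key=lambda p: p.priority)
    return roles


def decide_token(chain, token):
    """First permission in the chain that fully matches the token decides; no match means deny."""
    for perm in chain:
        if perm.pattern.fullmatch(token):
            return perm.action, perm.name
    return "deny", None


def authorize(roles, role_name, command):
    """Command-firewall check: every argument must be explicitly allowed by the role's chain."""
    chain = roles.get(role_name, [])          # unknown role -> empty chain -> everything denied
    argv = shlex.split(command)
    if not argv or argv[0] != "nmap":
        return False, "only nmap may be executed"
    for token in argv[1:]:
        action, name = decide_token(chain, token)
        if action != "allow":
            return False, f"{token!r} denied by {name or 'default policy'}"
    return True, "allowed"


if __name__ == "__main__":
    policy = load_policy(SECURITY_XML)
    for role, cmd in [("auditor", "nmap -sS -O -p22,80 scanme.example"),
                      ("guest", "nmap -sV scanme.example"),
                      ("auditor", "nmap --script=vuln scanme.example")]:
        print(role, cmd, "->", authorize(policy, role, cmd))
```

The deny rule with priority 1 sits in front of every allow rule for the auditor Role, which is the point of the priority order: a later, broader allow cannot override it. Storing the policy in XML versus a database does not change this logic; only load_policy would differ.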
I'm still deciding whether the best way to store user roles is in XML files or in a database. I have the same issue with storing users. I'll run tests and research the security issues in each case.
Next week it will be time to implement my thoughts and test them. Let's roll into the first official GSoC week. Here we go!
From: UmitWeb POST