FeatureRequests/ACLExamplePageForMLS

Short description

Write a documentation with example acl definitions for a MLS scenario.

essentially it is a model for containment/fine grained control of access permissions to resources ex a top secret user can access unclassified and secret data but an unclassified user cant access anything but unclassified data

Maybe first write a doc about what "MLS" means.

Besides from that, did you read HelpOnAccessControlLists?

$/!\$ MoinMoin has not been designed for an MLS based implementation, MLS is not just having ACL,

Please give a concrete description what "MLS" means. ReimarBauer/Photo/img.png -- ReimarBauer 2011-09-07 17:23:37

$/!\$ MLS Stands for Multilevel Security, it refers to systems that should deal with different levels of users at different levels of security clearances and different levels of information sensitivities, i.e. Gov data classified at different levels, Public, For Official Use only, Restricted, Secret and Top Secret, such data if placed on a system; the security system must provide assurance that the information is safe to its level of sensitivity ,such system is called Multilevel Security, this requires implementing Mandatory Access Control, Identity based access control, Role based access control and so on and so forth, an example is SELinux, it is not MLS but it provides tools for establishing MLS system, all user level as well as kernel/system level programs (involved) should be MLS aware to be able to be qualified as MLS system, MoinMoin Doesn't

Another approach is Multiple Single-level Security, or placing untrusted applications (anything that does not conform to TRUSTED COMPUTING) - actually treating everything that works with data) in its restricted sandbox and security domain, this one (Multiple Single-Level Security) is possible with every software with adequate security measures in place even MoinMoin.

I imagine that if groups could include other groups, you could define the SecretGroup to include a number of users and also the TopSecretGroup, for example. That would let you have the group hierarchy without having to copy all the users around. However, this still leaves the access controls at the level of Moin, not at any more fundamental level, which might be what you're interested in. In other words, a TopSecretGroup user wouldn't be saving edits to a page with a TopSecretGroup:read,write All: ACL with an actual system role corresponding to their status in Moin, so the security wouldn't be enforced at multiple levels. I guess you could turn this around and make Moin aware of system roles and then have filesystem operations performed under such roles, but this kind of thing is tricky to do in conventional Web applications. -- PaulBoddie 2011-09-08 14:25:01

$/!\$ This is not MLS, and it is meaningless in terms of MLS, it is obvious you are not an Information Security specialist, What you suggest is Discretionary Access Control (DAC), let me show you in an example: on Linux you can create users and each user can change its files and folders permissions to chmod 777, world readable and writable as well as executable, in MLS The user should not be able to do so (elevation or changing sensitivity of data), in other words you cannot give making such decisions to the users or even admins, you set the roles and sensitivity of the information system wide and nobody can elevate or reduce the sensitivity or cause leakage of the data, MLS is on top of DAC, it limits DAC actually, Even when you established that, the way MoinMoin stores data does not conform to MLS/MAC a part of MLS is MAC/RBAC/IBAC, also MLS should follow general system security policies set by security specialists/security admins, i.e. on Linux you need to follow MLS setup (roles and policies) by SELinux, On the other hand I'm afraid there is no such thing as MLS on Windows, this is why in practice (For Windows) MSL is used (Multiple Single-Level Security Model), Frankly talking about MLS on a Wiki is a Joke, trying to make MoinMoin MLS aware is another funny Joke, they are controversial in terms.

The question is if one can do that definition by setting up a security policy. For examples look at http://hg.moinmo.in/moin/1.9/file/89882824b375/MoinMoin/security and SecurityPolicy.

If you're interested in figuring this out then Reimar's response is the only way to go and is a lot more productive than just saying that it is a joke. I don't pretend to be an "Information Security specialist" but I've used various technologies including SELinux, so I certainly know what they are and what they do, and although I can imagine someone making Moin use SELinux intensively, this kind of thing is rarely done unless someone is willing to invest the time, effort and - typically - money in making it so. I don't really understand why someone would create a page asking for an ACL example for MLS and then spend the rest of their time saying that ACL is not enough and that you can't use Moin for MLS. It all sounds like a strawman scenario to me, whereas people might be willing to explore the possibilities if you were a bit more constructive. -- PaulBoddie 2011-09-09 07:28:45

$/!\$ PaulBoddie, I'm not figuring things up here, Just answering to the feature request, Making MoinMoin MLS aware is out of context and such request is bogus, I'm not the person requested it, and what you suggest does not have any meaning or improvement in terms of Security and MLS systems, if one wants secure MoinMoin deployment he can use MSL (Multiple Single Level) Deployment instead, MLS is seeing security based on the information context not user context (this is why your reference to the solution is not right), You are again showing you are not aware of the Information Security, I'm not having that luxury and just tried to answer the guy requested the feature, see wikipedia and search for intelink and you will find out mediawiki also is used in MSL deployments not MLS based deployment. I know what I say but when you do not posses such specialty, isn't it better to let those who have such experiences contribute to the community? I'm from a very well established security firm and do not write this for advertising just answering the feature request.

Well, I stand by what I wrote above: if the requester wants something that looks a bit like MLS, but doesn't actually expect the real thing (for example, if you bypass Moin, you can read anything), then they can just use groups within groups just as I described. That would be a useful authorisation pattern in itself - I can tell you that from experience. Again, I haven't even claimed familiarity with MLS, but given that I've acknowledged the limitations of just using ACLs in Moin to fake something that looks like it using a permissions hierarchy, it's not entirely true that I am "not aware of the Information Security": I'm just saying that they won't get the real deal. For some people, they don't actually want the real deal. Instead, they've just seen some features and would be happy with just those features - I guess that's why the requester focused on ACLs straight away. And again, if they want the real deal then they should expect to pay someone for it, because I doubt that the community will do it without their own need for it, and those who do need it are the kinds of organisations who are prepared to pay for it and can afford it. -- PaulBoddie 2011-09-14 12:59:38

CategoryFeatureRequest

MoinMoin: FeatureRequests/ACLExamplePageForMLS (last edited 2011-09-14 12:59:38 by PaulBoddie)