User with Read permission can export everything to bring home

I see that if a user is granted Read permission for a workspace, he can view and EXPORT everything in that workspace to a file, and if he installs a new instance of Nuxeo (quite easy thanks to the excellent work of the Nuxeo team) he can then import everything into it and have that workspace at hand with full access rights.

I'm quite embarrassed, or even terrified, by the fact that a user with the lowest access right (Read permission) can easily download EVERYTHING from the workspace, from its structure to its content and files, take it home, upload (import) it into a new instance of Nuxeo and then become the owner of the full data. It's just like employees at a company: they are provided with everything at the office to do their work: computers, office machines and other property. They have access to these in order to work at the office, but they absolutely cannot take them home and become the owner of that property.

If this is the case, in my opinion it would be a terrible thing regarding access right permissions. I think that in access right management there should be a setting for whether a user is allowed to export a workspace or not: only some very high-level users can export, and users with low-level rights such as Read cannot export. I think the Export right should be even higher than the Manage right (and of course much higher than the Read, Write and Remove rights).

Could anyone please help me clarify this point?

Thanks a lot.

0 votes

1 answer

1442 views

ANSWER



Hi,

If you access a web page you can do (almost) everything you want, in Nuxeo or elsewhere, with an export feature or without. Because you receive the source of the page, and you can hit each resource.

For example, if your user can read a folder from:

  • a Nuxeo instance
  • a Google Drive account
  • a Sharepoint server
  • a Windows shared folder

then he can create a folder with the same name in:

  • a Nuxeo instance
  • a Google Drive account
  • a Sharepoint server
  • a Windows shared folder

and he can download all files and upload them. He doesn't need an export feature. NB: manually it could be a pain, but with a simple web parser it's easy.

If you can't trust the user, don't allow him to access your data. Have you never seen an employee going home with his professional laptop? Or taking data away on a USB key? Depending on the security requirements of the company, you have to implement some rules … and educate your employees.

0 votes
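As an added example (not code from the original answer, and not Nuxeo's own code), this is what the answer's "simple web parser" amounts to in Python: a same-host crawler that follows every link a read-only user can see and keeps every non-HTML resource it reaches. The "site" is a constructed in-memory dictionary standing in for a workspace the user can browse; every host name, folder name and file name in it is invented, and the `fetch_offline` helper replaces the authenticated HTTP GET a real run would use.

```python
"""Added example: mirroring a browsable tree with only read access.

The point of the answer above: if the browser can render a folder listing and
open each document, a few dozen lines of HTML parsing can fetch the whole tree
without any export feature. The site below is constructed (invented URLs and
names) so the script runs offline.
"""
from collections import deque
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urldefrag, urljoin, urlsplit

Page = Tuple[str, bytes]                 # (content-type, body)
Fetcher = Callable[[str], Optional[Page]]  # None means 403/404: not readable


class LinkExtractor(HTMLParser):
    """Collect absolute URLs from href/src attributes, resolved against the page URL."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base_url = base_url
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                absolute, _fragment = urldefrag(urljoin(self.base_url, value))
                self.links.append(absolute)


def extract_links(html: str, base_url: str) -> List[str]:
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links


def same_host(a: str, b: str) -> bool:
    return urlsplit(a).netloc == urlsplit(b).netloc


def mirror(start_url: str, fetch: Fetcher) -> Dict[str, bytes]:
    """Breadth-first walk from start_url following same-host links in HTML pages.

    Returns every non-HTML resource reached (the "documents"), keyed by URL.
    Pages the user cannot read (fetch returns None) are simply skipped, which is
    exactly the behaviour a Read permission gives: you get what you can see.
    """
    seen: Set[str] = set()
    queue = deque([start_url])
    documents: Dict[str, bytes] = {}
    while queue:
        url = queue.popleft()
        if url in seen or not same_host(url, start_url):
            continue
        seen.add(url)
        page = fetch(url)  # in a real run: an authenticated GET with the read-only session
        if page is None:
            continue
        content_type, body = page
        if content_type.startswith("text/html"):
            queue.extend(extract_links(body.decode("utf-8"), url))
        else:
            documents[url] = body
    return documents


# Constructed stand-in for a workspace a Read-only user can browse (invented names/URLs).
# "projects/secret/" is a folder this user has no Read permission on, so it is absent
# from the dictionary and fetch_offline() answers None for it, like a 403 would.
SITE: Dict[str, Page] = {
    "https://dms.example.invalid/ws/": (
        "text/html",
        b'<a href="projects/">projects</a> <a href="policy.pdf">policy</a> '
        b'<img src="https://cdn.other.invalid/logo.png">',
    ),
    "https://dms.example.invalid/ws/policy.pdf": ("application/pdf", b"%PDF-1.4 policy"),
    "https://dms.example.invalid/ws/projects/": (
        "text/html",
        b'<a href="../">up</a> <a href="alpha/spec.docx">spec</a> <a href="secret/">secret</a>',
    ),
    "https://dms.example.invalid/ws/projects/alpha/spec.docx": ("application/octet-stream", b"PK spec"),
}


def fetch_offline(url: str) -> Optional[Page]:
    """Offline fetcher over the constructed site (hypothetical helper)."""
    return SITE.get(url)


def mirror_demo() -> Dict[str, bytes]:
    return mirror("https://dms.example.invalid/ws/", fetch_offline)


if __name__ == "__main__":
    for url, body in sorted(mirror_demo().items()):
        print(f"{url}  ({len(body)} bytes)")
```

The crawler never needs anything beyond the same GET requests the browser already makes, which is why disabling an Export button does not change what a Read-only user can take away; what it does change is how visible the copy is, since a tree walk like this shows up in the access log as one client requesting every document in sequence.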



Thank you for your prompt reply. I think on the technical side it's quite clear and straightforward, with what you say and how Nuxeo behaves regarding this issue.

I just want to share an idea on the practical side, at work, of this issue.

  • I agree with you that Google Drive or SharePoint users can download files and then upload them. But the key point here is that they do not provide an Export feature like that. There must be a reason that all those systems allow download and upload of single files but none of them provide an EXPORT EVERYTHING feature. Or it should be put this way: all those systems have no reason to ACTIVELY SUPPORT USERS TO DOWNLOAD EVERYTHING AT ONCE WITH A SINGLE CLICK like the Export feature.

I don't know what the reasons and logic are behind the design of an Export feature enabled for Read-right users. Either there's a reason for it, or it's just a scenario that has not been considered. I see that Nuxeo is a great work with great effort to help organizations manage their content and users, and one of Nuxeo's great strengths is its sophisticated security authorization and permission management. Regarding this, I don't think any organization wants, not to mention actively supports with a one-click Export function, its users with the lowest access right level to export everything like that. That's the reason why other systems like Google Docs, SharePoint (and all other systems I've worked with) don't provide such an Export feature for users with Read right.

  • The other thing is about security on the web: we all know that nothing on the web can be said to be 100% secure. Even an SSL connection is not 100% safe, and there's still a chance that they can break the security of an SSL connection. Recently the U.S. government is claimed to have broken Google's SSL connections to inspect information. So why is SSL still in use? Why don't websites just use normal (not encrypted) connections for easier deployment?

The point here is that we cannot 100% eliminate the risk, but we can REDUCE THE RISK.

Similarly for password brute-force attacks. In theory, passwords are made from the letters on the keyboard and they can brute-force to find out the password, or people can make a wild guess and there's still a chance that the guess is the right password, although the chance is very, very low. So why do they still use passwords?

The point here is that the risk still exists, but it's very, very low.

The point with the download/export issue in Nuxeo is similar: yes, they can download single files to upload anywhere (Nuxeo, Google Drive and all other systems allow that), but it would be painful (as you said) to do so with a system after 1-2 years in operation with hundreds of thousands of files, topics…, and this way THE RISK IS VERY, VERY LOW. But if a one-click-for-all export feature is supported, SUDDENLY THE RISK IS VERY HIGH.

It's similar to the ability to export the whole Nuxeo database (Postgres, MySQL…). Technically content and database are different, but practically these two actions have many things in common: the export feature lets a Read-only user download and upload (backup and restore) everything they can access, even the workspace structure and the files, content and data inside. While with the database, only an Administrator can export it; even a Power User can do nothing about export.

In summary, what are the reasons behind the design of the Export feature for Read-only users, while in real-life operation no organization wants to allow, not to mention actively support with available tools, its users with the lowest access rights to export everything at once like that? You mentioned education of employees, but I think that's a different story. Here we are talking about system design, system security, and how to have as high security as possible.

Do you think this point should be suggested as a new feature to be put in the next version?

Thank you.

12/27/2013

As sdenef said, when you have read access, you can read all the docs.

The export feature is just an integrated "get all content" feature. If you think this feature makes it too easy for people to download content, you can disable it very easily.

But the question is, why would one want to download all the content? Is this the easiest way to gain access to some document? Surely not, since he already has read access. So the answer is perhaps that he really wants all the content for various reasons, and if he wants it then he can get it even without the export feature. It is very easy to download a whole website with tools like wget. For instance, I remember some time ago I did it for an e-commerce site to grab all the prices of all the products… without any export feature.

So yes, if you give read access to all documents, then the user has access to all documents ;-)

12/27/2013

> I agree with you that Google Drive or SharePoint users can download files and then upload them. But the key point here is that they do not provide an Export feature like that.

You're wrong. In your Google Drive:

  • select all your documents (docs, folders, shared docs, shared folders)
  • in the "Autres" ("More", in French) menu choose "Télécharger …" ("Download", in French again)
  • choose an export format for each type of document
  • and you can download them easily

And I don't think Google doesn't pay attention to security.

> it would be painful (as you said)

Manually it is painful. But as Damien said, wget or a website copier program can make it as easy as a one-click action. For anyone.

> all those systems have no reason to ACTIVELY SUPPORT USERS TO DOWNLOAD EVERYTHING AT ONCE WITH A SINGLE CLICK like the Export feature

Oh yes they have. People, and therefore companies, like having a very open system, because they (usually) want to be able to switch to another system easily.

> Damien: If you think this feature makes it too easy for people to download content, you can disable it very easily.

+1. But if your company has strong security requirements, you're not protected by that.

> how to have as high security as possible

In that case you have to find another way to secure your data. I'm not a security expert, but:

you could store only encrypted files in Nuxeo, and these files could be opened only when the user is on your LAN (for example by getting the key from a network shared folder). It depends on your case.

or maybe with a USB token

> In summary, what are the reasons behind the design of the Export feature for Read-only users while in real-life operation

e.g. your CEO has an important meeting at a venture capital firm's headquarters, and has to be able to show any of the 1368 documents stored in the "to_investors" folder. He can't access the documents via the Internet (maybe for security reasons, or the connection is not reliable) … and if he can't, your company won't receive $2M of investment.

You can find examples explaining why to allow, or why to disallow, this kind of feature.

12/27/2013