secure way to allow users create logbook, posted by Szu-Ching Peckner on Tue Aug 28 23:02:07 2012
    Re: secure way to allow users create logbook, posted by Stefan Ritt on Wed Aug 29 10:46:49 2012
       Re: secure way to allow users create logbook, posted by Szu-Ching Peckner on Wed Aug 29 14:35:45 2012
       Re: secure way to allow users create logbook, posted by Szu-Ching Peckner on Wed Aug 29 18:16:37 2012
          Re: secure way to allow users create logbook, posted by Stefan Ritt on Thu Aug 30 10:00:07 2012
             Re: secure way to allow users create logbook, posted by Szu-Ching Peckner on Thu Aug 30 22:47:50 2012
Message ID: 67329     Entry time: Thu Aug 30 10:00:07 2012     In reply to: 67326     Reply to this: 67330
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Question  OS: Linux  ELOG Version: latest 
Subject: Re: secure way to allow users create logbook 

Szu-Ching Peckner wrote:

Stefan Ritt wrote:

Szu-Ching Peckner wrote:

I don't think there is a good secure way so far, but would like to have your opinion. 

If I want users to create logbooks for themselves, what's the best way to do it? I guess Execute $attribute = <command> may work, having it write to the cfg file, but obviously it imposes a security problem. Is there a good and secure way to allow users to create logbooks themselves?

Actually there is no good secure way. What I usually do is to give users admin rights on individual logbooks, then they can change the config of that logbook. Many times adding some attribute is as good as creating new logbooks. Like if you need two logbooks "home" and "work", you can create an attribute "type" and let the type be "home" or "work". With conditional attributes you can make the logbook behave differently for the two values of "type" and get most functionality of two separate logbooks.

- Stefan 

Is there a way to set user permissions based on a certain attribute? Can Allow command = <user list> be based on an attribute?
For example, say type home, user1 can read, user2 can write, user3 cannot access type home, but can access type work.

In short, is access control available when I use type to get functionality of separate logbooks? If so, how is this access control done? 

Actually I never tried that. Using conditional attributes, you could try that out, but no guarantee that it works. Like

Options type = home{1}, work{2}
{1}Login user = you, me
{2}Login user = me, other

You could play with "login user", "Allow command" and "Deny command".

/Stefan 
