Components in permission_policies should be always loaded

[Mitar]

Trac should enforce loading of all components in permission_policies and restrain from starting if this is not possible. Otherwise it is possible that some component does not load (because of some system upgrade or any other Python error) and some security enforcing is turned off. This could have grave security implications.

More about this topic in ​this ticket.

[rblank]

We could extend OrderedExtensionOption to do that (or create a MandatoryOrderedExtensionOption subclass). Sounds like a good idea.

OTOH, a whitelist is inherently safer than the blacklist currently implemented in ​SensitiveTicketsPlugin. Trac supports both policies, and actually, if a permission isn't granted explicitly by an IPermissionPolicy, it's denied. Maybe the plugin should also be modified to use a blacklist?

[cboos]

Also have a look at the discussion in #5535, where similar concerns about security when permission policies couldn't be loaded were raised.

([OT] where's the (-) Remove this change button? I was about to remove ryano@ from the CC: ;-) )

[rblank]

Replying to cboos:

([OT] where's the (-) Remove this change button? I was about to remove ryano@ from the CC: ;-) )

Yes, I had the same experience with comment:1. The thing is, it's more difficult to implement than I initially thought, and I haven't had time to dive in lately. Still on my list, though.

[Mitar]

Replying to rblank:

We could extend OrderedExtensionOption to do that (or create a MandatoryOrderedExtensionOption subclass). Sounds like a good idea.

This really sounds as a good idea.

BTW, why is required Component flag/field not checked anywhere, it seems? I saw it in some official Trac components being set to True.

Trac supports both policies, and actually, if a permission isn't granted explicitly by an IPermissionPolicy, it's denied. Maybe the plugin should also be modified to use a blacklist?

Yes, but the idea is that you augment the existing permission policy components (like official one for tickets). Otherwise you have to replace whole chain with your own permission policy. I believe MandatoryOrderedExtensionOption is a very simple solution which would make things easy to develop with predicting results. So good work/effect ratio in my opinion.

[dkg@…]

I'm the new maintainer for the ​SensitiveTicketsPlugin. For this plugin to be able to deny access to certain tickets, I would very much like to see a way to force trac to fail closed if the plugin isn't properly loaded.

I don't know enough about trac internals to advocate for any of the proposed mechanisms above, but i agree that one of them needs to be available for plugins like ​SensitiveTickets.

If such a mechanism already exists, i'd be happy to learn about it and would use it.

If it doesn't exist, what can i do to help it along?

[rblank]

Replying to dkg@…:

If it doesn't exist, what can i do to help it along?

It currently doesn't. The best idea so far is still comment:2: enhance OrderedExtensionOption with an optional boolean argument require_all, defaulting to False, and when True, have the option check that all specified components actually exist. This is probably going to require a few changes to ExtensionPoint as well.

[fd766@…]

Is there a work around for this problem? I disabled then re-enabled the plugin, now it doesn't work and client is not happy to say the least.

[Ryan J Ollos <ryan.j.ollos@…>]

Replying to fd766@…:

Is there a work around for this problem? I disabled then re-enabled the plugin, now it doesn't work and client is not happy to say the least.

I can't make sense of your question in the context of this thread. Please post your question to the MailingList.

[Steven R. Loomis <srl@…>]

patch against milestone:0.12.3 implementing MandatoryOrderedExtensionsOption?