Forum .LRN Q&A: .LRN Security

Posted by Michael Sachnik on
Hi everybody, can somebody tell me something about the security of .LRN? Is there any mechanism that saves .LRN from external and internal attacks? Are any attacks known? Thanks, Michael
2: Re: .LRN Security (response to 1)
Posted by Dirk Gomez on
Michael, your question is way too broad for an answer. Could you detail it a bit more? What is your main area of concern?
3: Re: Re: .LRN Security (response to 2)
Posted by Michael Sachnik on
Hi Dirk, my concern is whether it's possible for somebody without a password to hack into the system and get data or any information. The other thing is whether it is possible for a registered user to hack into another account (without its password) and get data or information from it. I think that a good hacker can do that, but does .LRN provide any security besides the password login (SSL, for example)? Thanks! Michael
4: Re: Re: Re: .LRN Security (response to 3)
Posted by Dirk Gomez on
No, .LRN is pretty well protected against those things :) SSL is a webserver setting, not an application setting, and AOLserver, the webserver for .LRN, supports SSL. .LRN has object-level security: basically, for every object in the system you can answer the question "does user x have the permission to do y on object z?". The permissioning model is hierarchical and at times fairly complex, but well understood. Another big security plus of .LRN is ad_page_contract, a programming function which makes it quite easy and comfortable to check user input. As a community, I think both .LRN and OpenACS are quite security-conscious. Why, and more importantly how, do you think a good hacker can turn around a .LRN system?
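To make the two mechanisms named in the reply above concrete, here is an added example in OpenACS Tcl; it is not code from the original thread or from the .LRN project. It shows what a page script looks like when it (a) lets ad_page_contract validate the incoming parameter and (b) answers "does user x have privilege y on object z?" with the permission API before any data is read. The page name, the table `forum_messages` and its columns are assumptions for illustration; `ad_page_contract`, `ad_conn`, `permission::require_permission`, `permission::permission_p` and `db_1row` are the real OpenACS procs.

```tcl
# message-view.tcl  (hypothetical page script; table/column names are assumptions)

# 1. Input validation. ad_page_contract parses the query/form parameters
#    against the declared filters. If message_id is missing or is not a
#    natural number, it renders an error page and the rest of this script
#    never runs, so the value can be trusted from here on.
ad_page_contract {
    Display one message to the requesting user.
} {
    message_id:naturalnum,notnull
    {return_url ""}
}

# 2. Object-level permission check. ad_conn user_id is 0 for an anonymous
#    visitor. require_permission walks the permission hierarchy (direct grants,
#    group/relational segments, and the object's context_id chain) and aborts
#    the request with a "permission denied" page unless the privilege is held.
#    Without this line, any user who can guess an object id could read the row.
set user_id [ad_conn user_id]
permission::require_permission \
    -object_id $message_id \
    -privilege "read" \
    -party_id  $user_id

# 3. Only now touch the database. The :message_id bind variable keeps the
#    value out of the SQL text, so it cannot be used for SQL injection even
#    though the naturalnum filter already rules out non-numeric input.
db_1row get_message {
    select subject, content
      from forum_messages
     where message_id = :message_id
}

# Non-aborting variant: permission_p returns 1 or 0, useful when a template
# should show or hide an "edit" control instead of refusing the whole page.
set write_p [permission::permission_p \
                 -object_id $message_id \
                 -privilege "write" \
                 -party_id  $user_id]
```

The order matters: validate the parameter first, then check the privilege on that specific object, then query. A page that performs the query before the permission check, or that checks a privilege on the package instead of on the object, is exactly the "registered user reads another user's data" case the question asks about, and it is a coding mistake rather than a weakness in the permissions model itself.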
5: Re: .LRN Security (response to 1)
Posted by Nagita Karunaratne on
You can only exploit a vulnerability; you can't 'turn around' a system without finding some weakness to exploit. Also, a lot has to do with how you program (i.e. do you check permissions before allowing access to data and objects, etc.). I think dotLRN is as safe as the more secure applications, and it is easy to work with.
6: Re: .LRN Security (response to 1)
Posted by Michael Sachnik on
Thanks! Is there any documentation about the "object-level security" and the ad_page_contract method?
7: Re: Re: .LRN Security (response to 6)
Posted by Jarkko Laine on
Here's the api-doc for ad_page_contract: https://openacs.org/api-doc/proc-view?proc=ad%5fpage%5fcontract

Here's another doc that tries to explain the permissions model that OpenACS uses: https://openacs.org/doc/openacs-5-1/permissions.html