Access Trap

Security Model for Web Suites



This article covers Access_Trap, the access-control environment used in Picture Placemat (a web-based photo management suite).

Description
Access_Trap controls access with two checks: a Referer test for authorization (which script a request is allowed to reach, based on the page it came from) and a username/password test for authentication.

Although Access Trap was created for Picture Placemat, it could be adapted for use in any number of applications.
This article discusses the role of Access Trap as it relates to Picture Placemat.



Security Highlights





Details

  1. Authorization:
  2. Authentication:
  3. First Run:




Layout

ppm_home.sh
   │   └── links to viewing scripts and common libraries
   │
 Access controlled via the auth_check and auth_user_check functions
   │
   └── ppm_admin.sh (login) ────────────────────────
       │    │                                       │
       │    └── ppm-admin_auth.sh (encrypted creds) │
       │                                            ├── ppm-admin_libs.sh
       └─ ppm-admin_main.sh (Admin tool links) ─────│  (shared admin libraries)
          │                                         │
          └── various admin scripts for tools ──────





The Code

This is the entire access-control function; it is called at the start of every admin script. It looks at where the request came from (HTTP_REFERER, which carries the name of the referring page) and at what was requested (REQUEST_URI), then works through a series of if/elif tests and either lets the script continue or redirects the browser back to the home page. Note that HTTP_REFERER is copied from a header the client sends, so the test only establishes that the request claims to come from an admin page: it stops users from wandering into the admin tools by typing URLs, but a client that sets its own Referer header satisfies it without having logged in. The credential check in ppm_admin.sh (below) is the part that actually verifies identity.

Authorization:
###############################################
#   Authorization for Admin Pages             #
#   (the main admin page also runs the        #
#    authentication check, auth_user_check)   #
###############################################
# Expects the CGI environment (HTTP_REFERER, REQUEST_URI) plus DOMAIN, the host
# name the site is served under (e.g. set from SERVER_NAME before the call).
# The `ls` below assumes the current directory is cgi-bin, as it is when the
# web server runs a CGI script.  Written for bash (the &> redirection).

auth_check() {

START_PAGE="/cgi-bin/ppm_home.sh"  # this is the page you have the "go to admin" button/link on
GOTO_PAGE="/cgi-bin/ppm_home.sh"  # this is where you send requests that are disallowed access
SETUP_PAGE="/cgi-bin/ppm_setup-env.sh"  # this is a temp page used for initial setup

ADMIN_LOGIN_FILE="ppm_admin.sh"
ADMIN_LOGIN_PAGE="/cgi-bin/${ADMIN_LOGIN_FILE}"
ADMIN_PAGES="ppm-admin_*.sh"

# set auth to false
AUTH_OK=0
ALLOW_LOGIN_ATTEMPT=0

# the login script plus every ppm-admin_*.sh tool, e.g. "ppm_admin.sh ppm-admin_main.sh ppm-admin_libs.sh ..."
ADMIN_PAGES="${ADMIN_LOGIN_FILE} `ls ${ADMIN_PAGES}`"

# are they returning from a tool (already authed)?
# eg.  HTTP_REFERER=http://nesbitt.linux1.ca/cgi-bin/ppm-admin_sometool.sh
# the query string is dropped first, so ".../ppm-admin_sometool.sh?id=7" still matches
THIS_REFERER=`echo ${HTTP_REFERER} | cut -d\? -f1`
for script_name in ${ADMIN_PAGES}
 do
  SCRIPT_REFERER="http://${DOMAIN}/cgi-bin/${script_name}"
  if [ "${THIS_REFERER}" = "${SCRIPT_REFERER}" ];then
     AUTH_OK=1
  fi
done

# must allow access to the login page from home or from the set-up page (triggered on first run), but it should still prompt
# URI_VAL is 0 when the request is for the login page
echo "${REQUEST_URI}" | grep "${ADMIN_LOGIN_PAGE}" &> /dev/null
URI_VAL=$?

if ( [ "${THIS_REFERER}" = "http://${DOMAIN}${START_PAGE}" ] || [ "${THIS_REFERER}" = "http://${DOMAIN}${SETUP_PAGE}" ] ) && [ ${URI_VAL} -eq 0 ];then
   ALLOW_LOGIN_ATTEMPT=1
fi

# case where the login page (ADMIN_LOGIN_FILE) reloads itself to check submitted creds: must not leave AUTH_OK=1,
# otherwise the loop above would count the login page as an "already authed" referer
ADMIN_REFER_VAL=${URI_VAL}
echo "${THIS_REFERER}" | grep "http://${DOMAIN}${ADMIN_LOGIN_PAGE}" &> /dev/null
REFER_MATCHES=$?

LOGIN_CHECK=0
if [ ${REFER_MATCHES} -eq 0 ] && [ ${ADMIN_REFER_VAL} -eq 0 ];then
   AUTH_OK=0
   LOGIN_CHECK=1
fi

#############
# act_on_auth: the only branch that rejects.  Everything else falls through and the
# calling script continues, with AUTH_OK telling it whether the referer was an admin page.
 if [ ${AUTH_OK} -ne 1 ] && [ ${LOGIN_CHECK} -ne 1 ]; then
    if [ ${ALLOW_LOGIN_ATTEMPT} -ne 1 ];then
       # send them away
       cat << EOAF
Status: 303 See Other
Location: ${GOTO_PAGE}

EOAF

     exit
   fi
 fi
}

##### e/o admin auth check  ######
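To see how the branches above resolve for concrete requests, here is an added example (not Access Trap's own code) that re-implements auth_check's decision logic as a pure function which prints a verdict instead of redirecting and calling exit. The host name (example.test), the list of ppm-admin_*.sh pages (which the real script gets from ls in cgi-bin) and the Referer/request pairs it is run against are all constructed for the example.

```shell
#!/bin/bash
# Added example, not Access Trap's own code: auth_check's decision logic as a pure
# function that prints a verdict instead of redirecting and calling exit.
# Assumed values: the host name and the admin page list (the real script globs
# ppm-admin_*.sh from cgi-bin with ls).

DOMAIN="example.test"                      # assumed host name
START_PAGE="/cgi-bin/ppm_home.sh"
SETUP_PAGE="/cgi-bin/ppm_setup-env.sh"
ADMIN_LOGIN_FILE="ppm_admin.sh"
ADMIN_LOGIN_PAGE="/cgi-bin/${ADMIN_LOGIN_FILE}"
# constructed stand-in for: ADMIN_PAGES="${ADMIN_LOGIN_FILE} `ls ppm-admin_*.sh`"
ADMIN_PAGES="${ADMIN_LOGIN_FILE} ppm-admin_main.sh ppm-admin_libs.sh ppm-admin_sometool.sh"

# access_trap_decide HTTP_REFERER REQUEST_URI
# prints:  allow  - request proceeds with AUTH_OK=1 (referer was an admin page)
#          login  - request proceeds with AUTH_OK=0 (login form shown, or creds being checked)
#          deny   - auth_check would answer "Status: 303" to ppm_home.sh and exit
access_trap_decide() {
  local this_referer="${1%%\?*}"       # drop the query string, as `cut -d\? -f1` does
  local request_uri="$2"
  local auth_ok=0 allow_login_attempt=0 login_check=0
  local uri_is_login=0 referer_is_login=0 script_name

  # 1. an exact match against an admin page URL counts as "returning from a tool"
  for script_name in ${ADMIN_PAGES}; do
    if [ "${this_referer}" = "http://${DOMAIN}/cgi-bin/${script_name}" ]; then
      auth_ok=1
    fi
  done

  # 2. the login page itself may be requested from the home or set-up page
  case "${request_uri}" in *"${ADMIN_LOGIN_PAGE}"*) uri_is_login=1 ;; esac
  if [ "${uri_is_login}" -eq 1 ] &&
     { [ "${this_referer}" = "http://${DOMAIN}${START_PAGE}" ] ||
       [ "${this_referer}" = "http://${DOMAIN}${SETUP_PAGE}" ]; }; then
    allow_login_attempt=1
  fi

  # 3. login page reloading itself to check submitted creds: not authed yet
  case "${this_referer}" in *"http://${DOMAIN}${ADMIN_LOGIN_PAGE}"*) referer_is_login=1 ;; esac
  if [ "${referer_is_login}" -eq 1 ] && [ "${uri_is_login}" -eq 1 ]; then
    auth_ok=0
    login_check=1
  fi

  # 4. act_on_auth: only one branch rejects
  if [ "${auth_ok}" -ne 1 ] && [ "${login_check}" -ne 1 ] && [ "${allow_login_attempt}" -ne 1 ]; then
    echo deny
  elif [ "${auth_ok}" -eq 1 ]; then
    echo allow
  else
    echo login
  fi
}

# Constructed requests, one per line: "<Referer>|<REQUEST_URI>"
while IFS='|' read -r referer uri; do
  printf '%-58s %-28s -> %s\n' "${referer:-(no Referer)}" "$uri" "$(access_trap_decide "$referer" "$uri")"
done <<'EOF'
http://example.test/cgi-bin/ppm_home.sh|/cgi-bin/ppm_admin.sh
http://example.test/cgi-bin/ppm_admin.sh|/cgi-bin/ppm_admin.sh
http://example.test/cgi-bin/ppm_admin.sh|/cgi-bin/ppm-admin_main.sh
http://example.test/cgi-bin/ppm-admin_sometool.sh?id=7|/cgi-bin/ppm-admin_main.sh
|/cgi-bin/ppm-admin_main.sh
http://example.test/cgi-bin/ppm_home.sh|/cgi-bin/ppm-admin_main.sh
http://example.test/cgi-bin/ppm-admin_main.sh|/cgi-bin/ppm-admin_sometool.sh
EOF
```

The first four lines are the intended paths (home to login form, login form checking its own submission, login form redirecting into ppm-admin_main.sh, and a tool returning to the main page with a query string). The missing-Referer and home-to-tool cases are refused. The last line shows the limit of the Referer test: nothing in auth_check ties the request to an earlier login, so a client that sends a Referer naming any admin page is allowed straight through.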




Authentication:
Authentication is handled by the script that presents the admin login form (ppm_admin.sh).
It consists of two small functions.
The first hashes the submitted credentials with crypt(3) and compares them to the stored values.
On a successful match, the second function is called to send the user to the main admin tools area.
Below, ADMIN_NAME and ADMIN_PASSWD come from the login form, and REAL_IMG_ADMIN and REAL_IMG_PASSWD are the crypt(3) hashes of the real name and password, defined in a separate auth file (ppm-admin_auth.sh). Two caveats on the hashing: a two-character salt such as "13" selects the traditional DES scheme, which uses only the first eight characters of the input, and because the salt is fixed every install produces the same hash for the same password.
## compare provided creds
auth_user_check() {
 AUTH_USER=0  # set auth to false
 # The submitted values are handed to perl through its environment rather than
 # pasted into the program text, so quotes or shell metacharacters in a name or
 # password cannot change the perl code that runs.  "13" is the two-character
 # salt used when the stored values in ppm-admin_auth.sh were created.
 ADMIN_NAME_CRYPT=$(ADMIN_NAME="${ADMIN_NAME}" perl -le 'print crypt($ENV{ADMIN_NAME}, "13")')
 ADMIN_PASSWD_CRYPT=$(ADMIN_PASSWD="${ADMIN_PASSWD}" perl -le 'print crypt($ENV{ADMIN_PASSWD}, "13")')

 if [ "${ADMIN_NAME_CRYPT}" = "${REAL_IMG_ADMIN}" ] && [ "${ADMIN_PASSWD_CRYPT}" = "${REAL_IMG_PASSWD}" ]; then
    AUTH_USER=1
 fi
 if [ "${AUTH_OK:-0}" -eq 1 ];then  # AUTH_OK comes from auth_check: arriving from an admin page counts as logged in
    AUTH_USER=1
 fi
}

##  act on auth results
act_on_auth_ok() {
if [ ${AUTH_USER} -eq 1 ];then # login was okay, send them to the main admin page
   cat << EOH
Status: 303 See Other
Location: /cgi-bin/ppm-admin_main.sh

EOH
exit
fi
}




Known Weaknesses





original document created by Pete Nesbitt, May 2011