-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Transfer security matters of the authentication system
from the user manual (refs qgis/QGIS-Documentation#8985 (comment))
- Loading branch information
1 parent
94bef54
commit b5cbcbd
Showing
1 changed file
with
62 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
_Originally available in the [user manual](https://docs.qgis.org/3.28/en/docs/user_manual/auth_system/auth_considerations.html)_ | ||
|
||
# Security Considerations | ||
|
||
Once the master password is entered, the API is open to access authentication | ||
configs in the authentication database, similar to how Firefox works. | ||
However, in the initial implementation, no wall against PyQGIS access has been defined. | ||
This may lead to issues where a user downloads/installs a malicious PyQGIS plugin | ||
or standalone app that gains access to authentication credentials. | ||
|
||
The quick solution for initial release of feature is to just not include most | ||
PyQGIS bindings for the authentication system. | ||
|
||
Another simple, though not robust, fix is to add a combobox | ||
in Settings --> Options --> Authentication (defaults to "never"): | ||
|
||
``` | ||
"Allow Python access to authentication system" | ||
Choices: [ confirm once per session | always confirm | always allow | never] | ||
``` | ||
|
||
Such an option's setting would need to be saved in a location non-accessible to Python, | ||
e.g. the authentication database, and encrypted with the master password. | ||
|
||
* Another option may be to track which plugins the user has specifically | ||
allowed to access the authentication system, though it may be tricky to deduce | ||
which plugin is actually making the call. | ||
|
||
* Sandboxing plugins, possibly in their own virtual environments, | ||
would reduce 'cross-plugin' hacking of authentication configs from another plugin | ||
that is authorized. | ||
This might mean limiting cross-plugin communication as well, | ||
but maybe only between third-party plugins. | ||
|
||
* Another good solution is to issue code-signing certificates to vetted plugin authors. | ||
Then validate the plugin's certificate upon loading. | ||
If need be the user can also directly set an untrusted policy for the certificate associated | ||
with the plugin using existing certificate management dialogs. | ||
|
||
* Alternatively, access to sensitive authentication system data from Python could never be allowed, | ||
and only the use of QGIS core widgets, or duplicating authentication system integrations, | ||
would allow the plugin to work with resources that have an authentication configuration, | ||
while keeping master password and authentication config loading in the realm of the main app. | ||
|
||
The same security concerns apply to C++ plugins, though it will be harder to restrict access, | ||
since there is no function binding to simply be removed as with Python. | ||
|
||
## Restrictions | ||
|
||
The confusing [licensing and exporting](https://www.openssl.org/docs/faq.html) | ||
issues associated with OpenSSL apply. | ||
In order for Qt to work with SSL certificates, it needs access to the OpenSSL libraries. | ||
Depending upon how Qt was compiled, the default is to dynamically link | ||
to the OpenSSL libs at run-time (to avoid the export limitations). | ||
|
||
QCA follows a similar tactic, whereby linking to QCA incurs no restrictions, | ||
because the qca-ossl (OpenSSL) plugin is loaded at run-time. | ||
The qca-ossl plugin is directly linked to the OpenSSL libs. Packagers would be the ones | ||
needing to ensure any OpenSSL-linking restrictions are met, if they ship the plugin. | ||
Maybe. I don't really know. I'm not a lawyer. | ||
|
||
The authentication system safely disables itself when ``qca-ossl`` is not found at run-time. |