[CKAN-Security] CKAN security best practices

Andrew Wild andrew.wild at servian.com
Thu Feb 28 23:10:09 UTC 2019


Hi Adrià,

Thanks for the swift reply and the valuable information - much appreciated.
Yea, I saw the user_list function shortly after I sent the email yesterday.
I'll drop an email today to the sysadmins of the CKAN installations that
are still exposing the user_list to give them a heads up (and with some
instructions on how to fix it).
I'll send a note to the dev group if I spot anything else.

Thanks again,
Andy

On Thu, 28 Feb 2019 at 23:50, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Hi Andrew,
>
> Thanks for reaching out.
>
> There is not a dedicated security best practices document as far as I
> know. General practices for securing web applications should apply. At the
> CKAN level you might want to review your authorization settings, although
> the ones used by default offer a good starting point:
> https://docs.ckan.org/en/latest/maintaining/configuration.html#authorization-settings
>
> Yes, the user list was public by default up until recently. On CKAN 2.8
> there was an option to just show it to logged-in users, and on the next
> version it will be only available to sysadmins (
> https://github.com/ckan/ckan/pull/4654). In the meantime you can override
> the user_list auth function quite easily to prevent public access to the
> user list. Don't hesitate to write to the dev mailing list if you need
> support on that.
>
> Hope this helps,
>
> Adrià
>
>
> On Thu, 28 Feb 2019 at 09:58, Andrew Wild <andrew.wild at servian.com> wrote:
>
>> Hi,
>>
>> I'm currently in the process of evaluating CKAN's security framework for
>> an open data portal we're building. I'm wondering if you have any reference
>> documentation for security best practices when installing CKAN?
>>
>> On a related note, I've noticed that on some CKAN installations, I can
>> hit the user_list API without an authorisation token and get a list of
>> usernames, names and sysadmin (TRUE/FALSE). I'm presuming this is not the
>> recommended approach, is there any documentation you can share that allows
>> sysadmins to limit the API calls that are available to users?
>>
>> Thanks,
>> Andy
>>
>> --
>> *Andrew Wild* | Consultant | m: 0481 115 645 | p: +61 458 290 389
>> Level 3, 200 Mary Street, Brisbane City QLD 4000
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>>
>> Repo: https://github.com/ckan/ckan-security
>
>

-- 
*Andrew Wild* | Consultant | m: 0481 115 645 | p: +61 458 290 389
Level 3, 200 Mary Street, Brisbane City QLD 4000
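The override Adrià suggests, as an added example written for this page (it is not code from the thread, from CKAN or from the ckan-security repo): a minimal CKAN extension that replaces the auth function for the user_list action so that only sysadmins can call it, plus a softer logged-in-only variant. Because CKAN itself is not importable outside a CKAN install, the block also carries a small stand-in for CKAN's authorization dispatch, constructed for this example only, that reproduces the one behaviour the override relies on (sysadmins bypass auth functions unless those are flagged with auth_sysadmins_check). The plugin class name, the sample user names and the stand-in dispatcher are all assumptions.

```python
# Added example, not CKAN project code: override user_list's auth function.
# RestrictUserListPlugin, the sample user names and is_authorized() below are
# assumptions constructed for this example.

try:
    import ckan.plugins as plugins
except ImportError:  # not running inside CKAN: the plugin class is skipped
    plugins = None


def user_list(context, data_dict):
    """Auth function for the user_list action: deny everyone.

    CKAN's authorization layer grants sysadmins access before an auth
    function is consulted (unless it is decorated with
    toolkit.auth_sysadmins_check), so an unconditional deny here makes
    user_list sysadmin-only.
    """
    return {'success': False, 'msg': 'Only sysadmins may list users'}


def user_list_logged_in_only(context, data_dict):
    """Softer variant: any logged-in user may list users, anonymous may not.

    CKAN puts the calling user's name in context['user']; it is empty or
    absent for anonymous requests.
    """
    if context.get('user'):
        return {'success': True}
    return {'success': False, 'msg': 'Log in to list users'}


if plugins is not None:
    class RestrictUserListPlugin(plugins.SingletonPlugin):
        """Registers the override. Expose the class via the ckan.plugins
        entry point in the extension's setup.py, then add its name to
        ckan.plugins in the CKAN .ini file."""
        plugins.implements(plugins.IAuthFunctions)

        def get_auth_functions(self):
            return {'user_list': user_list}


# --- Offline stand-in for CKAN's authorization check (constructed model) ---

def is_authorized(auth_functions, action, context, data_dict=None,
                  sysadmins=frozenset()):
    """Simplified model of ckan.authz.is_authorized, written for this example.

    Sysadmins are granted access without the auth function running, unless
    the function carries the auth_sysadmins_check attribute; every other
    caller is decided by the registered auth function.
    """
    func = auth_functions[action]
    user = context.get('user') or ''
    if user in sysadmins and not getattr(func, 'auth_sysadmins_check', False):
        return {'success': True}
    return func(context, data_dict or {})


def check_policy(auth_func):
    """Evaluate an auth function for anonymous, member and sysadmin callers.

    Returns a dict of caller kind -> allowed (bool). The user names are
    constructed sample data.
    """
    funcs = {'user_list': auth_func}
    admins = frozenset({'alice'})
    callers = {'anonymous': '', 'member': 'bob', 'sysadmin': 'alice'}
    return {
        who: is_authorized(funcs, 'user_list', {'user': name},
                           sysadmins=admins)['success']
        for who, name in callers.items()
    }


if __name__ == '__main__':
    print('sysadmin-only :', check_policy(user_list))
    print('logged-in-only:', check_policy(user_list_logged_in_only))
```

Once the plugin is enabled, an anonymous `curl -s https://<portal>/api/3/action/user_list` should come back with HTTP 403 and an `"Authorization Error"` body instead of the user list; that is the check worth scripting against the installations Andy mentions. On CKAN 2.8 the config-level equivalent of the logged-in-only variant is `ckan.auth.public_user_details = false`.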