Grid Security Vulnerability Group - Advisory

Topic: Users in the LCAS ban file may still access dCache
Date: 2009-05-12, updated 2010-03-08
ID: Grid Vulnerability Savannah bug #45207

Background

dCache is one of the Mass Storage systems commonly used in EGEE production environments. The dCache project provides a system for storing and retrieving huge amounts of data, distributed among a large number of heterogeneous server nodes, under a single virtual filesystem tree with a variety of standard access methods [1]. Storage Resource Managers (SRMs), named after their web services protocol, provide the technology needed to manage the rapidly growing distributed data volumes that result from faster and larger computational facilities [2].

Vulnerability Details

dCache does not check the LCAS ban file, so some administrators may think they have banned a user who in fact still has access to dCache.

Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group, in discussion with the dCache team, does not think many site administrators expect dCache to be integrated with the LCAS ban list. However, we decided to produce an advisory, for information, stating that the LCAS ban list is not checked by dCache.

Other information

There is no plan to modify dCache to check the LCAS banning list. Blacklisting can be done by dCache internal mechanisms. For more information please check the "Book" from www.dcache.org or ask for advice from support@dcache.org. There is a plan to use a central banning list as part of Argus, the EGEE authorization service [3].

Credit

This vulnerability arose from various e-mail discussions on dCache, where someone expected that if they banned a user in LCAS the user would also be banned in dCache.

Disclosure Timeline (yyyy-mm-dd)

2006-02-09  Vulnerability entered as part of a multiple-issue vulnerability after an e-mail discussion.
2008-12-10  Vulnerability separated from multiple-issue vulnerability 14923 on request of the developers.
2010-03-08  Public disclosure, for information, as the issue will not be fixed.

References

[1] http://www.dcache.org/
[2] https://sdm.lbl.gov/srm-wg/doc/SRM.v2.2.html
[3] https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
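Because dCache never consults the LCAS ban file, a site that bans a DN only there leaves that DN mapped in dCache. The following audit script, an added example and not part of the advisory or of dCache/LCAS, cross-checks the two files to list DNs that are banned in LCAS but still mapped by a dCache grid-mapfile; it assumes the one-quoted-DN-per-line layout of an LCAS ban file and the "DN account" layout of a grid-mapfile, and the sample contents are constructed.

```python
"""Audit helper: report DNs banned in an LCAS ban file that a dCache
grid-mapfile would still map to a local account (added example; the
file layouts are assumptions and the sample contents are constructed)."""
import shlex

# Constructed sample LCAS ban file (ban_users.db): one quoted DN per line,
# '#' starts a comment.
LCAS_BAN_FILE = '''# users banned at this site
"/C=XX/O=ExampleGrid/OU=users/CN=Alice Example"
"/C=XX/O=ExampleGrid/OU=users/CN=Bob Example"
'''

# Constructed sample dCache grid-mapfile: "DN" local-account per line.
GRID_MAPFILE = '''"/C=XX/O=ExampleGrid/OU=users/CN=Alice Example" atlas001
"/C=XX/O=ExampleGrid/OU=users/CN=Carol Example" atlas002
"/C=XX/O=ExampleGrid/OU=users/CN=Bob Example" cms001
'''


def _entries(text):
    """Yield the shell-style tokens of each non-empty, non-comment line.
    shlex keeps a quoted DN containing spaces as a single token."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        yield shlex.split(line)


def parse_lcas_ban_file(text):
    """Return the set of DNs listed in an LCAS ban file."""
    return {tokens[0] for tokens in _entries(text) if tokens}


def parse_grid_mapfile(text):
    """Return a dict DN -> local account from a grid-mapfile."""
    return {tokens[0]: tokens[1] for tokens in _entries(text) if len(tokens) >= 2}


def banned_but_still_mapped(ban_text, mapfile_text):
    """DNs the site believes it banned via LCAS but that dCache would still
    map to an account, since dCache does not read the LCAS ban file."""
    banned = parse_lcas_ban_file(ban_text)
    mapping = parse_grid_mapfile(mapfile_text)
    return {dn: mapping[dn] for dn in sorted(banned) if dn in mapping}


if __name__ == "__main__":
    for dn, account in banned_but_still_mapped(LCAS_BAN_FILE, GRID_MAPFILE).items():
        print(f"banned in LCAS but still mapped by dCache: {dn} -> {account}")
```

Any DN the script reports should additionally be blacklisted with dCache's own mechanism (see the dCache Book), since the LCAS entry alone does not block it.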