Bring2mind Forums

Repository Location - Not Secure
Last Post 08/04/2008 4:14 PM by Rob Ralston. 4 Replies.
lprager
New Member
Posts:30
07/29/2008 6:42 PM

The Repository Location is set once for the portal and affects all modules in the portal.

It can be set by the portal Administrator; however, I do not see any way to restrict setting the Repository Location to the Host (SuperUser).

Since it can point to any directory, the Admin can circumvent security by pointing to a directory that is used for another portal or even a system directory. On a hosted implementation this could allow a single portal administrator to bring down the whole server. Take the following example:

Repository Location = C:\Windows
Change Extensions = False
Now upload a replacement for any of the Windows system files, for example, ntkrnlpa.exe!

Restricting Repository Location to SuperUsers only (or at least an option to restrict it) will prevent portal Admins from bypassing security on a server that hosts multiple portals.

(Likewise, there should be a way to restrict WebDAV permissions to SuperUsers only.)

Peter Donker
Veteran Member
Posts:4536
07/30/2008 7:13 PM
Hi Lance,

This is not entirely correct. Yes, the admin can point to another location on the server, but:
1. The worker process will need to be granted access to that location. So setting it to C:\Windows will make the module useless as it cannot store anything anymore.
2. The files are rehashed and will never overwrite any existing content. So as admin you could potentially point your DMX repository to the portal directory of someone else, but no one would notice. As your documents are stored as 'file20080730120000_sgzTgfc.resources' or whatever it will (1) never be served out by IIS directly and (2) it will not be recognizable. At most you could annoy another portal with a bunch of files that are not downloadable. As you point out you can switch off extension renaming but all you'll achieve is that your files become downloadable.

I'll see if we can make a few more restrictions on the repository location as you suggest, but as far as I can see there is not the security issue you fear, here.

Peter
lprager
New Member
Posts:30
07/30/2008 7:48 PM

OK, so an admin cannot corrupt the C:\Windows directory, but they certainly can put files in the folder for a different portal.

And if Change Extensions is False there is no hashing. So if both portals had a file like Readme.txt, wouldn't one portal's upload clobber another?

Lance

Peter Donker
Veteran Member
Posts:4536
08/01/2008 11:49 AM
Hi Lance,
No, that is not possible. The filename is still hashed despite the extension remaining original and checked to not overwrite another file.
Peter
Rob Ralston
Basic Member
Posts:164
08/04/2008 4:14 PM

Hi Lance,

Since it sounds like you are concerned with portal security, you may also want to consider running all IIS sites in Medium Trust, rather than Full Trust (which is the default). If each web site also uses its own worker process account (typically a low level Domain account), sites are well protected from each other.

Medium Trust does introduce its own challenges. For example, the Lucene search provider for DMX will not work, so you must use Index Service and can't rename extensions. But with the appropriate settings, you can even move the DMX repository to another drive or UNC path so files are not accessible anonymously.

If security is a compelling issue, Medium Trust makes a lot of sense, but should be investigated and tested first.

Rob Ralston
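
An added illustration, not part of the thread and not DMX or DotNetNuke code: one way an ASP.NET module could implement the two controls discussed above, confining a configured repository location to the portal's own folder (the restriction Lance asks for) and storing uploads under a random name with create-new semantics so an existing file is never overwritten (the behaviour Peter describes). The class name, method names and sample paths are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
// Added illustration with hypothetical names; not DMX or DotNetNuke code.
public static class RepositoryGuard
{
    // True only if 'requested' resolves to 'portalRoot' or a folder beneath it.
    public static bool IsInsidePortalRoot(string portalRoot, string requested)
    {
        // GetFullPath collapses "..", "." and relative segments before comparing.
        string root = Path.GetFullPath(portalRoot).TrimEnd('\\', '/') + "\\";
        string full = Path.GetFullPath(requested).TrimEnd('\\', '/') + "\\";
        // The trailing separator stops C:\Portals\10 from matching C:\Portals\1.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }

    // Writes content under a random name and never replaces an existing file.
    public static string StoreUpload(string repository, string originalName, byte[] content)
    {
        string ext = Path.GetExtension(originalName); // extension kept, name randomised
        byte[] rnd = new byte[8];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int attempt = 0; attempt < 5; attempt++)
            {
                rng.GetBytes(rnd);
                string name = "file_" + BitConverter.ToString(rnd).Replace("-", "") + ext;
                string path = Path.Combine(repository, name);
                try
                {
                    // FileMode.CreateNew throws IOException if the file already exists.
                    using (var fs = new FileStream(path, FileMode.CreateNew, FileAccess.Write))
                        fs.Write(content, 0, content.Length);
                    return path;
                }
                catch (IOException) when (File.Exists(path)) { } // name taken: retry
            }
        }
        throw new IOException("Could not allocate a unique file name.");
    }

    public static void Main()
    {
        // Constructed sample paths for a Windows host.
        Console.WriteLine(IsInsidePortalRoot(@"C:\Portals\1", @"C:\Portals\1\DMX"));
        Console.WriteLine(IsInsidePortalRoot(@"C:\Portals\1", @"C:\Portals\1\..\2"));
        Console.WriteLine(IsInsidePortalRoot(@"C:\Portals\1", @"C:\Windows"));
    }
}
```

Path.GetFullPath does not resolve junctions or symbolic links, so NTFS permissions on each site's worker process account remain the backstop behind a check like this.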