I manage numerous Drupal sites, and have run into a kink in my procedure that I'd imagine many others share. Many people have their sites notify them whenever a security update applies to them, and promptly install that security update. Generally that's a good practice, and leads to relatively stable and secure sites.
The problem with that approach, however, is that it leads to installing far more updates than what is needed. Most security updates are accompanied by a disclaimer that 'Vulnerability X is mitigated by the fact that a user needs Y permission to exploit it.' In my experience, most of the time Y permission only applies to trusted administrators anyway, and the update is unneeded. I save my clients money by avoiding installing, testing, and deploying those updates -- or at least waiting until there are a few of them and doing them all at once.
Unfortunately, since I like to have my sites email when a security update is needed, the result is that I am deluged by emails from sites that have unneeded security patches. I'm afraid that I will one day miss an important security notification in the flood of unimportant ones.
My idea for a new module (or possibly just a new feature of http://drupal.org/project/update_advanced), is to allow for role-based security notifications. The way it would work is as follows:
- An administrator specifies which roles are 'untrusted.'
- When a security advisory is posted, the module would look at the advisory and see if it is mitigated by the need for a certain permission. That information is already part of the security post, but we may need help from drupal.org to serialize that data so it can be easily read by the module.
- Now that the module has the permission ID from the security advisory, it can check whether or not any 'untrusted' users have that permission.
- If an untrusted role has the permission needed to exploit the vulnerability, or if the vulnerability is not mitigated by the need for a specific permission, then the module would send out an 'update needed' email as usual. If not, no email is sent.
I can dedicate some time to creating this module. I could also probably get some help from others in my company. That said, we'd probably need some guidance from people more familiar with Drupal security practices. Anyone else think they could benefit from this kind of module? Anyone want to help develop it? Perhaps most importantly -- how could I go about getting serialized information about the permissions needed to exploit a vulnerability, as mentioned in step #2?
Best,
-Ezra
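A stand-alone model of the four-step check proposed above, added here as an example (it is not code from the original post or from any Drupal module). Role and permission names follow Drupal's conventions; the Advisory record and the SA-EXAMPLE ids are hypothetical placeholders for the serialized advisory data the post asks drupal.org to provide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """Hypothetical serialized advisory record, not drupal.org's real format."""
    sa_id: str
    project: str
    # Permissions an attacker needs (any one suffices). An empty tuple means
    # the issue is not mitigated by any permission.
    mitigating_permissions: tuple = ()

# Constructed sample site: role -> granted permissions (Drupal permission names).
SITE_ROLE_PERMISSIONS = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "post comments"},
    "editor": {"access content", "post comments", "edit any article content"},
    "administrator": {"access content", "post comments", "administer nodes",
                      "administer users", "edit any article content"},
}
# Step 1 of the proposal: the administrator marks these roles as untrusted.
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}

# Constructed advisories with placeholder ids (step 2 would parse real ones).
ADVISORIES = [
    Advisory("SA-EXAMPLE-001", "views", ("administer nodes",)),
    Advisory("SA-EXAMPLE-002", "comment", ("post comments",)),
    Advisory("SA-EXAMPLE-003", "core"),  # no permission gate at all
    Advisory("SA-EXAMPLE-004", "media", ("administer users", "edit any article content")),
]

def exposed_untrusted_roles(advisory, role_permissions, untrusted_roles):
    """Step 3: untrusted roles holding any permission the advisory lists."""
    return {role for perm in advisory.mitigating_permissions
            for role, perms in role_permissions.items()
            if perm in perms and role in untrusted_roles}

def needs_notification(advisory, role_permissions, untrusted_roles):
    """Step 4: notify unless every listed permission is held only by trusted roles."""
    if not advisory.mitigating_permissions:
        return True  # unmitigated vulnerability: always notify
    return bool(exposed_untrusted_roles(advisory, role_permissions, untrusted_roles))

def triage(advisories, role_permissions, untrusted_roles):
    """Advisory id -> whether an 'update needed' email should go out; re-run on permission changes."""
    return {a.sa_id: needs_notification(a, role_permissions, untrusted_roles)
            for a in advisories}
```

Because the decision depends on the site's current grants, the triage has to be re-evaluated whenever a role gains a permission, otherwise an advisory filtered out today can silently become relevant later.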
Comments
core issues on this
I think this is a good place for discussion on this approach though unfortunately there hasn't been any :( I encourage you to propose this at http://drupal.org/node/1094018