Files Handling Security Issue

Howdy forum

I am writing because I have a concern about how ERPNext handles files at rest on the server. There are two aspects that I am concerned with. The first I started here with a conversation on how to set the default file handling to private, instead of public on document attachments

This needs to be addressed because most users are not going to ensure that every file is set to private before attaching. I am having to go through my system every other day and fix these issues by hand. ERP holds and manages A LOT of sensitive information for our business (and I assume everyone else’s business that uses the platform). There are many elements to what can be in an attachment and the majority of it can be sensitive to operations. Having files be public by default means that anyone can browse the file repository with a simple wget script against your URL. Not good…

My next concern has to do with the files on the server itself. These are not protected at all. If a person was able to gain access to the server, they will be able to see every file, even the private ones since they are simply dropped to the file system. Out of the box, the sites/[site name] directory has read and execute permissions for “other”. Here is an example of the private and public folders on my production site.

drwxr-xr-x 4 erpnext erpnext 4096 Oct 19  2016 private
drwxr-xr-x 3 erpnext erpnext 4096 Oct 19  2016 public

This means that ANY USER, even a non-root user can access the files!

Moving into the private/files and private/backups directories does improve things a little. The default permission is 644 (-rw-r--r--). But this does mean that anyone can read the files!

So, there are some suggestions I would like to make and see what others think as well.

First - change the file permissions so that only the erpnext user has any rights. This means that at sites, the permissions would be 600 (-rw-------) for all files and 700 (drwx------) for directories. Bench should be changed to ensure that these permissions are enforced every time bench is run (no matter the command given).

This will probably require a change in the nginx.conf file, but I am not sure. Once I can get my dev environment fixed (Error in update to latest 8.0.29) I will look into this and document any changes needed.

Second - ERPNext should be configured to encrypt all data at rest. This includes the database, tables and all data as well as ALL files on the filesystem, especially the files in the private directory, which includes backups as well as the regular private document attachments. However, public files could use the treatment as well and the frappe framework would be the “thing” that determines security on the file before allowing a browser to see it and not the web server.

I realize that what I am asking is a lot, especially of the foundation and the development team. However, in our highly interconnected world, security for platforms such as ERPNext needs to be very high on the list.

I look forward to your thoughts.
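A small audit-and-tighten script for the 600/700 scheme proposed above, added here as an example; it is not from the post, bench or frappe. The sites/<site> tree it builds is constructed to mirror the listing in the post, and the function names are my own.

```shell
#!/bin/sh
# Added example: find entries under a sites/<site> tree that are readable or
# executable by "group" or "other", then tighten them to 600 (files) and
# 700 (directories). Assumes GNU find (the -perm /mode form).

# List every file or directory under $1 with any group/other permission bit set.
find_exposed() {
    find "$1" \( -type f -perm /077 \) -o \( -type d -perm /077 \)
}

# Number of exposed entries; 0 means the tree already matches 600/700.
count_exposed() {
    find_exposed "$1" | wc -l | tr -d ' '
}

# Tighten the tree in place and print how many entries are still exposed.
harden_tree() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
    count_exposed "$1"
}

# Build a constructed sample site with the default 755/644 modes from the post.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/private/files" "$site/private/backups" "$site/public/files"
    printf 'invoice\n' > "$site/private/files/invoice.pdf"
    printf 'dump\n'    > "$site/private/backups/db.sql.gz"
    printf 'logo\n'    > "$site/public/files/logo.png"
    chmod 755 "$site/private" "$site/public" \
              "$site/private/files" "$site/private/backups" "$site/public/files"
    chmod 644 "$site/private/files/invoice.pdf" \
              "$site/private/backups/db.sql.gz" "$site/public/files/logo.png"
    echo "$site"
}
```

Run `count_exposed sites/<site>` as a read-only check before `harden_tree`; with 600/700 in place, the web server can only serve sites/<site>/public if it runs as the same user that owns the files.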


Hi @James_Robertson,
I completely agree with your analysis and requirements to improve ERPNext’s file security.

+1


Thanks. One thing that occurred to me since I posted the original. It might be easiest to move the files into the database as BLOBs. This would remove them from the file system and make backups/restores easier. Then all you have to do is encrypt the database. Then the frappe framework would do all the heavy lifting, so to speak, to serve the files requested. You gain all the advantages of the database and rich security model in frappe along with the ease of maintaining data at rest as well.


Storing private files and attachments as BLOBs is a great suggestion. Seen this done with other commercial ERPs.

I opened a git issue for this
https://github.com/frappe/erpnext/issues/9014


@James_Robertson I completely agree with you… I think this should be part of the road map for the next major version.

Thanks @JoEz. I can appreciate that what I am asking for is not simple. If the foundation can figure this out though as part of a future road map item that would be huge from a platform security perspective.

Isn’t there a danger that in this case the database will increase a bit?
I mean, all the unnecessary mail attachments will fill up a lot of space, won’t they?

Just to be clear… I’m speaking personally, not in any way in the name of the foundation… I agree about increasing security…

@James_Robertson, it seems like this is not getting enough traction from the ERPNext team, because it’s been almost 2 years and the Git issue is still open and has not been assigned to anyone. Any updates on your personal efforts?

Yes. I honestly left ERPNext over a year ago because the devs were more worried about fancy stuff and not concentrating on core functionality. Base accounting never worked right.

Exactly. What alternatives are you working on now? I don’t see a better open source ERP in features.

Same problem… Many (all) have this problem, because an ERP without basic file security is a really big risk. I try to manage files outside the ERP with an authenticated link to a managed file system (like SharePoint), but I think this is an urgent fix option. There are almost 5 solutions to this from other users. Just the developers have the final decision if they want a secured file system option.

Now in V12.7 I cannot access private files even if I have the System Manager role!
How can I fix this problem?

Maybe the files have bad access rights.

Or

This is the issue

Hope it helps.