Security | Marcus Povey

This is just a quick post to introduce a pair of functions I wrote today while working on some of the Elgg 1.0 access control code.

Namely, call_gatekeeper($function, $file = "") and callpath_gatekeeper($path, $include_subdirs = true), both of which return a boolean value.

call_gatekeeper()

This function tests to see whether it has the given method/function (optionally also test that it is defined in a specified file) exists on the call stack.

The function will return true if the called by the named function (or its parent was called by the named function).

Here is an example of its usage:

function my_secure_function() { if (!call_gatekeeper("my_call_function")) return false; ... do secure stuff ... }

function my_call_function() { // will work my_secure_function(); }

function bad_function() { // Will not work my_secure_function(); }

To specify a method instead of a function, pass an array to $function containing the classname and method name.

callpath_gatekeeper()

This function is similar to call_gatekeeper() but returns true if it is being called by a method or function which has been defined on a given path or by a specified file.

The function accepts two parameters:

$path, which is either the full path of the desired file or a partial path. If a partial path is given and $include_subdirs is true, then the function will return true if called by any function in or below the specified path.

While I do believe some of the analogies to be somewhat erroneous, I find myself broadly agreeing with the points raised in this article about current security practices.

We in the industry often find ourselves focusing on the more technical issues – patches, penetration testing etc. These fall well within the IT department’s sphere of understanding. They are sexy issues.

Certainly more interesting than matters of staff training, but as the article points out this is likely to be a much bigger win than ensuring everyone is using 28 character passwords or that company computers get patches the second they are available.

“Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?”

I am a big fan of the “strength in depth” approach to IT security and I believe that one should never rely too much on one technique. It doesn’t hurt to lock things down – decent passwords are certainly not going to do any harm – but I agree the big hits are probably going to be elsewhere.

However all the fancy security software in the world is not going to stop untrained staff doing something ‘unfortunate’ like sending the bank details of 25 million people through the post on two unencrypted CDs.

Crucially, for real security I think one should plan for failure and make sure that it is not the end of the world if something does happen. Backups, encrypting confidential data, as well as ensuring you have a firewall set up and configure correctly are all parts of a consolidated defence.

In short. Make sure your doors and windows are locked, but keep valuables out of sight and make sure you’ve taken out an insurance policy… and tell your flatmate not to let dodgy masked men with “swag” written on a sack wander around your apartment.

Marcus Povey

Time, Space, and Plexiglas

Tag Archives: Security

Elgg 1.0 gatekeeper functions

Most current IT security practices are a waste of time