Security in Alfresco files

omkar
Champ in-the-making
Hi,

I am currently using Alfresco Community version 4.2 and have observed one potential security concern. When a file is uploaded in Alfresco, it gets uploaded to the 'contentstore' in a date-wise folder structure. Thus, when I uploaded a '.png' image today (04-Apr-2016) it got saved in the folder "alf_data/contentstore/2016/4/4/13/40/c431a2e1-f90f-49be-ab7b-b70a7544cac9.bin". When I physically go to this location, download the '.bin' file and open it, I can see the file contents as they are. Moreover, if the extension is changed to '.png', the file opens properly as an image file, and thus a user is able to see and modify all the data at the back end. Sometimes, as an IT service provider, we do have to give the credentials of the Admin user in Alfresco to our customer and they can modify the data. This appears to be a major security concern. Can someone suggest a solution for this in the Community version itself?

Regards,
   Omkar
1 REPLY

afaust
Legendary Innovator
Hello,

This is only a security issue for specific use cases and can be easily dealt with. The Alfresco system supports configuration of how / where Alfresco stores its content, and you could always set up storage in a way that a normal (admin) user has access to the Alfresco system but not access to the actual content store, using either filesystem-level permissions or different storage mechanisms (i.e. store content in a content addressed storage (CAS) system). See "Setting up ContentStores" (http://docs.alfresco.com/5.1/concepts/manage-cs-home.html) from the (Enterprise) documentation, which also applies to Community except that the actual content store implementations may not be available in Community (but can be implemented and plugged in by any Java developer).

Regards
Axel
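
The filesystem-level restriction described in the reply above, as an added example that is not part of the original thread: a POSIX shell audit that lists content store paths reachable by any account other than the owner, plus a function that tightens them. The `CONTENTSTORE` and `SERVICE_USER` variables and the `alfresco` account name are assumptions; substitute the account that actually runs Alfresco.

```shell
#!/bin/sh
# Added example (not from the thread): audit an Alfresco content store so that
# only the account running Alfresco can reach the stored .bin files.
# Assumptions: CONTENTSTORE and SERVICE_USER are hypothetical variable names;
# the service account name "alfresco" is a placeholder for your own.

# List paths under $1 that grant any permission bit to group or other.
audit_contentstore() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# List paths under $1 that are not owned by user $2 (name or numeric uid).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Restrict directories to owner-only traversal and files to owner-only access.
# With the top directory at 0700, other local accounts cannot walk the
# date-based tree (year/month/day/hour/minute) to reach a .bin file.
harden_contentstore() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Report only; hardening is a separate, deliberate step.
# Usage: CONTENTSTORE=/path/to/alf_data/contentstore SERVICE_USER=alfresco sh audit.sh
if [ -n "${CONTENTSTORE:-}" ]; then
    exposed=$(audit_contentstore "$CONTENTSTORE")
    foreign=$(foreign_owned "$CONTENTSTORE" "${SERVICE_USER:-alfresco}")
    if [ -n "$exposed" ]; then
        echo "Accessible to group/other:"
        echo "$exposed"
    fi
    if [ -n "$foreign" ]; then
        echo "Not owned by ${SERVICE_USER:-alfresco}:"
        echo "$foreign"
    fi
    if [ -z "$exposed$foreign" ]; then
        echo "Content store is restricted to its owner."
    fi
fi
```

Running the Alfresco service with `umask 077` keeps newly written content files under the same restriction. Neither step limits root or the service account itself.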