disabling standard mode security problems

Hi All,

We are using Qlik Sense and wanted to know if there are any major security issues we should be aware of if we want to enable legacy mode, so that we can run the 'Execute' command in load scripts.

Requirement:

We have a pre-caching app which is C# code and bundled as a .exe.

We want to run this after the data load happens so that the apps are pre-cached.

To execute this we need to enable the legacy mode.

According to the article: http://help.qlik.com/en-US/sense/June2017/Subsystems/Hub/Content/LoadData/disable-standard-mode.htm

it may create a security risk by exposing the file system.

Will this cause any major issues? Is this going to expose the filesystem only for Qlik data load scripts?

Thanks,

Salman

7 Replies
Anonymous (Author)

As far as I am aware it only exposes the filesystem for Qlik data load scripts...

...but I am no expert on Qlik internals and would love to hear a definitive answer from someone who is.

Anonymous (Author)

Interesting question. mto perhaps Michael Tarallo can weigh in here.

Regards, Sara

Michael_Tarallo
Employee

Hi Guys

If your load scripts are protected from malicious eyes you should have nothing to worry about. We need to put that disclaimer in there because when you disable standard mode - the full path is exposed in the load script - so instead of seeing:

LIB/myfile.xls

You would see:

c:\myfolder\myfile.xls

NOTE that you would still need permissions from Windows to allow the appropriate access to perform read and write operations.

So in other words - there is nothing malicious that could take advantage by disabling standard mode.

Hope this helps.


Regards,

Michael Tarallo (@mtarallo) | Twitter

Qlik

Miguel_Angel_Baeyens

In addition to what Michael said, LIBraries appear in the QMC and can be governed, i.e. users can be granted access to them, or that access can be revoked or disabled. When the script uses the full path and that path changes, it is up to the developer to update the connection manually in the script; it is also not reusable by other applications, so it must be specified manually again in the script of each of those apps.

This does not imply any security risk per se, but a maintenance effort to bear in mind.

Last but not least, the script in Qlik Sense cannot be hidden as of the Sep 2017 version (there are other ways of protecting it). In our case, most of the script is hidden in QlikView apps, using $(Include=) and similar approaches to completely separate development from administration, and scripts in QlikView can be reused in Qlik Sense. This may not be your case, but it is worth exploring, too.

I'm also using JMeter to cache-warm some apps, but I use Windows Scheduler task calls instead of the Execute statement, for the reasons above among others.

stevedark
Partner Ambassador/MVP

Hi Michael,

Surely the issue, though, is that the service account running the Qlik services must have access to everywhere on the file system that any application can load data from.

If Standard Mode is turned off then any user who has the ability to edit a load script can load from or write to any location on the file system that the service account can see (as they effectively inherit the service account's permissions).

It would be straightforward for a user to do a for each vFile in FileList('c:\') and then the same for FolderList to get a complete list of files in the file system, from which they can then load. As well as loading from it, they can also write to it, causing damage and injecting data into apps.

With Standard Mode on you can choose whether or not users can create connections, or just consume existing governed connections. Without it they don't need to use connections and libraries at all.

If you are in a situation where anyone who has permission to write a load script should be able to see the whole file system then all is well. If, on the other hand, you have users who need to be able to write load scripts but should only be able to see their own files, you have a problem.

I'm torn on this topic, as I often need to disable standard mode for clients to be able to do things with the REST connector and/or Qlik Web Connectors, but I am all too aware of the potential pitfalls.

I know chrisbrain has some thoughts on this topic also...

Steve

chrisbrain
Partner - Specialist II

Our interest in this topic was primarily because standard mode also has the effect of preventing you from building http request paths at script runtime so limiting the flexibility of the Qlik Web Connectors. I can see the issue though - presumably you could configure the service account running the Qlik Service to have limited access to the file system.

beeido.com - BI | Software | Qlik Integration Services
GitFirst - A CI/CD solution for Qlik Sense
stevedark
Partner Ambassador/MVP

Hi Chris, the issue is that the service account needs to have access to all data that it needs to reload through the task scheduler. This means that you can't give a user access to only part of that data, if Standard Mode is disabled. The method for doing this with Security Groups on connections is very elegant, but can be effectively circumnavigated if a non-lib load is performed.
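A defender-side check prompted by Steve's point that a non-lib load or an Execute statement sidesteps the governed connections: an added Python example, not code from Qlik or from anyone in this thread, that scans a load script for the constructs that only work with standard mode disabled (Execute, absolute or UNC paths instead of lib://, FileList/FolderList on raw paths). The rule patterns and the sample script are constructed for illustration and do not cover every script syntax.

```python
import re

# Constructs that only work once standard mode is disabled, as described in
# the thread: Execute statements, absolute/UNC file paths instead of lib://
# paths, and FileList/FolderList enumeration of the raw file system.
ABS_PATH = r"(?:[A-Za-z]:\\|\\\\)[^'\"\]\s;]*"  # drive-letter or UNC prefix
RULES = [
    ("execute", re.compile(r"^\s*execute\b", re.I)),
    ("abs-path", re.compile(
        r"(?:from|into|include=|filelist\(|folderlist\()\s*\[?'?" + ABS_PATH,
        re.I)),
]


def audit_script(script: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, line) for each construct that
    bypasses governed lib:// connections or runs an external program."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "REM ", "rem ")):  # skip line comments
            continue
        for name, pattern in RULES:
            if pattern.search(stripped):
                findings.append((n, name, stripped))
                break  # one finding per line is enough for a review
    return findings


# Constructed sample load script mixing governed and ungoverned access.
SAMPLE_SCRIPT = r"""// Constructed sample: this first line is a comment
LOAD * FROM [lib://DataFiles/sales.xlsx] (ooxml, embedded labels);
LOAD * FROM [c:\myfolder\myfile.xls] (biff, embedded labels);
STORE Sales INTO 'c:\exports\sales.qvd' (qvd);
$(Include=c:\scripts\common.qvs);
Execute c:\tools\precache.exe;
for each vFile in FileList('c:\')
  trace $(vFile);
next vFile
"""

if __name__ == "__main__":
    # Lines 3-7 of the sample are flagged; the lib:// load on line 2 is not.
    for n, rule, text in audit_script(SAMPLE_SCRIPT):
        print(f"line {n:>2} [{rule}] {text}")
```

Run it over exported .qvs files or the script text pulled from the apps you administer; every hit is a place where Steve's concern applies and a lib:// connection (or a scheduled task, as Miguel does) would restore governance.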