From: Andrew M. Kuchling <akuchlin@mems-exchange.org>
This leads on to a security-related issue, I think. DC staff have said in the past that Python code isn't stored in the database for security reasons. PythonMethods change this; someone who gets your manager password can create a Python method that makes a setuid copy of your shell or whatever. (Disclaimer: I haven't actually gotten around to trying out PythonMethods yet.)
The latest release of the PythonMethod Product has two kinds of PythonMethod: regular and XXX. A switch in the source code allows you to turn "XXXPythonMethod"s on and off, and they are off by default. XXXPMs are wild, unsafe, and unrestricted, with (lack of) security equivalent to External Methods. The only limit on them (under *nix, anyway) is that they're likely to be running as user "nobody". Regular PMs, on the other hand, are meant to be completely safe, and subject to all the same restrictions as DTML, although this goal has not yet been achieved. Any holes in regular PM security, however, only give improper access to Zope objects, *not* the system at large.
Question: Is there a way we can reconcile these two conflicting drives? If some solution can be found, then maybe PythonMethods could be added to the products that come with basic Zope. Suggestions?
The DC folks have started talking with me about this. I'm optimistic.
1) Perhaps PythonMethods could be enabled or disabled when you install Zope; if people are going to be using Zope over insecure links, and shouldn't be using PythonMethods, don't install them.
Substitute "XXXPythonMethods" for "PythonMethods", and I agree. Already done, too :-)
2) Perhaps they could use the rexec module or Zope's existing sandbox to run their code (but would the sandbox limit their usefulness? -- maybe not, if you take the attitude that serious Python code should still be in a product or ExternalMethod).
XXXPythonMethods should never be used on a system with untrusted clients, or which is accessed via an insecure link. People will anyway, of course, but they've been warned. Regular PMs with proxy roles and External Methods should be the norm. Cheers, Evan @ 4-am
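The regular-versus-XXX split discussed above comes down to whether stored Python source is executed through a sandbox or handed straight to the interpreter. The following is an added example written for this page; it is not code from the thread, from Zope, or from the PythonMethod product, and it does not reproduce Zope's own sandbox or the old rexec module. It assumes a toy convention in which a stored method assigns its output to a variable named `result`, and it uses constructed method bodies as input. It shows three executors: an unrestricted one (the "XXX" style), a naive one that only removes `__import__` from the builtins, and a restricted one that refuses imports and any underscore-prefixed name or attribute before compiling. The naive executor is included because it demonstrates the classic escape: with `__import__` gone, `import os` fails, but walking `().__class__.__bases__[0].__subclasses__()` still reaches the whole object graph, so stripping one builtin is not a sandbox.

```python
"""Illustrative restricted vs. unrestricted executors for stored Python bodies.

Added example, not Zope or PythonMethod code. The stored body is expected to
assign its output to a variable called `result` (toy convention for this page).
"""
import ast
import builtins


class RestrictionError(Exception):
    """Raised when a stored body uses something the restricted executor forbids."""


# Statements that have no business in a stored "regular" method: they reach
# the filesystem, the interpreter internals, or the caller's scope.
BLOCKED_NODES = (ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal)

# A deliberately small builtin whitelist. Note what is NOT here: getattr,
# setattr, vars, type, eval, exec, open, __import__. Any of those would let
# the body reach attributes at runtime without the AST ever seeing a dunder.
SAFE_BUILTINS = {
    "len": len, "range": range, "sum": sum, "min": min, "max": max,
    "sorted": sorted, "str": str, "int": int, "float": float,
    "list": list, "dict": dict, "tuple": tuple, "abs": abs,
}


def check_source(src):
    """Parse `src` and reject imports and underscore-prefixed names/attributes.

    Returns the AST so the caller compiles exactly what was checked (no TOCTOU
    between the check and the compile step).
    """
    tree = ast.parse(src, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, BLOCKED_NODES):
            raise RestrictionError("%s is not allowed" % type(node).__name__)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise RestrictionError("attribute %r is not allowed" % node.attr)
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise RestrictionError("name %r is not allowed" % node.id)
    return tree


def run_restricted(src, context):
    """The 'regular' style: AST-gated source, whitelisted builtins only."""
    tree = check_source(src)
    code = compile(tree, "<restricted-method>", "exec")
    namespace = {"__builtins__": dict(SAFE_BUILTINS), "context": context}
    exec(code, namespace)
    return namespace.get("result")


def run_naive(src, context):
    """Strips only __import__. Looks like a sandbox; is not one (see test)."""
    stripped = {k: v for k, v in vars(builtins).items() if k != "__import__"}
    namespace = {"__builtins__": stripped, "context": context}
    exec(src, namespace)
    return namespace.get("result")


def run_unrestricted(src, context):
    """The 'XXX' style: whatever the process user can do, the body can do."""
    namespace = {"context": context}
    exec(src, namespace)
    return namespace.get("result")


def classify(src):
    """Return 'restricted-ok' if the body passes the static check, else 'blocked'."""
    try:
        check_source(src)
    except RestrictionError:
        return "blocked"
    return "restricted-ok"


# Constructed sample bodies (not from the page).
BENIGN_BODY = "result = sum(context['hits']) * 2"
IMPORT_BODY = "import os\nresult = os.getcwd()"
ESCAPE_BODY = "result = ().__class__.__bases__[0].__subclasses__()"


if __name__ == "__main__":
    ctx = {"hits": [1, 2, 3]}
    print("restricted benign:", run_restricted(BENIGN_BODY, ctx))
    for body in (IMPORT_BODY, ESCAPE_BODY):
        print(repr(body), "->", classify(body))
    # The naive executor blocks the import but not the attribute walk.
    print("naive escape reaches", len(run_naive(ESCAPE_BODY, ctx)), "classes")
```

The static check is only half of a real sandbox: Zope-style restricted execution also installs runtime guards around attribute access and item access, because strings, format calls and whitelisted builtins can all turn into attribute lookups the parser never sees. The whitelist comment above lists the builtins that would silently reopen that door.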