That's all well and good, but users should be able to reasonably expect that their passwords be secure from prying administrators. Sure, an admin could brute force or guess a *nix password, but they aren't cleartext. The only easy way for an admin to get a user's passwd is to change it (never mind the 'su username' act).

Zope stores its data in a database, with a separate security system from the filesystem. These passwords should not be cleartext any more than you would select the cleartext option for your inituser or access file.

Troy

-----Original Message-----
From: Frank Tegtmeyer [mailto:fte@lightwerk.com]
Sent: Wednesday, June 06, 2001 8:26 AM
To: zope@zope.org
Subject: Re: [Zope] Major security flaw in Zope 2.3.2

On Wed, Jun 06, 2001 at 02:43:48PM +0200, Jerome Alet wrote:
> * make Data.fs and Data.fs.old only readable by a user every other user on the system can't run commands as.

Anyone out there who does *not* do that?

Regards, Frank

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )