On Thu, Mar 20, 2003 at 03:52:45PM -0500, Meehan, Francois wrote:
> Hi all,
> I want to implement localfs to give users remote access to their home directories. I want to create a localfs object per user. How can I secure this, so a given user can only see his own stuff and prevent the others from accessing it?
> Are roles the answer?
No. Localfs objects have to be readable (at least) by the userid that zope is running as. Zope should not be run as root, for a variety of good reasons. Presumably your users own their own files, and in a modern system, are probably in individual groups. This gives you two options; neither inherently secure. Either you can write some kind of suid root program to read/write the files, or you can put zope's groupid in the group of each individual user.

In either case, you are intentionally creating an agent that can bypass normal filesystem security. This means that this agent has to be simple, rock solid, and totally paranoid. It has to check that each user has the right to access the directory/file he is trying to access for the purpose that he is accessing it.

And this gets into tough policy decisions. Do you read /etc/passwd to determine the home directory of each user? Do you know how zope userids correspond to system userids? Where is this kept? Do you honor umask settings? Can you find them? Do you honor read bits, if you are using a suid root program, that is, can joe read a chmod 000 file in his own home directory? Then you implement the policy in your own code. Fun, eh?

Jim Penny
Francois
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
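As an added illustration (not code from the thread or from Zope) of the "simple, rock solid, and totally paranoid" check Jim describes: a privileged agent that decides, before touching anything, whether a request stays inside the user's home and whether the user's own permission bits allow it, even though the agent itself may run as root. The `SystemUser` record and the Zope-user-to-system-user mapping it stands for are assumptions; where that mapping lives is the policy question the reply leaves open.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemUser:
    # Constructed: the system identity a Zope user has been mapped to.
    uid: int
    gid: int
    groups: frozenset  # supplementary group ids
    home: str


def inside_home(user, rel_path):
    """True if rel_path (with symlinks resolved) stays under the user's home."""
    home = os.path.realpath(user.home)
    target = os.path.realpath(os.path.join(home, rel_path))
    return os.path.commonpath([home, target]) == home


def mode_permits(st_mode, st_uid, st_gid, user, want):
    """Classic rwx check for want in {"r","w","x"} against a file's stat fields.
    The agent may itself be root; this ignores that and honours the bits the
    user would see, so a chmod 000 file in joe's home stays unreadable."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if st_uid == user.uid:
        shift = 6            # owner triad
    elif st_gid == user.gid or st_gid in user.groups:
        shift = 3            # group triad
    else:
        shift = 0            # other triad
    return bool((st_mode >> shift) & bit)


def authorize(user, rel_path, want="r"):
    """Decide whether the agent may perform want on rel_path on behalf of
    user. Returns (allowed, reason) and denies on anything unexpected."""
    if not inside_home(user, rel_path):
        return False, "path escapes home directory"
    full = os.path.realpath(os.path.join(user.home, rel_path))
    try:
        st = os.stat(full)
    except OSError as exc:
        return False, f"cannot stat: {exc.strerror}"
    if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
        return False, "not a regular file or directory"
    if not mode_permits(st.st_mode, st.st_uid, st.st_gid, user, want):
        return False, f"mode bits deny '{want}'"
    return True, "ok"
```

The umask question from the reply is not handled here: a real agent creating files would still have to decide whose umask to apply.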