On Thu, 2002-11-07 at 18:44, Jerome Alet wrote:
> On Thu, Nov 07, 2002 at 04:10:12PM +0000, Florent Guillaume wrote:
> > I can't see the point of this. The whole point of having TTW python scripts is that they execute in a *restricted* environment, and thus pose no security problem. Your ZShellScripts are a gaping security hole: anyone gaining control of your Zope site (sniffing a password for instance) gains control of your whole machine.
> - Unix: runs in a "somewhat" restricted environment: in fact it runs as the user Zope is run as, which shouldn't be root (at least for me it's not root!). Your claim of someone gaining full control of my machine is uninformed, at best.
Ok, Unix is the one that poses a security problem. If the others are suitably restricted then ok, I have no beef with them. Basically the problem is that you may allow a remote hacker the use of local exploits instead of restricting him to remote exploits. And you don't need to be root to do damage (remove files or backups or logs, change configuration, kill Zope, all depending on the local machine).
> As said in a previous message, just forbid people to add or use "Shell (Unix)" objects if you're afraid, and still use the rest if you want, because the execution delegation facility allows some parts of the product to be used independently of the others.
That was not my point. One goal of the security restrictions in Zope is that if you're accessing Zope TTW and even if you succeed in becoming Manager (because the site is misconfigured or someone sniffed a Manager password), you can't do any damage outside of the part of the ZODB this Manager has access to. Providing a way to escape the ZODB or restricted code is very dangerous. Consider the whole point of External Methods: they allow access to unrestricted code, but the code has to be written on the filesystem, and not TTW. Mind you, it's probably helpful to some people, but I feel this departs strongly from the basic Zope security model and should be noted prominently. Consider for instance what XXXPythonScript requires:
In order to create or edit XXX Python Scripts, you have to set "ALL_YOUR_BASE_ARE_BELONG_TO" equal to "US".
Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
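The distinction the thread argues over, a through-the-web script that is checked and run inside a restricted environment versus a script that simply hands its contents to the interpreter (or the shell) with the privileges of the Zope process user, can be illustrated in a few lines. The following is an added example written for this page; it is not Zope's RestrictedPython and not code from the product under discussion. The allow list of builtins, the names treated as escape hatches, and the sample scripts are all assumptions made for the illustration.

```python
"""Toy illustration of restricted vs. unrestricted script execution.

Added example, not Zope code.  A restricted runner statically refuses
anything that reaches the filesystem, the process or interpreter
internals; an unrestricted runner executes whatever it is given with the
privileges of the current process user (the "Shell (Unix)" situation).
"""
import ast
import os

# Assumption: a deliberately small set of builtins a restricted script may use.
SAFE_BUILTINS = {
    "abs": abs, "len": len, "max": max, "min": min, "range": range,
    "sorted": sorted, "sum": sum, "str": str, "int": int,
    "list": list, "dict": dict,
}

# Assumption: names that give direct access to the interpreter or the OS.
FORBIDDEN_NAMES = {
    "eval", "exec", "compile", "open", "__import__",
    "getattr", "setattr", "delattr", "globals", "locals", "vars",
}


class RestrictionError(Exception):
    """Raised when a script tries something the restricted environment forbids."""


def check_restricted(source: str) -> None:
    """Static check: reject imports, underscore names/attributes and escape hatches."""
    tree = ast.parse(source, mode="exec")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise RestrictionError("imports are not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise RestrictionError(f"private attribute access: {node.attr}")
        if isinstance(node, ast.Name):
            if node.id.startswith("_") or node.id in FORBIDDEN_NAMES:
                raise RestrictionError(f"forbidden name: {node.id}")


def is_allowed(source: str) -> bool:
    """True if the restricted checker would let this script run."""
    try:
        check_restricted(source)
    except RestrictionError:
        return False
    return True


def run_restricted(source: str, **params):
    """Check the script, then run it with only SAFE_BUILTINS and the given params."""
    check_restricted(source)
    namespace = {"__builtins__": dict(SAFE_BUILTINS)}
    namespace.update(params)
    exec(compile(source, "<ttw-script>", "exec"), namespace)
    return namespace.get("result")


def run_unrestricted(source: str, **params):
    """No check, full builtins: whatever the script does, the process user does."""
    namespace = dict(params)
    exec(compile(source, "<shell-script>", "exec"), namespace)
    return namespace.get("result")


# Constructed sample scripts (assumptions for the illustration).
BENIGN = "result = sum(x for x in values if x % 2 == 0)"
SHELL_ESCAPE = "import os\nresult = os.system('id')"
INTROSPECTION = "result = ().__class__.__bases__[0].__subclasses__()"
BUILTIN_ESCAPE = "result = __import__('os').getcwd()"
OS_PROBE = "import os\nresult = os.getpid()"


def unrestricted_reaches_os() -> bool:
    """Show that the unrestricted path reaches the OS: it reads this process's pid."""
    return run_unrestricted(OS_PROBE) == os.getpid()


if __name__ == "__main__":
    print("benign restricted run:", run_restricted(BENIGN, values=[1, 2, 3, 4]))
    for name, script in [("shell", SHELL_ESCAPE), ("introspection", INTROSPECTION),
                         ("builtin", BUILTIN_ESCAPE)]:
        print(f"{name:>13} allowed by restricted checker:", is_allowed(script))
    print("unrestricted path reaches the OS:", unrestricted_reaches_os())
```

The point of the contrast is the one Florent makes: with the restricted runner, a Manager who sniffed a password can run the benign script and nothing else, while the unrestricted runner lets the same person do anything the Zope process user can do on the box, root or not. The caveat a practitioner should keep in mind is that a static allow list like this one is only an illustration of the principle; Python sandboxes built from name filtering alone have repeatedly been bypassed, and RestrictedPython goes further by rewriting attribute, item and assignment operations into guarded calls that are checked at run time.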