Michael Ekstrand wrote:
On Tuesday 27 July 2004 12:22, Vangelis Mihalopoulos wrote:
Well, I agree with you. But, still, using suid python scripts for half of my app is a problem... believe me, it will be much easier for someone to find a security flaw in my app than in Zope... :)
Another idea... don't know how worthy it is, feel free to shoot it down... (but I'd appreciate knowing what's wrong with it for my own education :-)).
What if you encapsulated your code that must run as root in some kind of daemon that listens locally only? Either network, and protected by a file, or maybe use a Unix domain socket or similar mechanism. Either use a proprietary protocol, or maybe have it serve up XML-RPC. Force all interaction between Zope and this code to use a defined interface. It would give you a place to do sanity checking on the commands being fed to the privileged code, and I would think it would provide some protection of the root code from a Zope compromise. To exploit your code, an attacker must first compromise Zope, and then figure out how to get your code to misbehave.
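The local privileged helper Michael sketches, written out as an added example that is not from this thread: a root-owned daemon on a Unix domain socket that exposes only an allow-listed XML-RPC interface and sanity-checks every argument before acting. The socket path, the service allow-list and the log directory are assumptions.

```python
# Added example (not from the thread): root-owned helper on a local Unix socket
# that exposes only an allow-listed XML-RPC interface with argument checks.
import os
import re
import socketserver
import xmlrpc.client

SOCKET_PATH = "/run/zope-helper.sock"    # assumed; owned root:zope, mode 0660
ALLOWED_SERVICES = {"nginx", "postfix"}  # assumed allow-list of service names
LOG_ROOT = "/var/log/myapp"              # assumed directory the helper may read

def restart_service(name):
    if name not in ALLOWED_SERVICES:
        raise ValueError("service not permitted: %r" % name)
    return "would restart %s" % name     # real code would run the init script

def read_log(filename):
    # A plain file name only: no '/' and no '..', so the caller cannot leave LOG_ROOT.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", filename) or ".." in filename:
        raise ValueError("bad log name: %r" % filename)
    return "would read %s" % os.path.join(LOG_ROOT, filename)

# The defined interface: each reachable method with the exact parameter types.
DISPATCH = {"restart_service": (restart_service, (str,)),
            "read_log": (read_log, (str,))}

def handle_call(payload):
    """Decode one XML-RPC request string and return the encoded response."""
    try:
        params, method = xmlrpc.client.loads(payload)
        func, types = DISPATCH[method]          # KeyError: method not exposed
        if len(params) != len(types) or any(
                type(p) is not t for p, t in zip(params, types)):
            raise ValueError("bad arguments for %s" % method)
        return xmlrpc.client.dumps((func(*params),), methodresponse=True)
    except Exception as exc:                    # never leak details to the caller
        fault = xmlrpc.client.Fault(1, "rejected: %s" % type(exc).__name__)
        return xmlrpc.client.dumps(fault, methodresponse=True)

class Handler(socketserver.StreamRequestHandler):
    def handle(self):   # one request per connection; client shuts down its write side
        self.wfile.write(handle_call(self.rfile.read().decode()).encode())

def serve():
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socketserver.UnixStreamServer(SOCKET_PATH, Handler) as srv:
        os.chmod(SOCKET_PATH, 0o660)           # only the socket's group may connect
        srv.serve_forever()
```

Zope would connect to the socket as a member of the helper's group and send one XML-RPC call per connection; anything outside DISPATCH, or with arguments that fail the checks, comes back as a fault without touching the system.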
Well, my code doesn't have to "misbehave" to cause damage... if Zope security is compromised, then the whole system is compromised, so I don't think your idea is applicable in my case. Nevertheless, what you propose is a nice architecture which could be used in other cases. For example, a "file manager" with root privileges doesn't have to be compromised. If one bypasses Zope security, he can do all the damage he wants :)