On Tuesday 27 July 2004 12:22, Vangelis Mihalopoulos wrote:
Well, I agree with you. But, still, using suid python scripts for half of my app is a problem... believe me, it will be much easier for someone to find a security flaw in my app than in Zope... :)
Another idea... don't know how worthy it is, feel free to shoot it down... (but I'd appreciate knowing what's wrong with it for my own education :-)).

What if you encapsulated your code that must run as root in some kind of daemon that listens locally only? Either network, and protected by a file, or maybe use a Unix domain socket or similar mechanism. Either use a proprietary protocol, or maybe have it serve up XML-RPC. Force all interaction between Zope and this code to use a defined interface.

It would give you a place to do sanity checking on the commands being fed to the privileged code, and I would think it would provide some protection of the root code from a Zope compromise. To exploit your code, an attacker must first compromise Zope, and then figure out how to get your code to misbehave.

Just my $0.02
-Michael