You can restrict access to LocalFS in the following ways:

- by restricting the permissions of the Zope process in the file system
- by restricting the permissions of Zope users in the LocalFS object
- by limiting the base path of the LocalFS object. No one should be able to access anything outside of the base path

I think in this case you would want to use method #3: don't create LocalFS objects that can access your restricted content. For example, if your directory structure is:

    /home/www
        /data
        /images
        /secure

You could create LocalFS objects with base paths:

    /home/www/data
    /home/www/images

Then /home/www/secure could not be accessed. Unfortunately, there is no way to create a LocalFS pointing to /home/www without giving it access to secure/. What you could do in that case is move the content up to /home/www-secure and configure Apache to serve that directory from the base path /secure.

Hope this helps,

--jfarr

"Perl is worse than Python because people wanted it worse." Larry Wall, 14 Oct 1998

----- Original Message -----
From: Alexandre A. Drummond Barroso <alexandre@intelligenesis.net>
To: <zope@zope.org>
Sent: Friday, May 12, 2000 4:33 PM
Subject: [Zope] Security problems with localFS and PCGI

When Zope is started as PCGI, it runs as the same user as the web server process (I'm using a variant of Apache).
So for every file the web server has access to, the localFS product has access too. But some areas of the web site are restricted areas (they must be accessed with authentication certificates).
If a content manager user can create localFS objects in Zope, the restricted content can be accessed.
Is there a way to configure Zope or localFS to limit access to files in the file system?
Thanks for any help.
Alexandre A. Drummond Barroso
Extranet Software Engineer
Intelligenesis Corp.
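
A sketch of the base-path confinement idea from the reply, added here as an example; it is not LocalFS's code and not part of the original thread. The function names and the temporary directory tree (mirroring the data/images/secure layout) are constructed for illustration.

```python
import os
import tempfile

def resolve_under_base(base_path, requested):
    """Return the real path of `requested` under `base_path`, or None if it escapes."""
    base = os.path.realpath(base_path)
    # Join, then resolve: "..", absolute paths and symlinks are all normalised
    # before the containment check, so none of them can step outside the base.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def build_sample_tree():
    """Constructed sample layout: www/{data,images,secure} in a temp directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    www = os.path.join(root, "www")
    for name in ("data", "images", "secure"):
        os.makedirs(os.path.join(www, name))
    with open(os.path.join(www, "data", "index.html"), "w") as fh:
        fh.write("public\n")
    with open(os.path.join(www, "secure", "report.txt"), "w") as fh:
        fh.write("restricted\n")
    # A symlink inside data/ that points at the restricted directory.
    os.symlink(os.path.join(www, "secure"), os.path.join(www, "data", "shortcut"))
    return www

def demo():
    www = build_sample_tree()
    data = os.path.join(www, "data")
    secret = os.path.join(www, "secure", "report.txt")
    return {
        # Base path limited to data/: only content below data/ resolves.
        "data_file": resolve_under_base(data, "index.html"),
        "dotdot": resolve_under_base(data, "../secure/report.txt"),
        "absolute": resolve_under_base(data, secret),
        "symlink": resolve_under_base(data, "shortcut/report.txt"),
        # Base path set to the parent: secure/ is inside it, so it is reachable.
        "wide_base": resolve_under_base(www, "secure/report.txt"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The last case is the limitation the reply points out: a base path at the parent directory contains secure/, so the check cannot exclude it.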