On 28 Jul 2004, Ken Manheimer wrote:
That's key, though. Your application is going to be a less attractive target for attacks than zope to the degree that it is a less prevalent application than zope. This doesn't mean that you shouldn't be careful to make your application secure - but it does mean that you have a lot more latitude than zope, the application, to provide for your special local-host security concerns.
I agree with you. But what if I am implementing a file manager? With capabilities like uploading/downloading any file in all filesystems? Even if I implement a privileged XML-RPC server which only listens for requests from the local host (from Zope, that is), I don't think security is tighter. If someone breaks into [the non-privileged] Zope, he can still use the privileged server to do as much harm as he pleases. I believe it comes down to what exactly the privileged actions are. If it is simply a very specific task that would not compromise the whole system's security, that model is a "must". But if the privileged actions are more generic, with the ability to harm the whole system, then running Zope as root is of no importance.

Thanks for your answer,
Vangelis
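The distinction Vangelis draws (a privileged localhost helper whose interface is generic versus one confined to a specific task) is shown below as an added example; it is not code from this thread or from Zope. It assumes a helper exposed over XML-RPC with `read_file`/`write_file` methods, an upload directory as the "specific task", and port 8099; all of those are made up for the illustration. The generic service hands a compromised caller the same reach as the privileged process itself, while the confined service canonicalises every path and refuses anything outside its root, so that a break-in on the unprivileged side is limited to what the task actually needs.

```python
"""Privilege separation for a file-manager helper (added example, assumed API).

GenericFileService : any path on any filesystem; separation buys nothing.
ConfinedFileService: one directory only; paths are canonicalised and checked.
"""
import os
import shutil
import tempfile
from xmlrpc.client import Binary
from xmlrpc.server import SimpleXMLRPCServer


def _as_bytes(data):
    # XML-RPC delivers binary payloads as xmlrpc.client.Binary; accept those,
    # raw bytes, or text so the services behave the same in-process and remote.
    if isinstance(data, Binary):
        return data.data
    if isinstance(data, str):
        return data.encode()
    return data


class GenericFileService:
    """Privileged helper with a generic interface: read or write any file.
    Anyone who has taken over the unprivileged caller gets root-equivalent
    file access through it, which is the situation the post describes."""

    def read_file(self, path):
        with open(path, "rb") as fh:
            return fh.read()

    def write_file(self, path, data):
        with open(path, "wb") as fh:
            fh.write(_as_bytes(data))
        return True


class ConfinedFileService:
    """Privileged helper limited to one specific task: files beneath a fixed
    directory (assumed here to be an upload area). Absolute paths, ``..``
    components and symlinks pointing outside the root are all rejected."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, relpath):
        # Names beginning with "_" are never exposed by SimpleXMLRPCServer,
        # so remote callers cannot reach this helper directly.
        if os.path.isabs(relpath):
            raise PermissionError("absolute paths are not allowed")
        # realpath() resolves symlinks and ".." before the prefix check, so a
        # link placed inside the root cannot be used to read outside it.
        full = os.path.realpath(os.path.join(self.root, relpath))
        if full != self.root and not full.startswith(self.root + os.sep):
            raise PermissionError("path escapes service root: %r" % relpath)
        return full

    def read_file(self, relpath):
        with open(self._resolve(relpath), "rb") as fh:
            return fh.read()

    def write_file(self, relpath, data):
        with open(self._resolve(relpath), "wb") as fh:
            fh.write(_as_bytes(data))
        return True


def serve(service, port=8099):
    """Expose a service on the loopback interface only, as the post proposes.
    Binding to 127.0.0.1 keeps other hosts out; it does nothing against a
    compromised local caller, which is why the interface itself must be narrow."""
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_instance(service)
    server.serve_forever()


def demo():
    """Build a constructed scratch tree and exercise both services in-process.
    Returns a dict describing what each call achieved."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "uploads")
        os.mkdir(root)
        with open(os.path.join(root, "report.txt"), "wb") as fh:
            fh.write(b"quarterly numbers")
        secret = os.path.join(base, "secret.key")          # outside the root
        with open(secret, "wb") as fh:
            fh.write(b"PRIVATE")
        os.symlink(secret, os.path.join(root, "link"))    # escape attempt

        results = {}
        generic = GenericFileService()
        results["generic_reads_secret"] = generic.read_file(secret) == b"PRIVATE"

        confined = ConfinedFileService(root)
        results["confined_reads_own"] = (
            confined.read_file("report.txt") == b"quarterly numbers")
        attempts = {"escape_dotdot": "../secret.key",
                    "escape_absolute": secret,
                    "escape_symlink": "link"}
        for name, attempt in attempts.items():
            try:
                confined.read_file(attempt)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "denied"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Running the module prints that the generic service reads the file outside the root while the confined one denies all three escape attempts. To put the confined service behind XML-RPC, call `serve(ConfinedFileService("/path/to/uploads"))` from the privileged process; what matters for the argument in the thread is that the method set stays this small.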