Jonathan Stoneman wrote:
Hi,
We have a Zope server that out customers can have space on. We provide them with an folder containing a User Folder which contains their user. They can then do whatever they want within this space. We do not want to place any un-necessary limitations on what they can do.
The problem is that we want to install the LocalFS product on the server. If the customers have permissions that allow them to create or edit LocalFS objects, then they can access any part of the local file system that the zope user can.
We can stop them from creating and editing LocalFS objects by removing the Add Local File Systems and Change Local File System Properties permissions from their roles in the root folder. The customers would then have to contact us to have a LocalFS object created or edited but this would be an acceptable solution.
The problem with this solution is that they can change the role that their user has, or change the permissions of their folder. Either way they can get permission to create / edit LocalFS objects. We could stop them from doing this by taking away their Manage Users and Change Permissions permissions, but this is not really acceptable.
Is there any other way that we can install the LocalFS product and stop users from creating / editing instances of that object?
Thanks... JOn
How about modifying the localfs product to not allow arbitrary paths? Like always prepending /home/yourlocaluseraccount/ to what they type in, this is the simplest method coming to my mind. Other involve chroots and such stuff which will get very nasty. But you'll have to seriously think about it, because you'll have to prevent the user from configuring LocalFS with ../../../etc/passwd and that stuff. Maybe filtering out '..' should do it?
HTH, oliver
Thanks for your help, I had actually considered doing this, but was hoping there was a simple way of doing it that I had missed. Time to start looking at the LocalFS source then.. :) Thanks again... JOn. -- Jonathan Stoneman - Programmer - Frontier Internet Services Limited Tel: 02920 820045 Fax: 02920 820038 http://www.frontier.net.uk All statements made are subject to Frontier's Terms and Conditions of Business which are available upon request.