Hello,

as a Debian maintainer I wonder if there is any clean method to import zexp products by a script (not using the import method from a browser). The idea is that installing Python products is simple by copying the python code to the right place and restart zope. Works fine in the Debian postinst script. But what to do with zexp products. I tried a very dirty hack like

    ZOPEUSER="<place the name of Zope administrator here>"
    PASSWD="<and his password>"
    ## For sure this is insecure.
    ## You should find a secure way using debconf to maintain this!!!!
    IMPORT=<product-name>.zexp
    LC_ALL=en_EN
    HOST=localhost
    PORT=9673
    wget --proxy=off --http-user=${ZOPEUSER} --http-pass=${PASSWD} \
        http://${HOST}:${PORT}/Control_Panel/Products/${prod}/manage_importObject?file=${IMPORT}

but I think I really do not have to tell you that this can not be the recommended way to go.

Any other idea?

Kind regards

Andreas.

Tille, Andreas wrote:
> Hello,
>
> as a Debian maintainer I wonder if there is any clean method to import zexp products by a script (not using the import method from a browser). The idea is that installing Python products is simple by copying the python code to the right place and restart zope. Works fine in the Debian postinst script. But what to do with zexp products. I tried a very dirty hack like
>
>     ZOPEUSER="<place the name of Zope administrator here>"
>     PASSWD="<and his password>"
>     ## For sure this is insecure.
>     ## You should find a secure way using debconf to maintain this!!!!
>     IMPORT=<product-name>.zexp
>     LC_ALL=en_EN
>     HOST=localhost
>     PORT=9673
>     wget --proxy=off --http-user=${ZOPEUSER} --http-pass=${PASSWD} \
>         http://${HOST}:${PORT}/Control_Panel/Products/${prod}/manage_importObject?file=${IMPORT}
>
> but I think I really do not have to tell you that this can not be the recommended way to go.

Dumb question, why not? What (linux-) privilege level does one need to install a new package?

If you think that installing filesystem products the way you described is secure, then I don't see why using this shellscript isn't, provided it is only readable by the right user(s).

If you are able to install products, you can vaporize zope's security anyway AFAIK, so I don't see why this should be more insecure.

cheers,
oliver

> as a Debian maintainer I wonder if there is any clean method to import zexp products by a script (not using the import method from a browser). The idea is that installing Python products is simple by copying the python code to the right place and restart zope. Works fine in the Debian postinst script. But what to do with zexp products. I tried a very dirty hack like
>
>     ZOPEUSER="<place the name of Zope administrator here>"
>     PASSWD="<and his password>"
>     ## For sure this is insecure.
>     ## You should find a secure way using debconf to maintain this!!!!
>     IMPORT=<product-name>.zexp
>     LC_ALL=en_EN
>     HOST=localhost
>     PORT=9673
>     wget --proxy=off --http-user=${ZOPEUSER} --http-pass=${PASSWD} \
>         http://${HOST}:${PORT}/Control_Panel/Products/${prod}/manage_importObject?file=${IMPORT}

The best way would be to write a Python script that makes the necessary API calls. Note that there is already code for that, since you can install ZEXP products directly from a Product.

BTW, the easiest way would be to create a distribution of your Zope ZClass product. All you need to do is to drop it in the Products directory and it will be added in the ZODB Products Folder.

Regards,
Stephan

-- 
Stephan Richter
CBU - Physics and Chemistry Student
Web2k - Web Design/Development & Technical Project Management

On Tue, 22 Jan 2002, Stephan Richter wrote:
> The best way would be to write a Python script that makes the necessary API calls. Note that there is already code for that, since you can install ZEXP products directly from a Product.

Right, but I do not have the knowledge to implement that.

> BTW, the easiest way would be to create a distribution of your Zope ZClass product. All you need to do is to drop it in the Products directory and it will be added in the ZODB Products Folder.

You are completely right. The problem is that we do not talk about *my* product but about products like for instance

http://www.zope.org/Members/Barabbas/EventFolder/

Should I ask the upstream author to change this to let the install procedure become more easy?

Kind regards

Andreas.

"Tille, Andreas" <TilleA@rki.de> writes:
> On Tue, 22 Jan 2002, Stephan Richter wrote:
>
>> The best way would be to write a Python script that makes the necessary API calls. Note that there is already code for that, since you can install ZEXP products directly from a Product.
>
> Right, but I do not have the knowledge to implement that.

Hi Andreas - there is some code to do this in ZWiki/__init__.py .

As for the issues with the command-line approach, would curl -n help?

-Simon

On Tue, Jan 22, 2002 at 06:17:48PM +0100, Oliver Bleutgen wrote:
>>     wget --proxy=off --http-user=${ZOPEUSER} --http-pass=${PASSWD} \
>>         http://${HOST}:${PORT}/Control_Panel/Products/${prod}/manage_importObject?file=${IMPORT}
>>
>> but I think I really do not have to tell you that this can not be the recommended way to go.
>
> Dumb question, why not? What (linux-) privilege level does one need to install a new package? If you think that installing filesystem products the way you described is secure, then I don't see why using this shellscript isn't, provided it is only readable by the right user(s).

Assuming the server has non-administrative users with login privileges, if they run 'ps auxwww' at just the right time, they've captured all your command line arguments to wget... including your Zope administrative username and password. Python product installation doesn't carry that particular risk.

One way to eliminate that possibility would be to use a browser other than wget, something that can prompt for the administrative username and password when needed, or read them from a protected file.

-- 
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu

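Added example, not part of the thread and not Zope's own code: one way to follow the "read them from a protected file" suggestion above, so the credentials never appear in a process's argument list. The credentials file path, its one-line `user:password` format, and the product and file names in the usage section are assumptions made for illustration.

```python
import base64
import os
import stat
import urllib.parse
import urllib.request


def load_credentials(path):
    """Return (user, password) from a one-line 'user:password' file.

    The file must be a regular file owned by the calling user and must
    not be accessible to group or other (for example mode 0600).
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        st = os.fstat(fh.fileno())  # check the file we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s: not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise PermissionError("%s: not owned by the calling user" % path)
        if st.st_mode & 0o077:
            raise PermissionError("%s: accessible to group/other" % path)
        user, sep, password = fh.readline().rstrip("\n").partition(":")
    if not sep or not user:
        raise ValueError("%s: expected 'user:password'" % path)
    return user, password


def build_import_request(host, port, product, zexp_name, cred_path):
    """Build the manage_importObject request used in the thread.

    The credentials travel in the Authorization header, so they are
    not visible in 'ps' output the way wget's --http-pass argument is.
    """
    user, password = load_credentials(cred_path)
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    url = "http://%s:%d/Control_Panel/Products/%s/manage_importObject?%s" % (
        host, port, urllib.parse.quote(product, safe=""),
        urllib.parse.urlencode({"file": zexp_name}))
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + token.decode("ascii"))
    return req


if __name__ == "__main__":
    # Hypothetical values; the port matches the one used in the thread.
    req = build_import_request("localhost", 9673, "ExampleProduct",
                               "ExampleProduct.zexp", "/etc/zope/import.cred")
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status)
```
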
Mike Renfro wrote:
> Assuming the server has non-administrative users with login privileges, if they run 'ps auxwww' at just the right time, they've captured all your command line arguments to wget... including your Zope administrative username and password. Python product installation doesn't carry that particular risk.
>
> One way to eliminate that possibility would be to use a browser other than wget, something that can prompt for the administrative username and password when needed, or read them from a protected file.

Ahh, this I forgot, this is indeed a problem. Thanks.

cheers,
oliver

> as a Debian maintainer I wonder if there is any clean method to import zexp products by a script (not using the import method from a browser). The idea is that installing Python products is simple by copying the python code to the right place and restart zope. Works fine in the Debian postinst script.

You could simply use something like what load_site is doing, namely:

    import ZPublisher.Client
    ob = ZPublisher.Client.Object(url, username=user, password=password)
    ob.manage_somethingOrOther(id=name, file=open(fname, 'rb'))

Or even, without starting Zope:

    import Zope
    root = Zope.app()
    ob = root.path.to.your.object
    ob.manage_blabla
    get_transaction().commit()

All untested of course :-)

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 10 http://nuxeo.com mailto:fg@nuxeo.com

participants (6):
- Florent Guillaume
- Mike Renfro
- Oliver Bleutgen
- Simon Michael
- Stephan Richter
- Tille, Andreas