Password function to manager screen broke?
Zope folks,
Several times now I've tried to get into the manager screen from the zope home page (both http://localhost.localdomain and the actual hostname.domain of this box) without any luck.
I tried the user & passwd given after the install and that didn't work. So I "cd /usr/share/zope" and "python2.1 zpasswd.py access", go through the prompts. Here's the access file:
admin:password
That's it. There's not even a CR at the end of the one line. Because I chose "cleartext" for encoding, you can see the user is "admin" and the password is "password". At the prompt for "Domain restrictions:" I just hit "Enter" (though I tried other things... don't really know what this prompt is asking for anyway). Nothing has worked. I even restarted zope a few times in between some of these attempts.
What else can I do so I can log into the manager screen?
thanks, ken
Zope from my rpms?
From the RPM-README :-)
"Initial Administrator Username and Password:
-------------------------------------------
The default administrator username is 'admin' and password is '123'. These are set in the /var/zope/inituser file. Zope imports this user account into the ZODB and then deletes the inituser file on startup.
The old /var/zope/access method is not implemented by this package."
Adam
On Tue, 2002-12-17 at 18:22, ken wrote:
> Zope folks,
> Several times now I've tried to get into the manager screen from the zope home page (both http://localhost.localdomain and the actual hostname.domain of this box) without any luck.
> I tried the user & passwd given after the install and that didn't work. So I "cd /usr/share/zope" and "python2.1 zpasswd.py access", go through the prompts. Here's the access file:
> admin:password
> That's it. There's not even a CR at the end of the one line. Because I chose "cleartext" for encoding, you can see the user is "admin" and the password is "password". At the prompt for "Domain restrictions:" I just hit "Enter" (though I tried other things... don't really know what this prompt is asking for anyway). Nothing has worked. I even restarted zope a few times in between some of these attempts.
> What else can I do so I can log into the manager screen?
> thanks, ken
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
Hi Adam,
--On Tuesday, 17 December 2002 18:43 -0500 Adam Manock <abmanock@earthlink.net> wrote:
> Zope from my rpms?
> From the RPM-README :-)
> "Initial Administrator Username and Password:
> -------------------------------------------
> The default administrator username is 'admin' and password is '123'. These are set in the /var/zope/inituser file. Zope imports this user account into the ZODB and then deletes the inituser file on startup.
> The old /var/zope/access method is not implemented by this package."
If rpm supports user interaction during installation you should probably let the user input its own credentials instead of this default. Someone could get the idea of scanning the web for new installed zopes with default passwords.
Is it a good idea to disable the emergency user? What if the user kills her acl_user object or similar?
Regards
Tino
> If rpm supports user interaction during installation you should probably let the user input its own credentials instead of this default. Someone could get the idea of scanning the web for new installed zopes with default passwords.
Yes. I forget that not everyone runs deny all / explicit allow firewall policies, even at home. :-) I shouldn't assume that additional layers of security exist to protect against exploitation of this... I'll look into what's required to set up the inituser interactively. Right now the inituser is set during the "build" stage. Even if I don't end up changing the package so that it is set interactively, I'll at least make sure Zope only binds to the loopback address by default, thus reducing the impact, and I'll add a security note to the README in either case.
> > The old /var/zope/access method is not implemented by this package."
> Is it a good idea to disable the emergency user? What if the user kills her acl_user object or similar?
"python2.1 /usr/share/zope/zpasswd.py /var/zope/access" will work to create an emergency user. Guess that one needs clarification. Even if I don't implement /var/zope/access in the package, that doesn't mean that the underlying Zope install doesn't support a user creating and using an emergency user. I will update the docs accordingly.
Thanks for the feedback,
Adam
participants (3)
- Adam Manock
- ken
- Tino Wildenhain
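
Added example, not part of the thread and not Zope's or the RPM's own code: a Python 3 check for the one-line inituser/access file discussed above, flagging the cleartext storage and default passwords the messages mention. The `user:password[:domains]` layout and the `{SHA}`/`{CRYPT}` prefixes are assumptions about what zpasswd.py writes; the function names and finding labels are hypothetical.

```python
import base64
import hashlib

# '123' is the packaged default quoted in the thread and 'password' is the
# value ken typed; extend this tuple for your own policy.
KNOWN_DEFAULTS = ("123", "password")


def parse_line(line):
    """Split 'user:secret[:domains]' (assumed layout) into its fields."""
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("expected user:password[:domains]")
    domains = parts[2].split() if len(parts) == 3 else []
    return parts[0], parts[1], domains


def sha_encode(password):
    """Encode a password the way a '{SHA}' entry is assumed to be stored."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def audit_line(line):
    """Return the list of findings for one inituser/access line."""
    user, secret, domains = parse_line(line)
    findings = []
    if secret.startswith("{SHA}"):
        # Unsalted hash: a known default can be recognised by re-encoding it.
        if any(sha_encode(p) == secret for p in KNOWN_DEFAULTS):
            findings.append("default-password")
    elif secret.startswith("{CRYPT}"):
        pass  # salted; not comparable without crypt(3), so not checked here
    else:
        findings.append("cleartext")
        if secret in KNOWN_DEFAULTS:
            findings.append("default-password")
    if not domains:
        # Informational: the account is usable from any client address.
        findings.append("no-domain-restriction")
    return findings


if __name__ == "__main__":
    # Constructed sample lines, modelled on the file ken posted.
    for sample in ("admin:password", "admin:" + sha_encode("123") + ":localhost"):
        print(sample, "->", audit_line(sample))
```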