Hi all,

I'm using Evan Simpson's XXX-PythonMethods with great results (after a few false starts due to my ignorance!). However, in Guarded.py we have the following;

# BEWARE OF THE LEOPARD!
# Set 'do_XXX' true to allow creation of XXXPythonMethods
# and ADD A MASSIVE GAPING SECURITY HOLE to Zope.
# DON'T DO THIS unless you use secure connections for ALL OF
# YOUR ADMINISTRATION or are RECKLESS and/or FEARLESS.
# Even if you DON'T create ANY XXXPythonMethods, just turning this
# on will PUT YOU AT RISK BIGTIME!

Of course, I then set do_XXX=1 :)

I only ever run my Zope servers under a non-privileged account.

Can anyone explain what sort of leopards I should look out for, as I can see that I'd want to use XXX-PythonMethods for a lot more things.

Tone

ps the icon for the XXX-PythonMethod object is way cool! :)

------
Dr Tony McDonald, FMCC, Networked Learning Environments Project
http://nle.ncl.ac.uk/
The Medical School, Newcastle University
Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
----- Original Message -----
From: "Tony McDonald" <tony.mcdonald@ncl.ac.uk>

[Unmistakable fierce-as-I-could-make-it warning omitted]
Of course, I then set do_XXX=1 :)
Noooo!! <crash><snarl><rip> Aeeii!!! <rattle>
I only ever run my Zope servers under a non-privileged account.
Can anyone explain what sort of leopards I should look out for, as I can see that I'd want to use XXX-PythonMethods for a lot more things.
Think of it this way: under normal circumstances if someone hostile got full access to your Zope management interface, through a bug or password sniffing perhaps, your Data.fs would be toast. That's what backups are for, of course. Put XXXPythonMethods in the picture and your entire Zope installation, any filesystem areas writable by the Zope-process user, and any services accessible to that user are subject to abuse. Some of this can also be handled by backups, but subtle subversion over a period long enough to render backups worthless is a much greater possibility.

You might end up as a CPU server for arbitrary Python programs. You might not. LOOK OUT, IT'S BEHIND Y..<glurk>
ps the icon for the XXX-PythonMethod object is way cool! :)
They had to have *something* positive going for them :-)

Cheers,
Evan @ 4-am & digicool
At 9:55 pm -0500 14/3/00, Evan Simpson wrote:
----- Original Message -----
From: "Tony McDonald" <tony.mcdonald@ncl.ac.uk>

[Unmistakable fierce-as-I-could-make-it warning omitted]
Of course, I then set do_XXX=1 :)
Noooo!! <crash><snarl><rip> Aeeii!!! <rattle>
:(
You might end up as a CPU server for arbitrary Python programs. You might not. LOOK OUT, IT'S BEHIND Y..<glurk>
ps the icon for the XXX-PythonMethod object is way cool! :)
They had to have *something* positive going for them :-)

<sigh> Ok, I probably shouldn't use them then. </sigh>

But (you knew there was going to be a but :). They are *so* useful. E.g. I've got a XXXMethod that imports the following;

import os, sys, string, mimetypes, stat
import DocumentTemplate
from Acquisition import Implicit
from OFS.Image import File
from OFS.content_types import guess_content_type

setting do_XXX=0 gives me;

<!--
 Error type: ImportError
 Error value: __import__ not found
-->

Which is fair enough as the docs on the Zope site say import is controlled. Can you please be a bit more explicit and let me know *what* I can import? The Python code is a bit over my head...

<compromise> Would you say that you could use a XXX PythonMethod to debug code that is going to become an External Method? </compromise>

Thanks for the help Evan, it's much appreciated.

Tone.

------
Dr Tony McDonald, FMCC, Networked Learning Environments Project
http://nle.ncl.ac.uk/
The Medical School, Newcastle University
Tel: +44 191 222 5888
Fingerprint: 3450 876D FA41 B926 D3DD F8C3 F2D0 C3B9 8B38 18A2
----- Original Message -----
From: Tony McDonald <tony.mcdonald@ncl.ac.uk>
<sigh> Ok, I probably shouldn't use them then. </sigh>
Don't let me discourage you too much. If you can isolate your Zope, you're pretty safe. That means a private or development installation only. If you are the only person allowed to touch the management interface, and you really bite the bullet and do all of your administration through SSL, you *might* be safe in production.
But (you knew there was going to be a but :). They are *so* useful.

[snip]

Which is fair enough as the docs on the Zope site say import is controlled. Can you please be a bit more explicit and let me know *what* I can import? The Python code is a bit over my head...
Right now, they are controlled into oblivion; I have vague plans to allow some sort of safe import, but no clear idea what would truly be safe other than trivial "you can use import as another way to spell x = self.foo" stuff.
<compromise> Would you say that you could use a XXX PythonMethod to debug code that is going to become an External Method? </compromise>
That should work well. XXXPythonMethods and External Methods have very similar semantics.

Cheers,
Evan @ digicool & 4-am
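
The ImportError quoted in the thread can be reproduced in current CPython, as an added example that is not from either poster and is not the code in Guarded.py: a body executed with a builtins mapping that lacks __import__ fails on any import statement, and a hook over an allow-list is one form the "safe import" idea could take. run_guarded, guarded_import and ALLOWED_MODULES are hypothetical names, and the allow-list contents are an assumption.

```python
import builtins

# Hypothetical allow-list (assumption): the thread does not say which
# modules, if any, would be safe to expose.
ALLOWED_MODULES = frozenset({"string", "math"})


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Import hook that refuses anything outside ALLOWED_MODULES."""
    root = name.split(".")[0]
    # Relative imports (level != 0) are refused along with unlisted modules.
    if level != 0 or root not in ALLOWED_MODULES:
        raise ImportError("import of %r is not allowed" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def run_guarded(source, allow_imports=False):
    """Execute source with stripped builtins; return (namespace, error)."""
    # Only these names are visible to the body. Filtering builtins shows
    # where the error comes from; on its own it is not a sandbox.
    safe_builtins = {"len": len, "range": range, "str": str}
    if allow_imports:
        safe_builtins["__import__"] = guarded_import
    namespace = {"__builtins__": safe_builtins}
    try:
        exec(compile(source, "<method body>", "exec"), namespace)
    except ImportError as exc:
        return namespace, "ImportError: %s" % exc
    return namespace, None


if __name__ == "__main__":
    # Constructed method bodies, modelled on the imports in the thread.
    samples = [
        ("import os", False),
        ("import os", True),
        ("import math\nx = math.sqrt(16)", True),
    ]
    for body, allow in samples:
        ns, err = run_guarded(body, allow_imports=allow)
        print(repr(body), "allow_imports=%s" % allow, "->", err or ns.get("x"))
```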