RE: [Zope] Re: [Crew] External Methods?
I understand the security problems inherent in ExternalMethods; unfortunately, without them, Zope is merely an "also-ran" in the web application race, from my perspective. DTML in isolation is not an "ASP-killer."
I'm CC'ing the Zope list, in hopes that someone there can either allay or slay our fears.
It seems to me that the security problem is that ExternalMethods can get access to "sibling objects" of the object on which they are invoked, right? I mean, if we could make the siblings inaccessible, and acquired properties read-only, then we should be ok, no? Ugh, I don't grok acquisition well enough to tackle that myself, I fear.
Well, it's actually deeper than that. You are correct in saying that DTML alone is not an ASP-killer. Consider the similarities between Zope and, for example, ASP/COM (though the same holds true for practically any other system as well):

ASP lets you use the services provided by (COM) objects, which may be provided by the server or provided independently. I'm sure that MS tries to make the server-provided objects fairly safe, but there is _nothing_ stopping a programmer from writing and installing a COM object with an evil() method that wipes out your C: drive, except the fact that presumably the sysadmin exercises some control over making these independent services available.

The same holds true for Zope (and any other app server out there). Like ASP/COM, External Methods give you the ability to provide more powerful services for use by your application. It also gives you exactly the same problems (though I'm sure that evil() method could be developed in a quarter of the time in Python :)

Basically, with power comes responsibility, and I can't really imagine any system that could _safely_ allow possibly-untrusted people to write (basically) arbitrary code. It's not even really a matter of what services are or are not available to those people. I'm sure that many, many hours and much brain-power went into the design of Java's security mechanisms. Even so, if I were a web site manager I still couldn't let untrusted users write their own arbitrary Java code to run in my web or app server.

Even after I had figured out a way to wall off every service I could think of that could possibly be harmful, the user could still probably just do the Java equivalent of:

    while 1: pass

Zope DTML goes to a good deal of trouble to minimize these problems in DTML itself, and we would certainly consider any concrete ideas on how to make External Methods safer. Can you give me some examples of other app servers that you feel deal with safety of external services in a better way? I'd be happy to do some looking into how others are dealing with this.

Brian Lloyd
brian@digicool.com
Software Engineer
540.371.6909
Digital Creations
http://www.digicool.com
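Brian's "while 1: pass" point is about resource exhaustion rather than about which services the code can reach, and the standard counter is to run the untrusted code in a separate process under a CPU-time ceiling plus a wall-clock timeout. The block below is an added example, not Zope's or Digital Creations' code: it runs a source string in a child Python interpreter with RLIMIT_CPU applied before exec, so a runaway loop is killed by the kernel rather than by the server. The function name run_with_limits, the one-second CPU ceiling and the three-second wall timeout are my own choices, and the snippets fed to it are constructed for the demonstration.

```python
import resource
import signal
import subprocess
import sys


def run_with_limits(source, cpu_seconds=1, wall_seconds=3):
    """Run untrusted Python source in a child interpreter under a CPU-time
    ceiling and a wall-clock timeout.

    Returns (status, text) where status is one of:
      "ok"        - exited 0; text is its stdout
      "cpu_limit" - killed by the kernel for exceeding RLIMIT_CPU
      "timeout"   - exceeded the wall clock (e.g. a sleeping loop that burns no CPU)
      "error"     - exited non-zero for any other reason; text is its stderr
    """

    def apply_limits():
        # Runs in the child between fork and exec. Soft and hard limits are
        # equal, so the kernel delivers SIGXCPU at the ceiling and, because the
        # child has no handler for it, the process terminates.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))

    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],  # -I: isolated mode, no user site
            preexec_fn=apply_limits,
            capture_output=True,
            text=True,
            timeout=wall_seconds,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child for us.
        return "timeout", ""

    if proc.returncode == 0:
        return "ok", proc.stdout
    # A negative return code is the signal number that ended the child.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu_limit", proc.stdout
    return "error", proc.stderr


if __name__ == "__main__":
    # Constructed inputs: a harmless script, Brian's loop, and a sleeper.
    print(run_with_limits("print(2 + 2)"))
    print(run_with_limits("while 1: pass"))
    print(run_with_limits("import time\ntime.sleep(30)"))
```

The rlimit handles the CPU-bound loop and the wall timeout handles a loop that sleeps instead, which an rlimit alone would never catch. Neither limit restricts what the child may read or write; they address the exhaustion half of Brian's argument and leave the access half to whatever isolation the process itself runs under.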
On 02-Mar-99 Brian Lloyd wrote:
Zope DTML goes to a good deal of trouble to minimize these problems in DTML itself, and we would certainly consider any concrete ideas on how to make External Methods safer. Can you give me some examples of other app servers that you feel deal with safety of external services in a better way? I'd be happy to do some looking into how others are dealing with this.
There absolutely does need to be an "unprotected mode" available though - the system designers might *need* it to do scary destructive things like deleting files. Zope should not get in the way.

---
Julian Morrison
Programmer (Zereau Ltd)
Brian Lloyd wrote:
It seems to me that the security problem is that ExternalMethods can get access to "sibling objects" of the object on which they are invoked, right? I mean, if we could make the siblings inaccessible, and acquired properties read-only, then we should be ok, no? Ugh, I don't grok acquisition well enough to tackle that myself, I fear.
Well, it's actually deeper than that. You are correct in saying that DTML alone is not an ASP-killer. Consider the similarities between Zope and, for example, ASP/COM (though the same holds true for practically any other system as well):
Please don't get me wrong: I _like_ ExternalMethod / Product as a way to extend Zope. My comment is in the context of not (currently) being able to add ExternalMethods to my Zope demesne on starship, given the (quite legitimate) security concerns of the Zopemeister.
ASP lets you use the services provided by (COM) objects, which may be provided by the server or provided independently. I'm sure that MS tries to make the server-provided objects fairly safe, but there is _nothing_ stopping a programmer from writing and installing a COM object with an evil() method that wipes out your C: drive, except the fact that presumably the sysadmin exercises some control over making these independent services available.
I looked at the ExternalMethod source last night a bit: the actual method execution is done via an apply() call, after loading and compiling the code for the function. We might be able to come up with an alternate product which used a carefully tuned rexec() (Bastion? I plead ignorance), operating on Python code stored in the Zbase itself. The particulars of my case are that the control structures of DTML are not quite powerful enough to accomplish my task; of course, strengthening them, even in a "sandbox" model, still leaves open the possibility for buggy/malicious code to do ugly things (like your example below).
The same holds true for Zope (and any other app server out there). Like ASP/COM, External Methods give you the ability to provide more powerful services for use by your application. It also gives you exactly the same problems (though I'm sure that evil() method could be developed in a quarter of the time in Python :)
Basically, with power comes responsibility, and I can't really imagine any system that could _safely_ allow possibly-untrusted people to write (basically) arbitrary code. It's not even really a matter of what services are or are not available to those people. I'm sure that many, many hours and much brain-power went into the design of Java's security mechanisms. Even so, if I were a web site manager I still couldn't let untrusted users write their own arbitrary java code to run in my web or app server.
Even after I had figured out a way to wall off every service I could think of that could possibly be harmful, the user could still probably just do the Java equivalent of:
while 1: pass
Zope DTML goes to a good deal of trouble to minimize these problems in DTML itself, and we would certainly consider any concrete ideas on how to make External Methods safer. Can you give me some examples of other app servers that you feel deal with safety of external services in a better way? I'd be happy to do some looking into how others are dealing with this.
Any Turing machine can do "while 1: pass", so no sufficiently general syntax is "safe" from this attack. Actually, the possibility which seemed most interesting was Doug Wyatt's suggestion of "federating" a set of independent Zbases under one (at least apparently one) server. Then any damage my ExternalMethod did to the Zbase would be on my own head, at least. If that server were actually a process running as me, then standard system security procedures should probably be fine.

--
=========================================================
Tres Seaver           tseaver@palladion.com    713-523-6582
Palladion Software    http://www.palladion.com
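Tres's idea of a "carefully tuned" restricted mode over Python source stored in the Zbase has a static half that can be shown without rexec or Bastion: before anything runs, parse the stored source and refuse any construct or free name outside an allow-list. The block below is an added example of that check and not any Zope product's code; the allow-list of builtins, the FORBIDDEN_NODES tuple and the function names are my own choices. As its unsafe input it uses a copy of the gen_problem() code Tres posts later in this thread, which the check rejects for its import and its eval() call, beside a constructed function that passes.

```python
import ast

# Constructed allow-list: builtins the stored code may read without binding them itself.
ALLOWED_BUILTINS = {"range", "len", "min", "max", "abs", "int", "str", "sum", "sorted"}

# Constructs refused outright: module access, scope escapes, class machinery, async.
FORBIDDEN_NODES = (ast.Import, ast.ImportFrom, ast.Global, ast.Nonlocal,
                   ast.ClassDef, ast.AsyncFunctionDef, ast.Await)


def _bound_names(tree):
    """Names the code binds itself: assignment and loop targets, function names,
    parameters and except-clause names. Reads of these are not 'unknown'."""
    bound = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, (ast.Store, ast.Del)):
            bound.add(node.id)
        elif isinstance(node, ast.FunctionDef):
            bound.add(node.name)
            a = node.args
            params = a.posonlyargs + a.args + a.kwonlyargs + [p for p in (a.vararg, a.kwarg) if p]
            bound.update(p.arg for p in params)
        elif isinstance(node, ast.ExceptHandler) and node.name:
            bound.add(node.name)
    return bound


def check_restricted(source, allowed=ALLOWED_BUILTINS):
    """Statically check stored Python source. Returns a list of violation
    strings; an empty list means every construct and free name was allowed."""
    tree = ast.parse(source)
    bound = _bound_names(tree)
    violations = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", "?")
        if isinstance(node, FORBIDDEN_NODES):
            violations.append("line %s: %s is not allowed" % (line, type(node).__name__))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Dunder attributes are the usual route from a harmless object back
            # to the interpreter internals.
            violations.append("line %s: attribute %r is not allowed" % (line, node.attr))
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            if node.id.startswith("_"):
                violations.append("line %s: name %r is not allowed" % (line, node.id))
            elif node.id not in allowed and node.id not in bound:
                violations.append("line %s: unknown name %r" % (line, node.id))
    return violations


# Copy of the gen_problem() code from this thread, with the import it needs.
STORED_SRC = """
import random
def gen_problem(max_term, operators):
    while 1:
        lhs = random.randrange(max_term + 1)
        rhs = random.randrange(max_term + 1)
        op = operators[random.randrange(len(operators))]
        probStr = "%d %s %d" % (lhs, op, rhs)
        result = eval(probStr)
        if 0 <= result and result <= max_term:
            return probStr
"""

# Constructed function that stays inside the allow-list.
SAFE_SRC = """
def clamp_total(max_term, terms):
    total = 0
    for t in terms:
        if 0 <= t <= max_term:
            total = total + t
    return min(total, len(terms))
"""

if __name__ == "__main__":
    for v in check_restricted(STORED_SRC):
        print(v)
    print("safe source violations:", check_restricted(SAFE_SRC))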
On Tue, Mar 02, 1999 at 01:43:10PM -0600, Tres Seaver wrote:
I looked at the ExternalMethod source last night a bit: the actual method execution is done via an apply() call, after loading and compiling the code for the function. We might be able to come up with an alternate product which used a carefully tuned rexec() (Bastion? I plead ignorance), operating on Python code stored in the Zbase itself.
This was an idea I'd proffered, but honestly haven't looked at enough yet to know whether it would work... it SHOULD work, but it might require some modifications to the acquisition code; I've not looked enough yet.
The particulars of my case are that the control structures of DTML are not quite powerful enough to accomplish my task; of course, strengthening them, even in a "sandbox" model, still leaves open the possibility for buggy/malicious code to do ugly things (like your example below).
Well, it might help if you offered what control structure you need, we might be able to come up with an interim solution.
Actually, the possibility which seemed most interesting was Doug Wyatt's suggestion of "federating" a set of independent Zbases under one (at least apparently one) server. Then any damage my ExternalMethod did to the Zbase would be on my own head, at least. If that server were actually a process running as me, then standard system security procedures should probably be fine.
To me this is just a hack to get around it near term, and doesn't fix the problem. Also if you have 100 users, do you have 100 instances of zope running under 1 ZServer? That sounds like a true administrative nightmare... And substantial overkill.

Chris
--
| Christopher Petrilli    ``Television is bubble-gum for
| petrilli@amber.org        the mind.'' -Frank Lloyd Wright
Christopher G. Petrilli wrote:
On Tue, Mar 02, 1999 at 01:43:10PM -0600, Tres Seaver wrote:
The particulars of my case are that the control structures of DTML are not quite powerful enough to accomplish my task; of course, strengthening them, even in a "sandbox" model, still leaves open the possibility for buggy/malicious code to do ugly things (like your example below).
Well, it might help if you offered what control structure you need, we might be able to come up with an interim solution.
Ok, the "teeth-cutting" example I am trying to implement generates math-facts problems for my five year old. In Python, two trivial functions:

I _think_ this one is easy in DTML:

    import random

    def problem( max_term, operators ) :
        """ Generate a single math-fact problem whose terms are within
            range( max_term + 1 ), using one of the supplied operators.
        """
        lhs = random.randrange( max_term + 1 )
        rhs = random.randrange( max_term + 1 )
        operation = operators[ random.randrange( len( operators ) ) ]
        return ( lhs, operation, rhs )

But not this one:

    def gen_problem( max_term, operators ) :
        """ Generate a math-fact problem whose terms and results are all
            within range( max_term ), using the supplied operators.
        """
        while 1 :   # Arbitrary looping! (could benefit from
                    # the dreaded assignment-in-conditional :)
            probStr = "%d %s %d" % problem( max_term, operators )
            # probStr holds two integers and an operator string taken
            # from the caller's list; that is all eval() sees here.
            result = eval( probStr )
            if 0 <= result and result <= max_term :
                return probStr

And of course, the DTML syntax for something like this is going to be ugly.
Actually, the possibility which seemed most interesting was Doug Wyatt's suggestion of "federating" a set of independent Zbases under one (at least apparently one) server. Then any damage my ExternalMethod did to the Zbase would be on my own head, at least. If that server were actually a process running as me, then standard system security procedures should probably be fine.
To me this is just a hack to get around it near term, and doesn't fix the problem. Also if you have 100 users, do you have 100 instances of zope running under 1 ZServer? That sounds like a true administrative nightmare... And substantial overkill.
One instance per "sandbox", not one per user (although on starship this is a distinction without a difference). The "content manager only" applications will do fine in a single Zope instance, as now.

--
=========================================================
Tres Seaver           tseaver@palladion.com    713-523-6582
Palladion Software    http://www.palladion.com
In my experience many situations where external methods are needed do not require access to the Zope data tree, like the math test example you presented. One approach is to use a second server that does XML-RPC (Fredrik Lundh has already written a client and a simple server) and set up an account/folder where everybody can upload their scripts and access them through XML-RPC calls from their Zope environment.

I suppose we can write a product that provides the client side of the XML-RPC based on Fredrik's implementation. As for the server side, Jim once mentioned that the support should go in ZPublisher, but initially a simple server based on Python standard libraries will be adequate. Or use the newly released asyncore libs, though I suspect a multithreading server will be better in this situation.

If however one requires access to the 'self' argument of an external method such an approach will not be adequate. Usually though one can collect the relevant parameters by using DTML calls and send them to the XML-RPC server for processing.

Pavlos

On Tue, 2 Mar 1999, Tres Seaver wrote:
Christopher G. Petrilli wrote:
On Tue, Mar 02, 1999 at 01:43:10PM -0600, Tres Seaver wrote:
The particulars of my case are that the control structures of DTML are not quite powerful enough to accomplish my task; of course, strengthening them, even in a "sandbox" model, still leaves open the possibility for buggy/malicious code to do ugly things (like your example below).
Well, it might help if you offered what control structure you need, we might be able to come up with an interim solution.
Ok, the "teeth-cutting" example I am trying to implement generates math-facts problems for my five year old. In Python, two trivial functions:
I _think_ this one is easy in DTML:
    import random

    def problem( max_term, operators ) :
        """ Generate a single math-fact problem whose terms are within
            range( max_term + 1 ), using one of the supplied operators.
        """
        lhs = random.randrange( max_term + 1 )
        rhs = random.randrange( max_term + 1 )
        operation = operators[ random.randrange( len( operators ) ) ]
        return ( lhs, operation, rhs )

But not this one:

    def gen_problem( max_term, operators ) :
        """ Generate a math-fact problem whose terms and results are all
            within range( max_term ), using the supplied operators.
        """
        while 1 :   # Arbitrary looping! (could benefit from
                    # the dreaded assignment-in-conditional :)
            probStr = "%d %s %d" % problem( max_term, operators )
            # probStr holds two integers and an operator string taken
            # from the caller's list; that is all eval() sees here.
            result = eval( probStr )
            if 0 <= result and result <= max_term :
                return probStr
And of course, the DTML syntax for something like this is going to be ugly.
Actually, the possibility which seemed most interesting was Doug Wyatt's suggestion of "federating" a set of independent Zbases under one (at least apparently one) server. Then any damage my ExternalMethod did to the Zbase would be on my own head, at least. If that server were actually a process running as me, then standard system security procedures should probably be fine.
To me this is just a hack to get around it near term, and doesn't fix the problem. Also if you have 100 users, do you have 100 instances of zope running under 1 ZServer? That sounds like a true administrative nightmare... And substantial overkill.
One instance per "sandbox", not one per user (although on starship this is a distinction without a difference). The "content manager only" applications will do fine in a single Zope instance, as now.
--
=========================================================
Tres Seaver           tseaver@palladion.com    713-523-6582
Palladion Software    http://www.palladion.com
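Pavlos's suggestion at the top of this message is a separation of privilege: user scripts live in a second XML-RPC server that has no handle on the Zope data tree, and the Zope side only marshals parameters to it and gets a result back. The block below is an added example of that exchange using the math-facts generator Tres posted as the remote service; it is neither Fredrik Lundh's xmlrpclib nor Zope code, and it uses the standard library's xmlrpc.server and xmlrpc.client modules (the descendants of xmlrpclib). The OPERATORS table, the function names and the loopback port chosen at run time are my own; the operator table also replaces the eval() in the original gen_problem(), so the server never evaluates text it received from a client.

```python
import operator
import random
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed operator table: the client names an operator by its symbol and the
# server looks the function up, so no problem text is ever passed to eval().
OPERATORS = {"+": operator.add, "-": operator.sub, "*": operator.mul}


def gen_problem(max_term, operators):
    """Server side: return 'lhs op rhs' whose terms and result lie in range(max_term + 1)."""
    unknown = [op for op in operators if op not in OPERATORS]
    if unknown:
        # Raised inside the dispatcher, this reaches the client as an xmlrpc Fault.
        raise ValueError("unsupported operator(s): %r" % unknown)
    while True:
        lhs = random.randrange(max_term + 1)
        rhs = random.randrange(max_term + 1)
        op = operators[random.randrange(len(operators))]
        result = OPERATORS[op](lhs, rhs)
        if 0 <= result <= max_term:
            return "%d %s %d" % (lhs, op, rhs)


def start_server():
    """Start the script server on an ephemeral loopback port in a background thread.
    In Pavlos's deployment this process would run as its own user, apart from Zope."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_function(gen_problem, "gen_problem")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def client_request(url, max_term, operators):
    """Client side (what a Zope-side product would do): call the remote function.
    Returns (True, problem_string) on success or (False, fault_string) on a Fault."""
    proxy = ServerProxy(url)
    try:
        return True, proxy.gen_problem(max_term, operators)
    except Fault as fault:
        return False, fault.faultString


def check_problem(problem, max_term):
    """Verify a returned problem string without eval(): parse it and recompute."""
    lhs, op, rhs = problem.split()
    lhs, rhs = int(lhs), int(rhs)
    if op not in OPERATORS or not (0 <= lhs <= max_term and 0 <= rhs <= max_term):
        return False
    return 0 <= OPERATORS[op](lhs, rhs) <= max_term


if __name__ == "__main__":
    server, url = start_server()
    print(client_request(url, 10, ["+", "-", "*"]))   # (True, '<lhs> <op> <rhs>')
    print(client_request(url, 10, ["/"]))             # (False, '...unsupported operator(s)...')
    server.shutdown()
```

The client passes only plain parameters (an integer and a list of symbols) and receives a string, which matches Pavlos's point that DTML can collect the relevant parameters and ship them across; nothing on the server side can reach the caller's 'self'. The Fault path shows how a server-side rejection surfaces to the Zope side as data rather than as an exception in the Zope process.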