External / Internal Methods
I vaguely recall this being discussed in the past, but I can't find it in my archives...
Has anyone tried to make a comparable thing to an "External Method" but that is contained in the database itself?
The reason is this... we've set up Zope on the Starship, and some people would like to experiment with ExternalMethods, BUT... that requires access on the file system to stuff that we'd rather not open up, or a huge amount of administrative overhead.
Ideas?
Chris
--
| Christopher Petrilli ``Television is bubble-gum for
| petrilli@amber.org the mind.''-Frank Lloyd Wright
You could write an External Method that would put the file in the extensions directory :) I think they only need to be there while the Python Method is created since you have to update them from within Zope every time they change.
This would be a **HUGE** security hole though! You could log them but I don't know if there is anything you could do to make it safe.
Phil.
-----------------------------------------------------------
Philip Aylesworth mailto:purple@mnsi.net
"Christopher G. Petrilli" wrote:
I vaguely recall this being discussed in the past, but I can't find it in my archives...
Has anyone tried to make a comparable thing to an "External Method" but that is contained in the database itself?
I believe that this was rejected by DC because of security issues. Letting people store and run Python code directly in the database is essentially the same as giving someone complete access to the system.
Michael Bernstein.
On 26-Feb-99 Michael Bernstein wrote:
"Christopher G. Petrilli" wrote:
I vaguely recall this being discussed in the past, but I can't find it in my archives...
Has anyone tried to make a comparable thing to an "External Method" but that is contained in the database itself?
I believe that this was rejected by DC because of security issues. Letting people store and run Python code directly in the database is essentially the same as giving someone complete access to the system.
Does python have anything equivalent to Perl's taint mode? Because if it does then this could be used. That and restricting allowable APIs from internal methods - again, if this is possible.
---
Julian Morrison
Programmer (Zereau Ltd)
On Mon, Mar 01, 1999 at 10:16:18AM -0000, julian@zereau.net wrote:
On 26-Feb-99 Michael Bernstein wrote:
"Christopher G. Petrilli" wrote:
I vaguely recall this being discussed in the past, but I can't find it in my archives...
Has anyone tried to make a comparable thing to an "External Method" but that is contained in the database itself?
I believe that this was rejected by DC because of security issues. Letting people store and run Python code directly in the database is essentially the same as giving someone complete access to the system.
Does python have anything equivalent to Perl's taint mode? Because if it does then this could be used. That and restricting allowable APIs from internal methods - again, if this is possible.
I don't want to get into a language war, but as someone who lives and breathes security, taint mode is a joke. Python's rexec module would be great (as would Bastion), but this is going to require a much higher level of ZopeZen to implement than I currently have.
Yes I know my proposal was wrought with huge security problems, but regardless it is valuable to some people in the near term (such as those of us on the Starship). BTW, requiring write access to the file system is only trivially more secure.
Chris
--
| Christopher Petrilli ``Television is bubble-gum for
| petrilli@amber.org the mind.''-Frank Lloyd Wright
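The "restricting allowable APIs" idea raised in the thread, as an added example that is not code from any poster or from Zope: a static screen that parses a stored method with Python's ast module and rejects imports, underscore-prefixed names and attributes, and any builtin outside an allowlist. The function name, the allowlist and both sample methods are constructed for illustration; a screen like this narrows what stored code can reach but is not a sandbox, so the process that runs the code still needs OS-level isolation.

```python
import ast
import builtins

# Hypothetical policy (assumption): the only builtins a stored method may use.
ALLOWED_BUILTINS = frozenset({"len", "str", "int", "sorted", "min", "max", "sum"})
ALL_BUILTINS = frozenset(dir(builtins))

# Constructed sample inputs, standing in for methods stored in the database.
SAFE_METHOD = '''
def total_length(items):
    return sum(len(str(i)) for i in items)
'''
UNSAFE_METHOD = '''
import os
def run(self):
    handler = open
    return self.__class__, handler("notes.txt")
'''


def screen_stored_method(source, allowed=ALLOWED_BUILTINS):
    """Return sorted (line, reason) violations; an empty list means it passed."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [(exc.lineno, "does not parse: %s" % exc.msg)]

    violations = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            violations.append((node.lineno, "import statement"))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            # Underscore attributes expose interpreter internals to the caller.
            violations.append((node.lineno, "private attribute %r" % node.attr))
        elif isinstance(node, ast.Name):
            if node.id.startswith("_"):
                violations.append((node.lineno, "private name %r" % node.id))
            elif node.id in ALL_BUILTINS and node.id not in allowed:
                # Checked on every reference, not only on direct calls, so
                # aliasing a builtin or passing it as a callback is caught.
                violations.append((node.lineno, "builtin %r not allowed" % node.id))
    return sorted(violations)


if __name__ == "__main__":
    for name, src in (("safe", SAFE_METHOD), ("unsafe", UNSAFE_METHOD)):
        print(name, screen_stored_method(src))
```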
participants (4): Christopher G. Petrilli, julian@zereau.net, Michael Bernstein, Philip Aylesworth