Zope+Python source-code security
Hallo,

I was asked to make a web-application that seems to be perfect to be built in Zope and Python. And it is also the great opportunity to get to know the second one :)

But the main issue is the security of the source-code. I was browsing the archive and haven't found yes/no answer if it is possible. There are a few security layers:

1. Zope management (I suppose the easiest)
2. Data.fs (Can you pull the stored objects and browse externally?)
3. Secure encryption of external Python modules and methods.

If at least one of 1-2/3 elements are possible to protect it might be enough as the part of business logic would be put there.

In my case the licensing issue is not a problem. The problem is how to protect the developed solution not to be copied and modified by a "naughty" customer. Unfortunately the application would have to be running on his server.

How to convince my boss and myself that Zope is the best solution? Or maybe it is not? :(

Pawel Lewicki

P.S. Please copy the answer to my address as I have the-whole-day-subscription.
On Mon, Apr 29, 2002 at 12:16:54PM +0200, Pawel Lewicki wrote:
Hallo, I was asked to make a web-application that seems to be perfect to be built in Zope and Python. And it is also the great opportunity to get to know the second one :) But the main issue is the security of the source-code. I was browsing the archive and haven't found yes/no answer if it is possible. There are a few security layers: 1. Zope management (I suppose the easiest) 2. Data.fs (Can you pull the stored objects and browse externally?)
Yes, should be possible. AFAIK Data.fs is just a big pickle dump, so all you'd need to explore it is a python interpreter.
3. Secure encryption of external Python modules and methods.
There's been some discussion of this on comp.lang.python. I've never had to do it, so I'm not the guy to ask, but here's some reading material: do a groups.google.com search on "source code encryption". Sort by date. --PW "Welcome to Muppet Labs, where the future is made - today!"
On Monday 29 April 2002 2:36 pm, Paul Winkler wrote:
On Mon, Apr 29, 2002 at 12:16:54PM +0200, Pawel Lewicki wrote:
Hallo, I was asked to make a web-application that seems to be perfect to be built in Zope and Python. And it is also the great opportunity to get to know the second one :) But the main issue is the security of the source-code. I was browsing the archive and haven't found yes/no answer if it is possible. There are a few security layers: 1. Zope management (I suppose the easiest) 2. Data.fs (Can you pull the stored objects and browse externally?)
Yes, should be possible. AFAIK Data.fs is just a big pickle dump, so all you'd need to explore it is a python interpreter.
I don't think it's *just* a big pickle dump, although yes I think the data is pickled Python objects stored in a file. It's a bit more organised than just dumping everything to a file though. You can access the ZODB through just Python now, I think. I hear a lot of work has gone into making ZODB a standalone Python product. If you want to access data stored in that Data.fs through something other than Zope, I suggest you look at the ZODB source/docs. HarryW
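The point made in the replies above, that Data.fs holds pickled Python objects which a plain Python interpreter can read, shown as an added example (not code from the thread or from ZODB). The record is a constructed stand-in for a stored script object's state, not a real Data.fs record, and `SAMPLE_STATE` and the function names are made up for illustration.

```python
import pickle
import pickletools

# Constructed sample: stand-in for the state of a stored script object.
# This is not a real Data.fs record; the attribute names are hypothetical.
SAMPLE_STATE = {
    "id": "price_rules",
    "_params": "customer, total",
    "_body": "if customer.tier == 'gold':\n    return total * 85 // 100\nreturn total\n",
}


def stored_record(state):
    """Serialise object state the way a pickle-based store would."""
    return pickle.dumps(state, protocol=2)


def visible_strings(record):
    """Walk the pickle opcodes without unpickling and collect text arguments.

    pickletools.genops only parses the stream, so no application classes
    need to be importable and nothing in the record is executed.
    """
    return [arg for _op, arg, _pos in pickletools.genops(record)
            if isinstance(arg, str)]


def attributes_with_source(record, markers=("return ", "def ", "import ")):
    """Report which stored strings look like program text."""
    return [s for s in visible_strings(record) if any(m in s for m in markers)]


if __name__ == "__main__":
    rec = stored_record(SAMPLE_STATE)
    for text in attributes_with_source(rec):
        print(text)
```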
If the Zope is installed on a machine that someone else has superuser access to, then I'd say that they can see the source to any of your objects.

All you need to do is copy the zope directory, run zpasswd.py on the new zope instance, start it up on a new machine or new port, and they can see anything in the ZODB that they want to. They wouldn't have the ability to modify the Zope that you provided, at least without you knowing that the password changed, but I don't know if that matters.

Sorry, I know that's not the answer you wanted.

What will you use if you don't use Zope?

-Paul

Harry Wilkinson wrote:
On Monday 29 April 2002 2:36 pm, Paul Winkler wrote:
On Mon, Apr 29, 2002 at 12:16:54PM +0200, Pawel Lewicki wrote:
Hallo, I was asked to make a web-application that seems to be perfect to be built in Zope and Python. And it is also the great opportunity to get to know the second one :) But the main issue is the security of the source-code. I was browsing the archive and haven't found yes/no answer if it is possible. There are a few security layers: 1. Zope management (I suppose the easiest) 2. Data.fs (Can you pull the stored objects and browse externally?)
Yes, should be possible. AFAIK Data.fs is just a big pickle dump, so all you'd need to explore it is a python interpreter.
I don't think it's *just* a big pickle dump, although yes I think the data is pickled Python objects stored in a file. It's a bit more organised than just dumping everything to a file though.
You can access the ZODB through just Python now, I think. I hear a lot of work has gone into making ZODB a standalone Python product. If you want to access data stored in that Data.fs through something other than Zope, I suggest you look at the ZODB source/docs.
HarryW
All you need to do is copy the zope directory, run zpasswd.py on the new zope instance, start it up on a new machine or new port, and they can see anything in the ZODB that they want to. They wouldn't have the ability to modify the Zope that you provided, at least without you knowing that the password changed, but I don't know if that matters.
Sorry, I know that's not the answer you wanted.
:) You're right. Will it be the same with a folder with unchecked "Acquire permission settings" and no user folder?
What will you use if you don't use Zope?
The task is to build an application with www front-end building structure in xml (not necessarily) and building dynamic sql queries. It should run on many platforms (Windows/Unix). I have no experience with scripting languages except for VB so the effort taken to get experience with any chosen platform would be comparable. The problem is that the number of supported solutions given in Python and Zope would allow to focus on software architecture not low level programming. What would you suggest? Pawel Lewicki
On Mon, Apr 29, 2002 at 11:32:28PM +0200, Pawel Lewicki wrote:
All you need to do is copy the zope directory, run zpasswd.py on the new zope instance, start it up on a new machine or new port, and they can see anything in the ZODB that they want to. They wouldn't have the ability to modify the Zope that you provided, at least without you knowing that the password changed, but I don't know if that matters.
Sorry, I know that's not the answer you wanted.
:) You're right. Will it be the same with a folder with unchecked "Acquire permission settings" and no user folder?
Yup, the password generated by zpasswd.py is nominally for emergency maintenance purposes; but once you have it, you can get anywhere in the data.fs, user folders or no. -- Paul Winkler home: http://www.slinkp.com "Muppet Labs, where the future is made - today!"
Pawel Lewicki wrote:
What will you use if you don't use Zope?
The task is to build an application with www front-end building structure in xml (not necessarily) and building dynamic sql queries. It should run on many platforms (Windows/Unix). I have no experience with scripting languages except for VB so the effort taken to get experience with any chosen platform would be comparable. The problem is that the number of supported solutions given in Python and Zope would allow to focus on software architecture not low level programming. What would you suggest?
Pawel Lewicki
I've never been involved in a project where the client wasn't allowed to see the source code... It sounds like you need to use something that is both compiled and not decompileable. This eliminates Java, Python, PHP, Perl, ruby. It probably also eliminates .Net - you could ship just the intermediate language stuff, but then they could see and possibly modify that. In my world, that leaves you with C and C++, which aren't real great for web development, because of development time and potential core dumps. I suppose that you could write a few python extensions in C/C++ that do some critical database access or some core business logic, that would return python structures to Zope for formatting/display. Sounds like a tough position to be in. Good luck, -Paul
On Tue, Apr 30, 2002 at 09:16:31AM -0600, Paul Erickson wrote:
| It sounds like you need to use something that is both compiled and not
| decompileable.

No such thing exists. Actually

    cat </dev/random >the_app.exe

will provide such a thing, but obviously it won't solve the customer's problem <0.5 wink>.

| This eliminates Java, Python, PHP, Perl, ruby. It probably also
| eliminates .Net - you could ship just the intermediate language
| stuff, but then they could see and possibly modify that.
|
| In my world, that leaves you with C and C++, which aren't real great for
| web development, because of development time and potential core dumps.

Someone with determination can still disassemble the resultant binary.

| Sounds like a tough position to be in.

It sounds like a social solution is needed for this social problem. Have your company's lawyers develop a suitable license/contract that provides ways for you to determine whether or not the customer has stolen your product and provides a means for prosecuting.

-D

--
The light of the righteous shines brightly, but the lamp of the wicked is snuffed out. Proverbs 13:9
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
Pawel Lewicki writes:
> ... source code security ...
> 1. Zope management (I suppose the easiest)

Do not know what you mean...

> 2. Data.fs (Can you pull the stored objects and browse externally?)

You could modify "cpickle" to write and read encrypted pickles...

> 3. Secure encryption of external Python modules and methods.

You could modify Python's "importModule" to handle encrypted files.

Of course, the key must be somewhere. A true hacker will find it...

Dieter
> Pawel Lewicki writes:
> > ... source code security ...
> > 1. Zope management (I suppose the easiest)
> Do not know what you mean...

I mean to disable management permissions

> > 2. Data.fs (Can you pull the stored objects and browse externally?)
> You could modify "cpickle" to write and read encrypted pickles...

Is there any mature solution?

> > 3. Secure encryption of external Python modules and methods.
> You could modify Python's "importModule" to handle encrypted files.

The same question as above.
Pawel Lewicki
On Tue, Apr 30, 2002 at 05:48:34PM +0200, Pawel Lewicki wrote:
|
| > Pawel Lewicki writes:
| > > ... source code security ...
| > > 1. Zope management (I suppose the easiest)
| > Do not know what you mean...
|
| I mean to disable management permissions

Yes, but then the customer (root@their_machine) can change the emergency user's password and bypass those permission restrictions.

| > > 2. Data.fs (Can you pull the stored objects and browse externally?)
| > You could modify "cpickle" to write and read encrypted pickles...
|
| Is there any mature solution?
|
| > > 3. Secure encryption of external Python modules and methods.
| > You could modify Python's "importModule" to handle
| > encrypted files.
|
| The same question as above.

For now assume you have this solution, it is mature, I'm your customer and I want to be naughty. (note the key there: "I want to be naughty")

I can make a script that runs in your interpreter, imports (via your "encrypted import" hook) your code, then run the decompile function on it and print out the result.

The underlying principle is

    If the instructions for the CPU are available (in some way), a determined person can extract that information and do what they please with it.

A _really_ determined person could put a scope on the CPU's contacts and read all the instructions and data travelling between the CPU and the rest of the system and record it on an unencumbered system to rebuild your product.

It's the same issue with "copy protected" audio CDs and DVDs. If you give them the data you can not prevent them from having the data. Instead a social solution is needed. (for example the music industry should prosecute copyright violators rather than trying to copy-protect cds)

HTH,
-D

--
It took the computational power of three Commodore 64s to fly to the moon. It takes at least a 486 to run Windows 95. Something is wrong here.
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
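The argument in the message above, as an added example (not code from the thread, from Zope or from any real product): a toy decrypting import hook, after which the imported code is ordinary, introspectable Python for anything running in the same interpreter. The XOR "cipher", the key, the module name `bizlogic` and its contents are all constructed for illustration.

```python
import dis
import importlib
import importlib.abc
import importlib.util
import sys

KEY = 0x5A  # constructed toy key; it has to ship with the app so the hook can decrypt

# Constructed sample of "protected" business logic (hypothetical module "bizlogic").
PLAINTEXT = (
    "PERCENT = 15\n"
    "def discount(total, tier):\n"
    "    return total * (100 - PERCENT) // 100 if tier == 'gold' else total\n"
)

def xor(data):
    """Toy stand-in for real encryption; the argument holds for any cipher."""
    return bytes(b ^ KEY for b in data)

SHIPPED = {"bizlogic": xor(PLAINTEXT.encode())}  # ciphertext on the customer's disk

class EncryptedFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Minimal decrypting import hook, standing in for a modified importer."""
    def find_spec(self, name, path=None, target=None):
        if name in SHIPPED:
            return importlib.util.spec_from_loader(name, self)
        return None

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        source = xor(SHIPPED[module.__name__]).decode()
        exec(compile(source, "<encrypted>", "exec"), module.__dict__)

def load_protected():
    """Import the module through the hook, as the vendor's application would."""
    finder = EncryptedFinder()
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module("bizlogic")
    finally:
        sys.meta_path.remove(finder)

def recovered_view(func):
    """What any code in the same interpreter can read once the import is done."""
    code = func.__code__
    return {
        "args": code.co_varnames[:code.co_argcount],
        "consts": code.co_consts,
        "names": code.co_names,
        "ops": [ins.opname for ins in dis.get_instructions(code)],
    }
```

The file on disk carries no readable identifiers, yet the argument names, constants, global names and full instruction stream are all available after import, which is why the replies that follow point to contracts and hosting rather than encryption.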
Hi list,

I use a short python script to get a list of objects (folder (with property "menue") or documents) to build a navigation tree:

    ## Script (Python) "menueobjects"
    results = []
    for object in context.objectValues(['Folder', 'DTML Document']):
        if object.hasProperty('menue') and object.menue:
            results.append(object)
    return results

This script lies within the root folder. I then use a DTML method to call this script:

    <dtml-tree branches="menueobjects" skip_unauthorized="1">
      <a href="&dtml-absolute_url;"><dtml-var title></a>
    </dtml-tree>

My problem is, that I want to get ALL the tree from the root. So far, whenever I go one level down the tree the navigation is shorted by that level.

Any idea how to avoid that?

Thanx in advance!

Regards
Joerg Wagenknecht
instead of context in the following line

    for object in context.objectValues(['Folder', 'DTML Document']):

use container

Robert

----- Original Message -----
From: "Joerg Wagenknecht" <Wagenknecht@justFX.com>
To: <zope@zope.org>
Sent: Tuesday, April 30, 2002 7:31 PM
Subject: [Zope] python-generated navigation..
Hi list,
I use a short python script to get a list of objects (folder (with property "menue") or documents) to build a navigation tree:
## Script (Python) "menueobjects"
results = []
for object in context.objectValues(['Folder', 'DTML Document']):
    if object.hasProperty('menue') and object.menue:
        results.append(object)
return results
This script lies within the root folder. I then use a DTML method to call this script:
<dtml-tree branches="menueobjects" skip_unauthorized="1">
  <a href="&dtml-absolute_url;"><dtml-var title></a>
</dtml-tree>
My problem is, that I want to get ALL the tree from the root. So far, whenever I go one level down the tree the navigation is shorted by that level.
Any idea how to avoid that?
Thanx in advance!
Regards Joerg Wagenknecht
Joerg Wagenknecht writes:
> ...
> <dtml-tree branches="menueobjects" skip_unauthorized="1">
>   <a href="&dtml-absolute_url;"><dtml-var title></a>
> </dtml-tree>
>
> My problem is, that I want to get ALL the tree from the root. So far, whenever I go one level down the tree the navigation is shorted by that level.

Try:

    <dtml-let root="PARENTS[-1]">
      <dtml-tree root ....
        ...
      </dtml-tree>
    </dtml-let>

Dieter
Pawel Lewicki writes:
> > Pawel Lewicki writes:
> > > 2. Data.fs (Can you pull the stored objects and browse externally?)
> > You could modify "cpickle" to write and read encrypted pickles...
> Is there any mature solution?
> > > 3. Secure encryption of external Python modules and methods.
> > You could modify Python's "importModule" to handle encrypted files.
> The same question as above.

The "you" above was meant personally:

You, personally, need to come up with a solution. At least, I do not know of one you can simply use.

In the early days, DC tried to hide their code. They may have a solution (probably unmaintained).

Dieter
Thank you very much for all pieces of advice. As I can see there is no fully protected solution :) Somehow this is an advantage because I can use whatever I want (Zope+Python :) Pawel Lewicki
In my case the licensing issue is not a problem. The problem is how to protect the developed solution not to be copied and modified by a "naughty" customer. Unfortunately the application would have to be running on his server.
With any database backed solution there is a strong possibility that a customer will find a way to access the database directly. Often, the schema of the back-end database represents about half of the work required to recreate the app. The developer's analysis of the data set, and a large part of the requirements for the app can be reverse engineered from a good 3NF or 5NF schema. With Zope, hiding the source code of the application and presentation layers will be a problem too...

The solutions to this problem fall into the categories of legal and technical:

Technical: Lease an application server "appliance" to your customer. Keep it current with vendor security patches, etc, back it up for them, don't give the customer root, or even a shell at all! Or sell your app as a hosted service, charge per month per user for access ;-)

Legal: Get a non-disclosure / non-competitive contract to make you feel better. Often this kind of contract is put in place when source is to be delivered for a particular contracting or subbing arrangement. Strict clauses about how, when, where and for what the source may be used for are the norm. A contract to cover your concerns is nothing new, good IT lawyers should already be familiar with them as they've probably done a few hundred....

Conclusion: I personally prefer the software as a service idea, as it produces a nice constant, possibly never ending cash flow, removes the need to create nice pretty install routines for the software or any patches.... Your marketing dept won't be bugging you to completely re-design the interface every six months so that they can sell a visibly new "upgrade" either. Don't forget about the SLA double edge sword, it can be used to make the customer feel better about the availability of your service, but can also be used to limit your liability in the event of a server or network outage....

Better to refund $50 for a day of downtime than get sued for $5M 'cause your customer lost a contract while your server was down that day....

Adam
participants (9)
- Adam Manock
- Dieter Maurer
- dman
- Harry Wilkinson
- Joerg Wagenknecht
- Paul Erickson
- Paul Winkler
- Pawel Lewicki
- Robert Rottermann