Zopistas and MikeP,

I'm trying to use etcUserFolder, and I want it to actually authenticate off of /etc/shadow. Saying /etc/shadow as the Password File doesn't work, presumably because Zope is running as nobody. Is there any way I can let just etcUserFolder run as shadow?

On a similar note, am I doing something terribly stupid/compromising here?

--
http://mindlace.net __________________ mindlace@imeme.net
I don't want The Truth but I wouldn't mind a Big Analogy.
mindlace wrote:
Zopistas and MikeP,
I'm trying to use etcUserFolder...
And I can't get it to work at all. etcUserFolder.py says to put a file in a directory called etcUsers in the root zope folder. OK, I made a folder zope/etcUsers/, and copied my /etc/shadow to there. Then I edited it to just have a few names:passwords. Then I chowned nobody. This wasn't working. I copied it to the directory of the product- lib/python/Products/etcUserFolder. No juice. While from crypt import crypt worked on the command line, I still copied cryptmodule.so to my zope directory. No dice. So I copied it to etc's directory. No juice. etcUserFolder still tells me there are no users whatsoever. What am I doing wrong?

--
http://mindlace.net __________________ mindlace@imeme.net
I don't want The Truth but I wouldn't mind a Big Analogy.
mindlace wrote:
mindlace wrote:
I'm trying to use etcUserFolder...
And I can't get it to work at all.
etcUserFolder works for me now, but my prior question (how can I get it to use /etc/shadow?) still stands.

--
http://mindlace.net __________________ mindlace@imeme.net
I don't want The Truth but I wouldn't mind a Big Analogy.
On Mon, 20 Mar 2000, mindlace wrote:
mindlace wrote:
mindlace wrote:
I'm trying to use etcUserFolder...
And I can't get it to work at all.
etcUserFolder works for me now, but my prior question (how can I get it to use /etc/shadow?) still stands.
You can't, unless Zope runs as root (which would be a very bad thing). This is by design. The best you can do is:

1) Set up Zope to run as its own user (eg. user 'zope') instead of user 'nobody'
2) Add a crontab job to copy the /etc/shadow file to where Zope can see it, changing ownership to user zope and removing group and other permissions.

If you run Zope as the nobody user, then the encrypted passwords will need to be visible to this user, as well as any other processes that run as user nobody which is not a good thing.

--
  ___
 // Zen (alias Stuart Bishop)         Work: zen@cs.rmit.edu.au
// E N Senior Systems Alchemist       Play: zen@shangri-la.dropbear.id.au
//__ Computer Science, RMIT           WWW: http://www.cs.rmit.edu.au/~zen
1) Set up Zope to run as its own user (eg. user 'zope') instead of user 'nobody'
2) Add a crontab job to copy the /etc/shadow file to where Zope can see it, changing ownership to user zope and removing group and other permissions.
This makes the shadow password suite worthless. Assuming read-only access to /etc/shadow it's better to use a simple wrapper program that can do the access. This program should be carefully designed to not allow arbitrary input to compromise security. One example is checkpassword (not for non-root programs) which is located at http://cr.yp.to/checkpwd.html It's designed primarily to get a simple interface to various authentication schemes, but may be used as an example.

Regards, Frank
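To illustrate the wrapper design Frank describes (a separate, narrowly scoped program that is the only thing allowed to read the shadow file, takes a username/password on a checkpassword-style interface, and returns nothing but a verdict), here is an added example that is not code from this thread, from etcUserFolder or from checkpassword. It assumes a constructed PBKDF2 stand-in for the crypt(3) hash a real shadow file holds, so it runs on any interpreter, and a constructed sample shadow file in place of /etc/shadow.

```python
import hashlib
import hmac
import re
import sys

# Constructed stand-in for crypt(3) (not a real shadow hash scheme): the field
# looks like $demo$<salt>$<hex digest>; a real helper would call crypt() here.
def hash_password(password: str, salt: str) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)
    return f"$demo${salt}${digest.hex()}"

# Plain account names only: no ':' (shadow field separator), '/', whitespace or NUL.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def lookup_hash(shadow_text: str, username: str):
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == username:
            return fields[1]
    return None

def check_password(shadow_text: str, username: str, password: str) -> bool:
    """Only a verdict leaves this function; the caller never sees the hash."""
    if not USERNAME_RE.fullmatch(username) or not 0 < len(password) <= 256:
        return False
    stored = lookup_hash(shadow_text, username)
    # Unknown user, empty field, or locked account ('!' / '*' prefix) all fail closed.
    if not stored or stored[0] in "!*":
        return False
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    return hmac.compare_digest(hash_password(password, parts[2]), stored)

def handle_request(data: bytes, shadow_text: str) -> int:
    """checkpassword-style exit codes: 0 ok, 1 rejected, 2 malformed request."""
    fields = data.split(b"\0")
    if len(fields) < 3:  # need "user\0pass\0" including the terminating NUL
        return 2
    try:
        user, pw = fields[0].decode("utf-8"), fields[1].decode("utf-8")
    except UnicodeDecodeError:
        return 2
    return 0 if check_password(shadow_text, user, pw) else 1

SAMPLE_SHADOW = (  # constructed sample, not a real /etc/shadow
    f"alice:{hash_password('correct horse', 'c0nstructed')}:18000:0:99999:7:::\n"
    "bob:!locked-hash:18000:0:99999:7:::\n"
    "daemon:*:18000:0:99999:7:::\n"
)

if __name__ == "__main__":
    # Deployed, this would read the request on fd 3 as checkpassword does, read
    # the real /etc/shadow, and be the only process with permission to do so.
    sys.exit(handle_request(sys.stdin.buffer.read(4096), SAMPLE_SHADOW))
```

Zope (running as its own unprivileged user) would invoke the helper and act on its exit status alone, so the hashes never become readable to the web process.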
mindlace wrote:
mindlace wrote:
mindlace wrote:
I'm trying to use etcUserFolder...
And I can't get it to work at all.
etcUserFolder works for me now, but my prior question (how can I get it to use /etc/shadow?) still stands.
You can't. As security policy, we do not write code that lets Zope open files outside of the Zope directory. You can, of course, do this in your own code, but we do not recommend it. My first version of etcUserFolder actually was able to open files anywhere (hence the name) but I was enlightened by Jim that this is a possible security hazard.

-Michel
participants (4):
- Frank Tegtmeyer
- Michel Pelletier
- mindlace
- Stuart 'Zen' Bishop