localfs, how to secure for homedirs...
Hi all,

I want to implement localfs to give users remote access to their home directories. I want to create a localfs object per user. How can I secure this, so a given user can only see his own stuff and prevent the others from accessing it?

Are roles the answer?

Francois
On Thu, Mar 20, 2003 at 03:52:45PM -0500, Meehan, Francois wrote:
> Hi all,
>
> I want to implement localfs to give users remote access to their home directories. I want to create a localfs object per user. How can I secure this, so a given user can only see his own stuff and prevent the others from accessing it?
>
> Are roles the answer?

I'd use the "Owner" role. Set the permissions on each user's stuff so that Owner can do the necessary stuff, and make that user the owner.

But there's another problem. Do you mean "home directory" as in /home/some_user on unix? That's risky. The zope process runs as a user - the user that starts the process - and in order to read things in different directories under /home you'd have to make them all readable (and, if you want to be able to add stuff to each LocalFS, writeable!) by that one user. Making it writable is bad. If a malicious user were to gain management privileges of your zope, they would then have read/write access to ANY user's home directory!

-- 
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's ANTI GOD!
(random hero from isometric.spaceninja.com)
On Thu, Mar 20, 2003 at 03:52:45PM -0500, Meehan, Francois wrote:
> Hi all,
>
> I want to implement localfs to give users remote access to their home directories. I want to create a localfs object per user. How can I secure this, so a given user can only see his own stuff and prevent the others from accessing it?
>
> Are roles the answer?
>
> Francois

No. Localfs objects have to be readable (at least) by the userid that zope is running as. Zope should not be run as root, for a variety of good reasons.

Presumably your users own their own files, and in a modern system, are probably in individual groups. This gives you two options; neither inherently secure. Either you can write some kind of suid root program to read/write the files, or you can put zope's groupid in the group of each individual user.

In either case, you are intentionally creating an agent that can bypass normal filesystem security. This means that this agent has to be simple, rock solid, and totally paranoid. It has to check that each user has the right to access the directory/file he is trying to access for the purpose that he is accessing it.

And this gets into tough policy decisions. Do you read /etc/passwd to determine the home directory of each user? Do you know how zope userids correspond to system userids? Where is this kept? Do you honor umask settings? Can you find them? Do you honor read bits, if you are using a suid root program, that is, can joe read a chmod 000 file in his own home directory?

Then you implement the policy in your own code. Fun, eh?

Jim Penny
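The "totally paranoid" agent Jim describes, and the single-process-uid problem Paul raises, sketched as an added Python example; this is not code from the thread, from LocalFS or from Zope. It assumes an in-memory mapping from Zope user ids to Unix accounts (ACCOUNTS, one answer to "where is this kept?") and builds its own throwaway home directories under a temp dir so it runs offline. The policy it implements is one possible answer to Jim's questions: confine every request to the user's own home (after resolving symlinks), require the search bit on each directory on the way, and honour the file's own read/write bits for the *requesting* user rather than for the process, so a chmod 000 file in joe's own home is refused even when the agent itself runs as root.

```python
import os
import shutil
import tempfile

# Constructed mapping from Zope user id to the Unix account it stands for
# (an assumption: uid, gid and home are filled in by demo() below).
ACCOUNTS = {"joe": {}, "alice": {}}


class AccessDenied(Exception):
    pass


def _bits_allow(st, uid, gid, need):
    """Evaluate the rwx bits of `st` for the requesting user (uid, gid).
    os.access() is deliberately not used: it answers for the process's own
    identity (root, or the Zope account), not for the user being served."""
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 0o7
    elif gid == st.st_gid:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & need == need


def check_access(account, relpath, want_write=False):
    """Return the canonical path if `account` may read (or, with want_write,
    write) `relpath` inside its own home directory; raise AccessDenied otherwise."""
    home = os.path.realpath(account["home"])
    if os.path.isabs(relpath):
        raise AccessDenied("absolute paths are not accepted")
    # realpath() follows symlinks, so a link that points outside the home
    # is rejected the same way as "../" traversal.
    target = os.path.realpath(os.path.join(home, relpath))
    if target != home and not target.startswith(home + os.sep):
        raise AccessDenied("path escapes the home directory")
    uid, gid = account["uid"], account["gid"]
    rel = os.path.relpath(target, home)
    parts = [] if rel == "." else rel.split(os.sep)
    # Every directory from the home down to the target's parent needs the
    # search (x) bit for this user, as the kernel itself would require.
    for i in range(len(parts)):
        d = os.path.join(home, *parts[:i])
        if not _bits_allow(os.stat(d), uid, gid, 0o1):
            raise AccessDenied("no search permission on %s" % d)
    if os.path.exists(target):
        need = 0o2 if want_write else 0o4
        if not _bits_allow(os.stat(target), uid, gid, need):
            raise AccessDenied("permission bits deny %s" % relpath)
    elif want_write:
        # Creating a new file requires write permission on its directory.
        if not _bits_allow(os.stat(os.path.dirname(target)), uid, gid, 0o2):
            raise AccessDenied("cannot create %s" % relpath)
    else:
        raise AccessDenied("no such file: %s" % relpath)
    return target


def demo():
    """Constructed sandbox: two home directories in a temp dir, then the
    verdict for a handful of requests made on behalf of 'joe'."""
    base = tempfile.mkdtemp(prefix="localfs-")
    joe_home, alice_home = os.path.join(base, "joe"), os.path.join(base, "alice")
    private = os.path.join(joe_home, "private")
    try:
        os.makedirs(private)
        os.mkdir(alice_home)
        # 'joe' is the process's own identity so the owner bits apply to him;
        # 'alice' gets a made-up uid/gid so she is a different user.
        ACCOUNTS["joe"].update(uid=os.getuid(), gid=os.getgid(), home=joe_home)
        ACCOUNTS["alice"].update(uid=65534, gid=65534, home=alice_home)
        for path, mode in [(os.path.join(joe_home, "notes.txt"), 0o600),
                           (os.path.join(joe_home, "locked.txt"), 0o000),
                           (os.path.join(private, "key"), 0o600),
                           (os.path.join(alice_home, "secret.txt"), 0o644)]:
            with open(path, "w") as f:
                f.write("x")
            os.chmod(path, mode)
        os.symlink(os.path.join(alice_home, "secret.txt"),
                   os.path.join(joe_home, "shortcut"))
        os.chmod(private, 0o600)  # readable but not searchable
        requests = [("notes.txt", False),           # plain file in own home
                    ("locked.txt", False),          # chmod 000 in own home
                    ("../alice/secret.txt", False), # traversal out of home
                    ("shortcut", False),            # symlink out of home
                    ("private/key", False),         # parent lacks the x bit
                    ("new.txt", True)]              # create a new file
        verdicts = {}
        for rel, write in requests:
            try:
                check_access(ACCOUNTS["joe"], rel, want_write=write)
                verdicts[rel] = "allowed"
            except AccessDenied as e:
                verdicts[rel] = "denied: %s" % e
        return verdicts
    finally:
        if os.path.isdir(private):
            os.chmod(private, 0o700)
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print("%-22s %s" % (rel, verdict))
```

Whether a suid helper or a group-membership trick is used to reach the files, the decision logic stays the same: the identity that matters is the one looked up in ACCOUNTS, never the identity the process happens to hold. Umask handling for newly created files is left out here; it would be another policy entry per account.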
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )