Ty Sarna wrote:
My nightly security scan turned up two files in the distribution with the SGID bit set:
Checking setuid files and devices:
Setuid additions:
-rw-r-S--- 1 tsarna devel 605 Aug 12 06:03:46 1998 /endicor/home/tsarna/work/netbsd/pkgsrc/www/zope/work/Zope-1.9b1-src/lib/python/App/Setup
-rw-r-S--- 1 tsarna devel 833 Aug 14 11:49:53 1998 /endicor/home/tsarna/work/netbsd/pkgsrc/www/zope/work/Zope-1.9b1-src/lib/python/OFS/Setup
Harmless, but should be fixed anyway :^)
Weird. My checked out (from CVS) version doesn't have this setting but the release does. I'm not going to think hard about it. I just removed these. They aren't used anymore anyway.
Also, I've noticed a tendency for Zope to throw up a lot more exceptions, even in "success" situations. Maybe this is just an extra knob that's turned on for betas, or maybe it's a difference in Python 1.5 exception handling. Shutdown, for example, works and gives the familiar message, but then shows:
Traceback (innermost last):
  File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 861, in publish_module
  File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 583, in publish
    (Info: /Control_Panel/manage_shutdown)
  File /usr/pkg/zope/lib/python/App/ApplicationManager.py, line 216, in manage_shutdown
    (Object: Navigation)
SystemExit: 0
A similar thing happens if I enter the management password incorrectly. I get the usual message, but then a traceback as well.
These were always "exceptions". When you click on the shutdown button, the application calls sys.exit, which raises a SystemExit. This has always been the case, but you didn't notice because tracebacks were in HTML comments. Similarly, authorization failures are triggered by raising "Unauthorized". Your PCGI info file probably has: BOBO_DEBUG_MODE=1 which turns on a number of debugging features, including the non-hiding of tracebacks. BTW, we need to change this to "ZOPE_DEBUG". :)
Also, I copied over the data from a sandbox Principia that I'd been playing with here recently, and it worked except for two folders I couldn't enter (from the management interface, that is).
Note that we aren't yet asserting that Principia databases are supported. They will be supported by the second or third beta. OTOH, we are glad when folks do try using them and report problems.
One contained some Aqueduct stuff, the other was my TinyTable testing folder. Since those products weren't installed I didn't expect them to work. ;-) However, I expected to see something like what happened with the SwRI site's license file problems, when the icons for ExternalMethods changed to a broken document and the title became "this is a broken object". However, with Zope the entire folder's manage_main became inaccessible:
Traceback (innermost last):
  File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 861, in publish_module
  File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 583, in publish
    (Info: /Testing/manage_main)
  File /usr/pkg/zope/lib/python/Globals.py, line 222, in __call__
    (Object: manage_main)
  File /usr/pkg/zope/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: manage_main)
  File /usr/pkg/zope/lib/python/DocumentTemplate/DT_In.py, line 675, in renderwob
    (Object: objectItems)
  File /usr/pkg/zope/lib/python/OFS/SimpleItem.py, line 144, in title_and_id
    (Object: Item)
AttributeError: id
The machinery for creating "Broken" objects seems to be failing here. I'll look into it.

Jim

--
Jim Fulton  mailto:jim@digicool.com
Technical Director  (540) 371-6909  Python Powered!
Digital Creations  http://www.digicool.com  http://www.python.org

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) this email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
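Jim's explanation above turns on two Python facts: sys.exit() does not terminate anything by itself, it raises SystemExit, which a publisher loop can catch like any other exception; and whether a traceback reaches the browser is a policy decision of the publisher, controlled by a debug flag. The tracebacks Ty posted show why that policy matters: they reveal absolute install paths (/usr/pkg/zope/lib/python/...), module names and line numbers to whoever issued the request, and a traceback wrapped in an HTML comment is still transmitted and readable with view-source. The following is an added illustration written for this page, not Zope's ZPublisher code: a minimal publish() that catches SystemExit and an Unauthorized exception, logs the full traceback server-side, and only inlines it in the response when debug mode is on. The handler names, the Unauthorized class and the password are constructed stand-ins, not Zope's.

```python
import html
import sys
import traceback


class Unauthorized(Exception):
    """Raised when a request fails authorization (stand-in for the name used in the thread)."""


def manage_shutdown():
    """Stand-in for the shutdown button: sys.exit() raises SystemExit instead of exiting directly."""
    sys.exit(0)


def manage_main(password):
    """Stand-in for a password-guarded management screen (constructed credential, demo only)."""
    if password != "constructed-demo-password":
        raise Unauthorized("manage_main")
    return "<html>manage_main</html>"


def _error_response(status, message, debug_mode, server_log):
    # Must be called from inside the except clause: traceback.format_exc() only
    # sees the exception while it is still being handled.
    tb = traceback.format_exc()
    server_log.append(tb)           # the operator gets the full detail, always
    if debug_mode:
        # Debug mode: expose the traceback to the (trusted) developer's browser.
        body = "<html><h1>%s</h1><pre>%s</pre></html>" % (message, html.escape(tb))
    else:
        # Production: nothing from the traceback reaches the client. Hiding it
        # inside <!-- --> would not help; comments are delivered in the response.
        body = "<html><h1>%s</h1></html>" % message
    return status, body


def publish(handler, args=(), debug_mode=False, server_log=None):
    """Invoke handler(*args) and map the outcome to an (HTTP status, body) pair."""
    if server_log is None:
        server_log = []
    try:
        return 200, handler(*args)
    except SystemExit as exc:
        # SystemExit derives from BaseException, so a plain "except Exception"
        # would not catch it and the request loop itself would unwind and exit.
        server_log.append("shutdown requested, exit code %r" % (exc.code,))
        return 200, "<html><h1>Shutting down</h1></html>"
    except Unauthorized:
        return _error_response(401, "Unauthorized", debug_mode, server_log)
    except Exception:
        return _error_response(500, "Internal Server Error", debug_mode, server_log)


if __name__ == "__main__":
    log = []
    print(publish(manage_shutdown, server_log=log))
    print(publish(manage_main, ("wrong",), debug_mode=False, server_log=log))
    print(publish(manage_main, ("wrong",), debug_mode=True, server_log=log))
    print("\n".join(log))
```

Run it as a script: the shutdown call returns a normal response rather than killing the process, the failed login returns a 401 whose body carries no file paths unless debug_mode is set, and the server-side log holds the full traceback in both cases. A debug switch like BOBO_DEBUG_MODE belongs in the deployment configuration of a development instance only; the traceback text it reveals is exactly the reconnaissance data a production server should withhold.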