[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
R. David Murray
rdmurray@bitdance.com
Tue, 17 Dec 2002 14:37:29 -0500 (EST)
In gmane.comp.web.zope.coders you write:
>Shane Hathaway wrote:
>>> How so?
>>
>> It is not safe to let untrusted users import arbitrary modules.
>Why not?
Because one of the fundamentals of security is that you deny things
by default, and allow them in particular, i.e., allow an import
only of a module you have reviewed and marked as safe.
>> Not true. You need only import a module that has a side effect or which
>> assumes it runs only from the command line.
>Can you give me an example?
He doesn't need to. The point is that if *any* import is allowed,
then some future code (say a 3rd party Product from someone not
paying attention to security) could be installed by an admin who
doesn't happen to notice that the module is not secure for non-trusted
users to import, and he's screwed without knowing it. This is
*exactly* the kind of bug that shows up on BUGTRAQ eventually, when
some hacker figures out how to compromise your system with it.
(That said, such a bug would probably fall into the category of
"difficult to exploit", I suspect, since you'd have to get a fairly
weird chain of consequences from an insecure side effect to, say,
get your zope account compromised).
The point is that security needs to be the default posture,
and you have to think of it in terms of defense-in-depth:
make every layer as secure as you can while still providing
the functions required.
>I'm loath to remove the fix until a proper solution is found. This one works for
>me, but if you (or anyone else) can give me some pointers as to how it _should_
>be fixed then I'm happy to do the work.
And I'm much *more* loath to introduce a security hole to fix a problem
that doesn't stop Zope from working, and I suspect a lot of other
people will agree with me.
I hate to suggest yet-another-environment-variable, but maybe you could
have your modification be active only if the admin sets a flag,
so that he has to take action to lower the security posture of his
site in order to get the functionality. Pending a better fix.
--RDM
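The deny-by-default import guard argued for above, together with the admin-set flag suggested at the end, as an added illustration in Python. This is not code from ZopeGuards.py or the Zope project; the allow-list contents and the environment variable name ZOPE_ALLOW_ALL_IMPORTS are assumptions made for the example.

```python
import importlib
import os

# Constructed allow-list: modules an admin has reviewed and marked safe for
# untrusted code. Anything not listed here is denied. (Assumed contents.)
SAFE_MODULES = frozenset({"string", "math", "random"})

# Hypothetical flag: the admin must set it explicitly to lower the posture.
ALLOW_ALL_FLAG = "ZOPE_ALLOW_ALL_IMPORTS"


class ImportDenied(ImportError):
    """Raised when untrusted code tries to import a module not on the allow-list."""


def guarded_import(name, allowed=SAFE_MODULES, allow_all=None):
    """Import `name` only if it is on the reviewed allow-list.

    allow_all=None consults the environment flag; a bool overrides it.
    The check is an exact match on the full dotted name, so allowing "os"
    would not allow "os.path", and a dotted name is never matched by its
    first component alone.
    """
    if allow_all is None:
        allow_all = os.environ.get(ALLOW_ALL_FLAG) == "1"
    if not allow_all and name not in allowed:
        raise ImportDenied("import of %r denied: not on the reviewed allow-list" % name)
    return importlib.import_module(name)


def make_restricted_builtins(allowed=SAFE_MODULES, allow_all=None):
    """Builtins for untrusted code whose __import__ is the guard above."""
    def _import(name, globals=None, locals=None, fromlist=(), level=0):
        # `from os import path` arrives here as name="os", so the allow-list
        # check on the top-level name covers from-imports too.
        if level != 0:
            raise ImportDenied("relative imports are not permitted")
        return guarded_import(name, allowed, allow_all)
    return {"__import__": _import}


def run_untrusted(source, allowed=SAFE_MODULES, allow_all=None):
    """Execute untrusted source with only the guarded __import__ available."""
    ns = {"__builtins__": make_restricted_builtins(allowed, allow_all)}
    exec(compile(source, "<untrusted>", "exec"), ns)
    return ns
```

The guard decides only which modules untrusted code can name; whether a listed module's attributes are themselves safe to expose is exactly the review the post says must happen before a module goes on the list.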