[Zope-dev] DTML Syntax contd. + rant

Evan Simpson evan@tokenexchange.com
Thu, 11 Nov 1999 11:09:16 -0600


From: Andrew M. Kuchling <akuchlin@mems-exchange.org>
> This leads on to a security-related, I think.  DC staff have said in
> the past that Python code isn't stored in the database for security
> reasons.  PythonMethods change this; someone who gets your manager
> password can create a Python method that makes a setuid copy of your
> shell or whatever.  (Disclaimer: I haven't actually gotten around to
> trying out PythonMethods yet.)

The latest release of the PythonMethod Product has two kinds of
PythonMethod: regular and XXX.  A switch in the source code allows you to
turn "XXXPythonMethod"s on and off, and they are off by default.  XXXPMs are
wild, unsafe, and unrestricted, with (lack of) security equivalent to
External Methods.  The only limit on them (under *nix, anyway) is that
they're likely to be running as user "nobody".  Regular PMs, on the other
hand, are meant to be completely safe, and subject to all the same
restrictions as DTML, although this goal has not yet been achieved.  Any
holes in regular PM security, however, only give improper access to Zope
objects, *not* the system at large.

> Question: Is there a way we can reconcile these two conflicting
> drives?  If some solution can be found, then maybe PythonMethods could
> be added to the products that come with basic Zope.  Suggestions?

The DC folks have started talking with me about this.  I'm optimistic.

> 1) Perhaps PythonMethods could be enabled or disabled when you install
> Zope; if people are going to be using Zope over insecure links, and
> shouldn't be using PythonMethods, don't install them.

Substitute "XXXPythonMethods" for "PythonMethods", and I agree.  Already
done, too :-)

> 2) Perhaps they could use the rexec module or Zope's existing sandbox
> to run their code (but would the sandbox limit their usefulness? --
> maybe not, if you take the attitude that serious Python code should
> still be in a product or ExternalMethod).

XXXPythonMethods should never be used on a system with untrusted clients, or
which is accessed via an insecure link.  People will anyway, of course, but
they've been warned.  Regular PMs with proxy roles and External Methods
should be the norm.

Cheers,

Evan @ 4-am