[Zope-dev] Membership Security Update

Bill Anderson bill@libc.org
Wed, 09 Aug 2000 19:01:06 -0600


A day or so ago, I made an announcement that there may be a problem with Zope storing passwords for members in the clear
in the SystemProperties propertysheet.

After some investigation, it does exactly what it is supposed to do. That is, store them encrypted with crypt by
default. The catch is, if crypt is not importable for some reason, it stores them in plain text.

Systems tested
 Linux, RedHat 6.2: Crypt works fine
 HP-UX 11.0: Crypt does not import, thus it stores them as plaintext.


If you install the Membership product, add a user, and then look at the property sheets for the user (see the wiki), you
can verify whether your platform encrypts correctly or not. If your system is not on the list above, please let me know
the results. Odds are all the current Linux distributions work fine.

Otherwise, it works fine. :^)=

Bill


--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.
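
The fallback described in the message above, as an added Python example that is not part of the original post and not the Membership product's code: it contrasts the fail-open behaviour (plaintext when crypt cannot be imported) with a fail-closed variant, plus a self-test that automates the manual property-sheet check. All function names, the canary value and the stand-in hasher are assumptions made for illustration.

```python
import hashlib
import importlib


class NoPasswordHasher(RuntimeError):
    """Raised instead of silently storing a plaintext password."""


def load_hasher(module_name="crypt"):
    # Return module.crypt, or None when the module cannot be imported
    # (the HP-UX 11.0 case in the post; also Python 3.13+, which removed crypt).
    try:
        return importlib.import_module(module_name).crypt
    except (ImportError, AttributeError):
        return None


def standin_hasher(password, salt):
    # Constructed stand-in so the example runs anywhere; NOT crypt(3) and
    # not a recommended password hash.
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()


def encode_fail_open(password, hasher, salt="ab"):
    # Behaviour described in the post: no hasher means plaintext is stored.
    return password if hasher is None else hasher(password, salt)


def encode_fail_closed(password, hasher, salt="ab"):
    # Hardened variant: refuse to store anything if hashing is unavailable.
    if hasher is None:
        raise NoPasswordHasher("password hashing unavailable; not storing plaintext")
    return hasher(password, salt)


def stores_plaintext(encoder, hasher, canary="canary-password"):
    # Startup self-test: automates "add a user and look at the property sheet".
    try:
        return encoder(canary, hasher) == canary
    except NoPasswordHasher:
        return False


if __name__ == "__main__":
    print("crypt importable on this platform:", load_hasher() is not None)
    for name, h in (("stand-in hasher", standin_hasher), ("hasher missing", None)):
        print(name, "-> fail-open stores plaintext:", stores_plaintext(encode_fail_open, h))
```

Running `stores_plaintext` once at startup and refusing to start (or logging loudly) when it returns true surfaces the platform problem before any member password is written.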