[Zope-dev] Xron and security

Steve Alexander steve@cat-box.net
Tue, 22 Aug 2000 21:01:04 +0100


Hi Loren,

> I'd be glad to listen to well considered proposals for how Xron should
> handle security.

Consider this a "straw man".


On installation, Xron creates a user in the root user folder called
"XronUser".

Xron is responsible for setting this user's password. Therefore, it is
known both to the Xron product and to the root user folder.

When a Xron method is run, there is a property that indicates whether it
is called anonymously, or authenticated as XronUser.

The Xron product could change the password of XronUser every day to a
new random value.

The domains associated with XronUser could be just localhost.localdomain
(not sure about this). Or they could be based on whatever the machine's
host-name is (probably better).

Site administrators can assign local roles to XronUser as necessary.

If Phillip Eby's proposed changes to the access file get included in
some future version of Zope, XronUser could be included as one of these
bootstrap users by simply writing to a file.

--
Steve Alexander
Software Engineer
Cat-Box ltd
http://www.cat-box.net
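The straw man above, as an added Python sketch that is not Xron's or Zope's code: a toy user folder (the hypothetical `UserFolder`, not Zope's real acl_users API) holds XronUser with a salted, hashed password that the Xron object alone generates and rotates once per day, restricted to the local host-name as its domain; `caller_identity` is the property that tells a scheduled method whether it runs as XronUser or anonymously.

```python
import hashlib, hmac, secrets, socket
from datetime import date

def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

class UserFolder:
    """Toy stand-in for the Zope root user folder (hypothetical, not Zope's own API)."""

    def __init__(self):
        self._users = {}  # name -> (salt, salted sha256 of password, allowed domains)

    def set_user(self, name, password, domains):
        salt = secrets.token_bytes(16)  # create the user, or replace its password
        self._users[name] = (salt, _digest(salt, password), tuple(domains))

    def authenticate(self, name, password, from_host):
        """True only for the right password AND a request from an allowed domain."""
        if name not in self._users:
            return False
        salt, digest, domains = self._users[name]
        ok = hmac.compare_digest(digest, _digest(salt, password))
        return ok and from_host in domains

class Xron:
    """The scheduler: it alone holds XronUser's secret and rotates it daily."""
    USER = "XronUser"

    def __init__(self, acl_users, hostname=None):
        self.acl_users = acl_users
        self.hostname = hostname or socket.gethostname()  # domain restriction
        self.password = self._rotated_on = None  # secret lives only inside Xron
        self.rotate_if_stale()

    def rotate_if_stale(self, today=None):
        """Give XronUser a fresh random password once per calendar day."""
        today = today or date.today().isoformat()
        if self._rotated_on == today:
            return False
        self.password, self._rotated_on = secrets.token_urlsafe(32), today
        self.acl_users.set_user(self.USER, self.password, [self.hostname])
        return True

    def caller_identity(self, password, from_host):
        """The property a scheduled method sees: 'XronUser' or 'Anonymous'."""
        if password and self.acl_users.authenticate(self.USER, password, from_host):
            return self.USER
        return "Anonymous"
```

A request from any other host, with a wrong or stale password, or with no credentials at all, is reported as Anonymous even though the XronUser account exists.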