[Zope-dev] startup security status (say that five times fast... well, ok, it wasn't so tough after all)
Leonardo Rochael Almeida
leo@hiper.com.br
Wed, 24 Oct 2001 16:31:50 -0200
Behrens Matt - Grand Rapids wrote:
> [snipped enlightening description of the zope user writable z2.pid problem]
>
> Solutions:
>
> 1. Have the stop script check ownership of the pid file to make sure
> it's still root's baby. This solution seems easiest, but something
> about it doesn't seem right to me. When something doesn't feel right to
> me, there's probably a way to fool it...
>
> 2. Enforce the sticky bit on the var directory. From Solaris' chmod(2)
> manpage:
>
> If a directory is writable and has S_ISVTX (the sticky bit)
> set, files within that directory can be removed or renamed
> only if one or more of the following is true (see unlink(2)
> and rename(2)):
>
> o the user owns the file
>
> o the user owns the directory
>
> o the file is writable by the user
>
> o the user is a privileged user
>
> (Privileged user means 'root'.) We only need to enforce the sticky bit
> if we start as root and are doing the requisite setuid(). My patch
> already has a test for this.
>
> 3. Have the pid file written into another directory that only root can
> write to.
>
I don't like 1 either because it looks too complicated for a security
issue solution. Security solutions should be extremely simple so that
they can be made easily debuggable and ... (/me looks at Zope security
machinery source code)... never mind :-)
Anyway, 3 looks more aesthetically pleasing to me, mainly because it
requires the least amount of code, but I can live with number 2.
Overall, I like the way you are going with this patch. Keep up the good
work :-)
cheers, Leo
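As an added example (not Zope's code and not Matt's patch), here is what the ownership check of option 1 looks like once it also refuses the obvious ways to fool it: a symlink planted in var/, a pid file writable by others, and a world-writable var/ without the sticky bit from option 2. The paths, the expected owner and the pid 4242 are constructed for the demo.

```python
import os
import stat
import tempfile

def pidfile_problems(path, expected_uid):
    """Return the reasons not to trust the pid file at `path` (empty list = OK)."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: never follow a symlink the Zope user planted
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owner %d != %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group/other")
    # Option 2 from the thread: a writable var/ needs S_ISVTX so the
    # unprivileged Zope user cannot unlink or rename root's file.
    d = os.stat(os.path.dirname(path) or ".")
    if d.st_mode & stat.S_IWOTH and not d.st_mode & stat.S_ISVTX:
        problems.append("directory world-writable without sticky bit")
    return problems

def read_pid(path, expected_uid):
    """Return the pid only when every check passes, otherwise None."""
    if pidfile_problems(path, expected_uid):
        return None
    with open(path) as f:
        return int(f.read().strip())

def demo():
    """Constructed fixture: a trustworthy z2.pid and a planted symlink beside it."""
    me = os.getuid()
    var = tempfile.mkdtemp()  # mode 0700, so the directory check passes
    good = os.path.join(var, "z2.pid")
    with open(good, "w") as f:
        f.write("4242\n")
    os.chmod(good, 0o644)
    link = os.path.join(var, "z2.pid.link")
    os.symlink("/dev/null", link)
    return {
        "good": read_pid(good, me),
        "link": pidfile_problems(link, me),
        "wrong_owner": pidfile_problems(good, me + 1),
    }
```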