[Zope-dev] Re: Unsecure design of ExternalFile

Wei He hewei@ied.org.cn
Fri, 22 Nov 2002 15:51:25 +0800 (CST)


On Fri, 8 Nov 2002, Craeg K Strong wrote:

> OK
> 
> How about this for the TODO list for ExternalFile:
> 

Hope it isn't too late to discuss this issue.

I have tested this product and gave up because of
security considerations. And now I have to use
it for large files.

There is another aspect that this discussion so
far has not reached: multiple users, regardless
of what mechanism is going to be used.

Say my Zope system provides virtual hosting
for webmasters (or users from my point of
view) of different websites.

Not all webmasters want their ExternalFile-linked
files to be freely accessible to the public. So what if
a webmaster links a file belonging to another website?

I have an idea, but don't know whether it is possible:
set uid.

If there is a way the Zope server can change uid to a predefined
one before accessing an externally linked file, each webmaster
will have permission to their own home directory plus some
shared directories to which all webmasters have permission.

Then I can create system accounts for each webmaster,
and map them to the Zope users using a product
like SystemUserFolder (is there one?)

And if we also add the 'jail' option (or chroot to
the webmaster's home directory), it will be perfect.

Back one step: even if there is no way to actually change
the uid, we can at least check against it before adding
an external file.

I'm talking about Unix; I think there are equivalent ways
on Windows NT.

BTW, I think a similar product, ZFS, is facing the same
security issue.

Wei He
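
The fallback suggested in the message above (check against the mapped uid before adding an external file), sketched as an added example; it is not part of the original post and not ExternalFile code. The names `may_link` and `uid_can_read`, the home/shared directory layout and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def uid_can_read(path, uid, gids):
    """Read check for (uid, gids) from the file's mode bits only.
    Assumption: no ACLs, uid is not root, parent directories are searchable."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def may_link(path, uid, gids, home, shared_dirs=()):
    """True if the webmaster mapped to uid may add path as an external file."""
    real = os.path.realpath(path)  # resolve symlinks and ".." before comparing
    roots = [os.path.realpath(d) for d in (home, *shared_dirs)]
    inside = any(os.path.commonpath([real, r]) == r for r in roots)
    return inside and os.path.isfile(real) and uid_can_read(real, uid, gids)

def demo():
    """Constructed layout: two site homes and one shared directory."""
    base = tempfile.mkdtemp()
    home_a, home_b, shared = (os.path.join(base, d) for d in ("site_a", "site_b", "shared"))
    for d in (home_a, home_b, shared):
        os.mkdir(d)
    files = {}
    for name, d, mode in (("own", home_a, 0o644), ("private", home_a, 0o600),
                          ("other", home_b, 0o644), ("common", shared, 0o644)):
        files[name] = os.path.join(d, name + ".dat")
        with open(files[name], "w") as fh:
            fh.write("x")
        os.chmod(files[name], mode)
    files["symlink"] = os.path.join(home_a, "link.dat")
    os.symlink(files["other"], files["symlink"])  # points into site_b
    me = os.getuid()
    check = lambda name, uid: may_link(files[name], uid, (), home_a, [shared])
    return {
        "own": check("own", me),
        "other_site": check("other", me),
        "symlink_escape": check("symlink", me),
        "shared": check("common", me),
        "private_as_other_uid": check("private", me + 1),
    }

if __name__ == "__main__":
    print(demo())
```

A check made only at link time does not cover files or symlinks that change afterwards, which is what the setuid/chroot variant in the message would address.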