[Zope-dev] Security-Problem
Shane Hathaway
shane@zope.com
Wed, 19 Feb 2003 10:01:29 -0500
Steve Alexander wrote:
>
> Shane Hathaway <shane@zope.com> wrote:
>
>>> Do you not want foo to have the Manager role?
>>
>
> Andre Schubert wrote:
>
>> No, because he is no longer in our company.
>
>
> Shane Hathaway <shane@zope.com> wrote:
>
>>> I think you're asking for a "find + chown" utility, right? I don't
>>> know of one, but it sure would be nice to have. :-)
>>
>
> Andre Schubert wrote:
>
>> It would be very nice to have such a tool :)
>>
>> BTW: Thanks for the quick answers, you help me to understand the problem.
>> I take the ownership of all objects where foo was the owner
>> and the problems should go away :)
>
>
> Andre,
>
> Don't treat this so lightly! When you take ownership of objects where
> foo is the owner, you are telling Zope that you take responsibility for
> those objects.
>
> For example, let's say foo had written a python script for removing all
> of her files older than one day.
>
> Here's some pseudocode:
>
> For all files older than one day:
>     try:
>         remove the file
>     except PermissionError:
>         pass
>
> This will work, provided foo has rights to delete only foo's files.
> If you take ownership of such a script, and you run it, then it will
> have very different effects.
>
> Also, if you are a Manager (or in another privileged role), and you take
> ownership of such a script, you may be allowing others to delete their
> own files when they run that script, whereas before nothing much would
> have happened.
To clarify, those users still need to have the privilege of deleting
those files. Executable ownership only reduces privileges.
> In 99% of cases, none of this will be a problem. However, you should
> take care when taking ownership of objects, especially objects that
> represent code such as python scripts and dtml methods and page templates.
I feel like Zope doesn't present the concept of executable ownership
properly to the user. I've run into this issue myself--the lifetime of
executables frequently extends beyond the life of the associated
username. You never know when deleting a user or removing user roles
will break code throughout the site. Like Andre, all I wanted to do was
restore the privileges the code had before.
So for Zope 3 I've pondered some way of separating executables from
usernames, while retaining the properties we have today. It seems like
executables should rely on a different service for determining
executable privileges than the user database.
Shane
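The ownership semantics the thread argues over (an executable runs with no more than the intersection of its owner's and its caller's privileges, so taking ownership as a Manager widens what the script can do for everyone who runs it) can be reduced to a small model. The following is an added example written for this page, not code from Zope or from anyone in the thread. It assumes a toy role-to-permission map, a hypothetical "Owner" local role granted to whoever owns an object (as Zope does), and constructed users and files; `run_cleanup` is a rendering of the pseudocode above.

```python
"""Toy model of Zope 2 executable ownership (added example, not Zope code)."""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stands in for the security exception the pseudocode catches."""


# Permission -> roles that grant it. Constructed for the example; real Zope
# sites carry many more permissions and roles.
PERMISSION_ROLES = {
    "Delete objects": {"Manager", "Owner"},
}


@dataclass
class User:
    name: str
    roles: frozenset  # global roles held by this user


@dataclass
class File:
    name: str
    owner: str
    age_days: int


def roles_on(user, obj):
    """Global roles plus the 'Owner' local role the object's owner gets."""
    roles = set(user.roles)
    if obj.owner == user.name:
        roles.add("Owner")
    return roles


def check(user, obj, permission):
    """Plain user-level check: does any of the user's roles grant it?"""
    return bool(roles_on(user, obj) & PERMISSION_ROLES[permission])


def check_executable(caller, script_owner, obj, permission):
    """Executable check: BOTH the caller and the script's owner must pass.

    This is why ownership only reduces privilege: the owner can veto an
    action but can never add one the caller does not already have.
    """
    return check(caller, obj, permission) and check(script_owner, obj, permission)


def run_cleanup(caller, script_owner, files):
    """foo's script from the thread: remove everything older than a day,
    silently skipping anything the effective principal may not delete."""
    removed = []
    for f in list(files):  # iterate over a copy; we mutate `files`
        if f.age_days <= 1:
            continue
        try:
            if not check_executable(caller, script_owner, f, "Delete objects"):
                raise Unauthorized(f.name)
            files.remove(f)
            removed.append(f.name)
        except Unauthorized:
            pass
    return removed


# Constructed sample users and content, not real site data.
FOO = User("foo", frozenset({"Author"}))      # the departed employee
BOB = User("bob", frozenset({"Author"}))      # another ordinary user
ANDRE = User("andre", frozenset({"Manager"}))  # the site manager


def sample_files():
    return [
        File("foo_report", owner="foo", age_days=3),
        File("bob_notes", owner="bob", age_days=5),
        File("andre_index", owner="andre", age_days=2),
        File("foo_draft", owner="foo", age_days=0),  # too new to be touched
    ]


def scenarios():
    """Same script, four combinations of who runs it and who owns it."""
    return {
        "foo runs it, foo owns it": run_cleanup(FOO, FOO, sample_files()),
        "andre takes ownership and runs it": run_cleanup(ANDRE, ANDRE, sample_files()),
        "bob runs it while foo owns it": run_cleanup(BOB, FOO, sample_files()),
        "bob runs it after andre took ownership": run_cleanup(BOB, ANDRE, sample_files()),
    }


if __name__ == "__main__":
    for label, removed in scenarios().items():
        print(f"{label}: removed {removed}")
```

Run as a script, it shows the three effects the thread describes: as written, the script touches only foo's old file; once a Manager owns and runs it, every old file on the site goes; and bob, who previously got nothing from running it (foo could not delete bob's files, so the owner check vetoed every removal), can now delete his own old files but still nobody else's, because his caller check still fails on them.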