[Zope] Re: [Zope-dev] Introspection, managing External Methods?

Andreas Kostyrka andreas@mtg.co.at
Tue, 20 Jul 1999 15:44:25 +0200 (CEST)


On Mon, 19 Jul 1999, Robin Becker wrote:

> I'm fairly sure I agree with 99% of your reply. It may be that Zope is
> secure; it's certainly too large for me to verify easily. As you say the
> net connection is insecure; this was almost always the case for unix
That depends upon your security policy. Just remove telnetd from
inetd.conf, forbid non-anonymous ftp logins, and don't use POP3 with
login accounts.
Actually, in our case, with the exception of the root account (and the
nonroot account of the root), no login accounts carry any passwords. Only
way to access the box for privileged users (meaning they DO have login
access) is by providing the correct private ssh key.
> style logins. I quite like the validation approach of the monitor which
> again allows direct access to everything. If as you assert the net is
> insecure then I merely have to spy out a root password or two or get
But you don't spy out root passwords nowadays. And if you do, the admin
in question deserves all the bullshit that will come his way :)

There are at least the following ``free'' ways to protect against
Internet sniffers:
-) ssh1.
-) telnet-ssl.
-) vpnd.
> admin privileges or whatever. I intended no criticism of the zope
> security model other than 1) the passwords are in a meaningfully named
> file, 2) the file is unencrypted and 3) there is a standard initial
> manager login and password. These are not serious holes, but would get
> you shown the door by the more paranoid.
ad 3) Ok, changing the standard superuser password is natural. Perhaps it
      should be randomly generated.
ad 2) Well Zope security works on a different level. Having access to the
      files constituting the Zope installation is equivalent to being the
      super user of this installation. Differently put, Zope users are
      ``subusers'' of the Unix Zope super user (the uid used to run Zope).
ad 1) see 2.
> 
> OK I give up. Given the Monitor I can get at the source of any module so
> I can edit/replace etc. This allows remote internals management without
> breaking the Zope security policy.
Again, Monitor access is equivalent to Unix login level access. The
shell just happens to be called python, not /bin/sh ;)

Andreas
-- 
Win95: n., A huge annoying boot virus that causes random spontaneous system
     crashes, usually just before saving a massive project.  Easily cured by
     UNIX.  See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
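The inetd hardening Andreas describes (drop telnet, non-anonymous ftp and POP3 logins, keep ssh) as an added shell example that is not from the thread: it audits an inetd.conf for services that carry cleartext logins and writes a copy with those lines commented out. The sample inetd.conf and the list of cleartext services are my own constructed assumptions.

```shell
#!/bin/sh
# Constructed sample inetd.conf (assumption, not a file from the thread).
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# sample inetd.conf (constructed)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
EOF

# Service names that send login credentials in the clear (assumed list).
CLEARTEXT_RE='^(telnet|ftp|pop-?3|imap2?|shell|login|exec)$'

# list_cleartext FILE: print the enabled (uncommented) cleartext services.
list_cleartext() {
    awk -v pat="$CLEARTEXT_RE" \
        '!/^[[:space:]]*#/ && NF && $1 ~ pat { print $1 }' "$1"
}

# harden_inetd IN OUT: copy IN to OUT with cleartext services commented out;
# comments and other services (e.g. ssh) pass through unchanged.
harden_inetd() {
    awk -v pat="$CLEARTEXT_RE" '
        /^[[:space:]]*#/ { print; next }
        $1 ~ pat { print "#" $0 "  # disabled: cleartext credentials"; next }
        { print }' "$1" > "$2"
}
```

Run `list_cleartext` on the hardened copy afterwards to confirm nothing cleartext is still enabled before restarting inetd.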