[Zope] Re: [Crew] External Methods?

Tres Seaver tseaver@palladion.com
Tue, 02 Mar 1999 00:05:10 -0600


Christopher G. Petrilli wrote:
> 
> On Mon, Mar 01, 1999 at 07:43:04PM -0800, Greg Stein wrote:
> > Christopher G. Petrilli wrote:
> > > On Mon, Mar 01, 1999 at 09:32:07PM -0600, Tres Seaver wrote:
> > > > As one who comes down firmly on the "weenie" side of the great "content manager"
> > > > vs. "web weenie" divide, I am naturally inclined to code up Zopoids as
> > > > ExternalMethods.  The docs say to put them under the $ZOPEROOT/lib/python, but
> > > > that seems icky for a "shared" Zope like the one on starship.
> > > Well, right now that's the only way it's supported... it's not really
> > > intended for an ISP situation with hundreds of "untrusted" users, which
> > > is kinda how we're using it right now.  For now, unfortunately, I'm
> > > making the executive decision that ExternalMethods are verboten until
> > > we can figure out a way to isolate them from one another.  If someone
> > > wants to develop a derived ExternalMethod that uses rexec or some such
> > > to control its access to the database, that'd be great.
> > > 
> > > > Whither should such gems be placed?
> > > 
> > > Well, unfortunately all of them would run with the permissions of "root"
> > > as far as I understand it... someone else correct me, but this is how it
> > > was explained to me... basically they'd be able to do anything.
> >
> > Can't you run Zope as another user? That could eliminate a number of
> > issues.
> 
> I'm sorry, I wasn't clear ;-)  What I meant was that the method has
> unlimited abilities to peruse the object database... it doesn't have any
> abilities outside it that aren't available to the zope process itself
> (which in this case runs as uid 'zope').
> 
> The concern is that it would be able to circumvent other users' security
> since it wouldn't be enforced against the ExternalMethod.

I understand the security problems inherent in ExternalMethods; unfortunately,
without them, Zope is merely an "also-ran" in the web application race, from my
perspective.  DTML in isolation is not an "ASP-killer."

I'm CC'ing the Zope list, in hopes that someone there can either allay or slay
our fears.

It seems to me that the security problem is that ExternalMethods can get access
to "sibling objects" of the object on which they are invoked, right?  I mean, if
we could make the siblings inaccessible, and acquired properties read-only, then
we should be ok, no?  Ugh, I don't grok acquisition well enough to tackle that
myself, I fear.

-- 
=========================================================
Tres Seaver         tseaver@palladion.com    713-523-6582
Palladion Software  http://www.palladion.com
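
Added example, not part of the original message and not Zope code: a toy containment tree showing the concern discussed in the thread (a permission check enforced only at the publishing boundary does not constrain in-process code that holds the object) and the shape of the restriction proposed in the last paragraph (siblings unreachable, acquired properties read-only). All names here (`Node`, `publish`, `external_method`, `confined_view`, `build_site`) are hypothetical.

```python
from types import MappingProxyType

# Toy model, constructed for illustration; not Zope's classes or API.
class Node:
    """Object in a containment tree with a simplified form of acquisition."""
    def __init__(self, name, owner, parent=None, **props):
        self.name, self.owner, self.parent = name, owner, parent
        self.props, self.children = dict(props), {}
        if parent is not None:
            parent.children[name] = self

def publish(user, node):
    """Permission check applied only at the publishing boundary."""
    if user != node.owner:
        raise PermissionError(f"{user} may not view {node.name}")
    return node.props

def external_method(context):
    """Stand-in for user-supplied code: reaches a sibling through the parent."""
    parent = getattr(context, "parent", None)
    if parent is None:
        return None                      # no route to the container
    return parent.children["bob_page"].props["secret"]

def confined_view(node):
    """Read-only snapshot of own and acquired properties, with no tree references."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    merged = {}
    for n in reversed(chain):            # outermost first, so nearer values win
        merged.update(n.props)
    return MappingProxyType(merged)

def build_site():
    """Constructed sample tree: two users' pages under one shared root."""
    root = Node("root", "admin", title="Shared site")
    alice = Node("alice_page", "alice", root, body="hello")
    bob = Node("bob_page", "bob", root, secret="bob-only")
    return root, alice, bob

if __name__ == "__main__":
    root, alice, bob = build_site()
    print(external_method(alice))                  # direct object: sibling is reachable
    print(external_method(confined_view(alice)))   # confined view: no parent to follow
```

A snapshot like this only narrows what is handed to the code; it does not restrict what else the code can import or open within the same process.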