[Zope] Xron and Security [was ZScheduler and Pack]
Loren Stafford
lstaffor@dynalogic.com
Tue, 22 Aug 2000 11:23:06 -0700
From: "Marcus Mendes" <mvmendes@emdata.com.br>
> Is it a security risk to leave the Zscheduler pack my Data.fs?
I don't have an answer, but I can clarify the risk. We can use packing
Data.fs as an example application, but the question about security is more
general.

Xron (formerly ZScheduler) does not currently provide any features that deal
with security. Scheduled methods are called through the Client.py interface
(i.e. by handing a URL to Zope as if it had come from a browser client).

For example, suppose you have a scheduled method "Packer" in the root folder
that calls the management method that packs your database. The URL that the
Dispatcher of Xron uses to execute that method is simply:

http://www.mysite.com/Packer/trigger

Client.py is capable of passing authentication information in the request;
but because Xron does not (yet) supply authentication information, a
scheduled method must be executable by an unauthenticated user.

If the scheduled method performs any privileged functions, then the method
must have proxy roles that give it sufficient privilege. (I'm not sure what
role is required for manage_pack, but there must be one.)

Therefore, any user (who happens to know about your method and about Xron's
calling convention) can pack your Data.fs simply by keying
http://www.mysite.com/Packer/trigger into a browser.

Suppose an unscrupulous person (who happens to know about your method and
about Xron's calling convention) created a program that would make a request
to http://www.mysite.com/Packer/trigger once every N seconds (easy to do
with Xron!). Could that bring your system to its knees? ...any worse than
any other repeated request? I don't know the answer. If I were you I'd try
it out.

Can anyone see any other security vulnerabilities here?

I'd be glad to listen to well considered proposals for how Xron should
handle security.
-- Thanks
-- Loren
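The exposure Loren describes, modelled as an added example that is not part of the original post and is not Xron or Zope code: a stand-in HTTP server plays the role of Zope serving a scheduled method at /Packer/trigger. In the first configuration the trigger is executable by an unauthenticated user (the method relies on proxy roles for its privilege), so any GET to the URL, whether from the Xron Dispatcher, a browser, or a loop that fires once every N seconds, runs the pack. The second configuration is a hypothetical hardened form, assumed here rather than taken from the page, in which the trigger demands HTTP Basic credentials, so an anonymous request gets 401 and nothing is packed. The credentials "admin"/"secret", the PackerState counter and the probe/hammer helpers are all constructed for this example.

```python
"""
Model of an anonymously reachable Zope-style scheduled method.
Constructed example: the server below stands in for Zope and the
pack counter stands in for manage_pack; none of this is Xron code.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

TRIGGER_PATH = "/Packer/trigger"   # the URL form described in the post


def _basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class PackerState:
    """Counts how many times the privileged manage_pack action would have run."""
    def __init__(self):
        self.pack_count = 0
        self.lock = threading.Lock()

    def manage_pack(self):
        with self.lock:
            self.pack_count += 1


def make_handler(state, required_basic_auth=None):
    """Build a request handler for the model server.

    required_basic_auth=None models the situation in the post: the trigger is
    executable by an unauthenticated user, so every GET packs the database.
    required_basic_auth=(user, password) is the hypothetical hardened form
    (an assumption of this example): anonymous requests get 401 and no pack.
    """
    expected = None
    if required_basic_auth is not None:
        expected = _basic_header(*required_basic_auth)

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the model server quiet
            pass

        def do_GET(self):
            if self.path != TRIGGER_PATH:
                self.send_error(404)
                return
            if expected is not None and self.headers.get("Authorization") != expected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="Zope"')
                self.end_headers()
                return
            state.manage_pack()          # the privileged action fires here
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"packed\n")

    return Handler


def start_server(state, required_basic_auth=None):
    """Start the model server on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(state, required_basic_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_trigger(port, basic_auth=None, timeout=5):
    """Request the trigger URL as a browser client would; return the HTTP status."""
    req = Request(f"http://127.0.0.1:{port}{TRIGGER_PATH}")
    if basic_auth is not None:
        req.add_header("Authorization", _basic_header(*basic_auth))
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def hammer_trigger(port, n):
    """The repeated-request scenario: fire the trigger n times, return how many packed."""
    return sum(1 for _ in range(n) if probe_trigger(port) == 200)


if __name__ == "__main__":
    state = PackerState()
    server, port = start_server(state)
    print("anonymous GET ->", probe_trigger(port), "| packs:", state.pack_count)
    print("20 rapid GETs ->", hammer_trigger(port, 20), "succeeded | packs:", state.pack_count)
    server.shutdown()

    state = PackerState()
    server, port = start_server(state, required_basic_auth=("admin", "secret"))
    print("anonymous GET, auth required ->", probe_trigger(port), "| packs:", state.pack_count)
    print("authenticated GET ->", probe_trigger(port, ("admin", "secret")), "| packs:", state.pack_count)
    server.shutdown()
```

Running probe_trigger against a real Zope instance's trigger URL (without credentials) is the same check: a 200 means the scheduled method is reachable by anyone who knows the URL, which is exactly the condition the post says Xron currently requires. The hardened variant only illustrates what a credential check would change; since Xron's Dispatcher supplies no authentication information, a trigger protected this way would also stop the Dispatcher until Xron passes credentials through Client.py.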