[Zope] Re: superuser confusion
Chris McDonough
chrism@digicool.com
Tue, 5 Sep 2000 03:06:15 -0400 (EDT)
On Tue, 5 Sep 2000, Evan Simpson wrote:
> > I've got to say I agree with you here. I'm still not 100% sure why the
> > superuser or bootstrap user can't own anything.
>
> It's due to a combination of the trojan horse issue and the sticky
> authentication issue, I think. You really don't want to be authenticated as
> super very often, because while you are, if you visit a page someone else
> wrote, they can make your browser do evil things to your site. This is also
> true of Managers, but less so. Similarly, a page owned by non-super has
> tighter permissions than one owned by the super would.
Yes... the PDG security chapter has all of this in it, but it would seem
that neither Chris W nor I are completely satisfied by these answers. :-)
It seems a matter of diminishing returns, especially when newbies hit the
wall during install, since we haven't provided them with an airbag yet.
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org