[Zope] The Ascetic Superuser
Chris McDonough
chrism@digicool.com
Tue, 5 Sep 2000 19:20:49 -0400 (EDT)
On Tue, 5 Sep 2000, ethan mindlace fremen wrote:
> Now every object executes according to the permission of the owner,
> *not* the viewer. It can also run as a proxy role. The
> super-bootstrap-user lives outside of "normal" zope authentication & has
> permission to do anything save that which NotEvenGodShouldDo.
> Therefore, it shouldn't own objects.
Methods actually now execute with the effective intersection of the
permissions granted to the AUTHENTICATED_USER and the permissions
granted to the method's owner. If a proxy role is specified, the method
executes with permissions restricted to those roles assigned by the proxy
role.
This is unarguably a good thing. What's not entirely clear is *why*
super can't own, which is a separate issue. The power it has beyond
that of a normal management user is the ability to traverse the site
unrestricted by the security machinery. I actually don't think
there's an answer to this question that has to do with method
execution. I think the ultimate answer is one or a few of the
following: "because," "shrug," "for audit trail purposes," or "so you
don't shoot yourself in the foot," or "be quiet." :-) Alternately,
the answer might lie in an unobvious implementation detail that none
of us really want to think about.
> This is *quite* important, and needs to stay. I don't know how to
> emphasize enough that this is a well thought out correction to an
> extremely deadly class of security problems that still (afaik) plagues
> many "other" through-the-web management systems.
I just can't think of any situations where having a method execute with
the effective intersection of the permissions granted to superuser and
the permissions granted to another user would cause more damage
than a method executing with the effective intersection of the permissions
granted to a normal management user and another user. Can you?
> The newbie pain, however, could probably be mitigated- don't call it a
> Super user, since it hardly deserves the S or the cape. Have a user in
> the default install. Something like that.
I agree. This should happen soon.
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
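The permission model the thread describes (a method runs with the intersection of the owner's and the authenticated user's grants, with proxy roles restricting what the caller brings), as an added toy model that is not Zope's own code. Role and permission names are constructed; modelling proxy roles as replacing the caller's grants while the owner check still applies is an assumption.

```python
from dataclasses import dataclass

# Constructed role -> permission table (not Zope's default roles/permissions).
ROLE_PERMISSIONS = {
    "Anonymous": {"View"},
    "Editor": {"View", "Add Documents"},
    "Manager": {"View", "Add Documents", "Delete objects", "Change proxy roles"},
}

def perms_for_roles(roles):
    """Union of the permissions granted to a set of roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    superuser: bool = False  # lives outside normal authentication

    def permissions(self):
        if self.superuser:
            # "permission to do anything": every permission the site knows
            return set().union(*ROLE_PERMISSIONS.values())
        return perms_for_roles(self.roles)

@dataclass(frozen=True)
class Method:
    owner: User
    proxy_roles: frozenset = frozenset()  # empty means no proxy roles

def effective_permissions(method, authenticated_user):
    """Permissions a method executes with, following the thread's description.

    Assumption: proxy roles replace the caller's grants, and the result is
    still intersected with what the owner may do.
    """
    if method.proxy_roles:
        caller_perms = perms_for_roles(method.proxy_roles)
    else:
        caller_perms = authenticated_user.permissions()
    return method.owner.permissions() & caller_perms

def can(method, authenticated_user, permission):
    return permission in effective_permissions(method, authenticated_user)
```

Because the superuser holds every permission, a method it owns runs with exactly the caller's own grants, the same outcome as ownership by a Manager holding all permissions; a method owned by a less-privileged user cannot be leveraged by a Manager caller to delete.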