[Zope] Major security flaw in Zope 2.3.2
Farrell, Troy
troy.farrell@wcg.com
Wed, 6 Jun 2001 08:41:06 -0500
That's all well and good, but users should be able to reasonably expect that
their passwords be secure from prying administrators. Sure, an admin could
brute force or guess a *nix password, but they aren't cleartext. The only
easy way for an admin to get a user's passwd is to change it (never mind the
'su username' act). Zope stores its data in a database, with a separate
security system from the filesystem. These passwords should not be
cleartext any more than you would select the cleartext option for your
inituser or access file.
Troy
-----Original Message-----
From: Frank Tegtmeyer [mailto:fte@lightwerk.com]
Sent: Wednesday, June 06, 2001 8:26 AM
To: zope@zope.org
Subject: Re: [Zope] Major security flaw in Zope 2.3.2
On Wed, Jun 06, 2001 at 02:43:48PM +0200, Jerome Alet wrote:
> * make Data.fs and Data.fs.old only readable by a user every
> other user on the system can't run commands as.
Anyone out there who does *not* do that?
Regards, Frank