[Zope] Re: ZEO Client space was:

sean.upton@uniontrib.com sean.upton@uniontrib.com
Fri, 25 May 2001 12:02:26 -0700


Right: there is no box root exploit issue, but if the ODB has a method that
connects to your RDB and flushes out a table, in a non-transactional rdb,
you are screwed if someone can, from an arbitrary client do this sort of
thing.

Also, I would think that ZEO CS->ZSS type traffic would be best run on its
own switched VLAN for security and performance reasons.

Sean

-----Original Message-----
From: Jerome Alet [mailto:alet@unice.fr]
Sent: Friday, May 25, 2001 11:16 AM
To: Bill Anderson
Cc: zope@zope.org
Subject: Re: [Zope] Re: ZEO Client space was:


On Fri, May 25, 2001 at 11:39:54AM -0600, Bill Anderson wrote:
> 
> So, you give a user you presumably trust, ssh/ssl access to use ZShell.
> They comment this code out, or the code that even botehrs to check for
> permssion to do anything, and now they now '0WNZ Y0ur z0p3 sist3m'.

Except that in this particular case the user would also have to have 
got filesystem write access to the Extensions directory and a 
Manager role in /Control_Panel in order for him to be able to 
comment out the code and restart Zope, because ZShell
is currently an external method.

Anyway I tend to agree with you, it shouldn't be possible to bypass 
the security mechanism.

bye,

Jerome Alet

_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )