[Zope] Zope+Python source-code security

Paul Erickson erickson@kaivo.com
Mon, 29 Apr 2002 10:59:12 -0600


If Zope is installed on a machine that someone else has superuser 
access to, then I'd say that they can see the source to any of your objects.

All you need to do is copy the zope directory, run zpasswd.py on the new 
zope instance, start it up on a new machine or new port, and they can 
see anything in the ZODB that they want to.  They wouldn't have the 
ability to modify the Zope that you provided, at least without you 
knowing that the password changed, but I don't know if that matters.

Sorry, I know that's not the answer you wanted.  

What will you use if you don't use Zope?  

-Paul


Harry Wilkinson wrote:

>On Monday 29 April 2002 2:36 pm, Paul Winkler wrote:
>
>>On Mon, Apr 29, 2002 at 12:16:54PM +0200, Pawel Lewicki wrote:
>>
>>>Hello,
>>>I was asked to make a web application that seems to be perfect to be
>>>built in Zope and Python. And it is also a great opportunity to get to
>>>know the second one :) But the main issue is the security of the
>>>source code. I was browsing the archive and haven't found a yes/no answer
>>>on whether it is possible. There are a few security layers:
>>>1. Zope management (I suppose the easiest)
>>>2. Data.fs (Can you pull the stored objects and browse them externally?)
>>>
>>Yes, should be possible. AFAIK Data.fs is just a big pickle dump,
>>so all you'd need to explore it is a python interpreter.
>>
>
>I don't think it's *just* a big pickle dump, although yes I think the data is 
>pickled Python objects stored in a file.  It's a bit more organised than just 
>dumping everything to a file though.
>
>You can access the ZODB through just Python now, I think.  I hear a lot of 
>work has gone into making ZODB a standalone Python product.  If you want to 
>access data stored in that Data.fs through something other than Zope, I 
>suggest you look at the ZODB source/docs.
>
>
>HarryW
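
The route Paul Winkler describes above, reading Data.fs with nothing but a Python interpreter, worked through as an added example; this is not code from the thread, from Zope or from ZODB. It assumes ZODB's FileStorage layout: a 4-byte "FS21" magic, then transaction records, each carrying data records whose payload is two back-to-back pickles, a class reference followed by the object state. The sample file it builds, its object ids, its module and class names and its attribute names are constructed for illustration. The caveat a practitioner wants is built in: never pickle.load() a Data.fs you did not produce yourself, because the pickles name classes that will be imported and run; the reader below parses statically with pickletools and only unpickles states that need no import at all.

```python
"""Added example: walk a ZODB FileStorage (Data.fs) with the stdlib only,
inspecting objects without ever importing the classes the pickles name."""
import io
import pickle
import pickletools
import struct

FS_MAGIC = b"FS21"
TRANS_HDR = struct.Struct(">8sQcHHH")  # tid, tlen, status, ulen, dlen, elen
DATA_HDR = struct.Struct(">8s8sQQHQ")  # oid, tid, prev, tloc, vlen, plen


def build_sample_datafs():
    """Constructed sample Data.fs: one transaction with two objects.
    Module, class and attribute names are illustrative, not real content."""
    def class_pickle(module, name):  # protocol-0 GLOBAL: how a class is stored
        return b"c" + module.encode() + b"\n" + name.encode() + b"\n."

    tid = b"\x03\x9b\0\0\0\0\0\0"  # arbitrary 8-byte transaction id
    records = [
        (b"\0" * 8, "OFS.Folder", "Folder",
         {"title": "Site root", "_objects": ({"id": "secret_script"},)}),
        (b"\0" * 7 + b"\x01", "Products.PythonScripts.PythonScript", "PythonScript",
         {"id": "secret_script", "_body": "return context.db_password  # 'hidden'"}),
    ]
    body = b""
    for oid, module, name, state in records:
        data = class_pickle(module, name) + pickle.dumps(state, protocol=2)
        body += DATA_HDR.pack(oid, tid, 0, 0, 0, len(data)) + data  # prev/tloc unused
    user, desc = b"admin", b"initial content"
    tlen = TRANS_HDR.size + len(user) + len(desc) + len(body)  # excludes trailer
    return (FS_MAGIC + TRANS_HDR.pack(tid, tlen, b" ", len(user), len(desc), 0)
            + user + desc + body + struct.pack(">Q", tlen))


class _NoImportUnpickler(pickle.Unpickler):
    """Refuses every import, so a GLOBAL in the state cannot execute code."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

    def persistent_load(self, pid):  # ZODB cross-object reference: keep opaque
        return ("persistent-ref", pid)


def split_record(data):
    """A ZODB data record is two pickles (class, state); cut at the first STOP."""
    for opcode, _arg, pos in pickletools.genops(data):
        if opcode.name == "STOP":
            return data[:pos + 1], data[pos + 1:]
    raise ValueError("no STOP opcode in class pickle")


def class_of(class_pkl):
    """Read (module, name) of the class statically from its GLOBAL opcode."""
    for opcode, arg, _pos in pickletools.genops(class_pkl):
        if opcode.name == "GLOBAL":
            return tuple(arg.split(" ", 1))
    return ("?", "?")


def state_of(state_pkl):
    """Load plain state without imports; if a class would be needed, fall back
    to listing string constants (ids, titles and source text still show)."""
    try:
        return _NoImportUnpickler(io.BytesIO(state_pkl)).load()
    except pickle.UnpicklingError:
        return {"<strings>": [a for _o, a, _p in pickletools.genops(state_pkl)
                              if isinstance(a, (str, bytes))]}


def walk_datafs(blob):
    """Yield (transaction info, [(oid_hex, module, class, state), ...])."""
    if blob[:4] != FS_MAGIC:
        raise ValueError("not a FileStorage file")
    pos = 4
    while pos < len(blob):
        tid, tlen, status, ulen, dlen, elen = TRANS_HDR.unpack_from(blob, pos)
        tend = pos + tlen  # the redundant 8-byte length trailer starts here
        if struct.unpack_from(">Q", blob, tend)[0] != tlen:
            raise ValueError(f"corrupt transaction trailer at {tend}")
        p = pos + TRANS_HDR.size
        user, desc = blob[p:p + ulen], blob[p + ulen:p + ulen + dlen]
        p += ulen + dlen + elen
        objs = []
        while p < tend:
            oid, _serial, _prev, _tloc, vlen, plen = DATA_HDR.unpack_from(blob, p)
            p += DATA_HDR.size + (16 + vlen if vlen else 0)  # legacy version fields
            if plen == 0:  # back-pointer only (undo/pack); no payload here
                p += 8
                continue
            cls_pkl, st_pkl = split_record(blob[p:p + plen])
            p += plen
            module, name = class_of(cls_pkl)
            objs.append((oid.hex(), module, name, state_of(st_pkl)))
        yield {"tid": tid.hex(), "status": status.decode(), "user": user.decode(),
               "description": desc.decode()}, objs
        pos = tend + 8


def dump_objects(blob):
    """Flatten every object in the file into ("module.Class", state) pairs."""
    return [(f"{m}.{n}", st) for _t, objs in walk_datafs(blob) for _o, m, n, st in objs]


if __name__ == "__main__":
    for cls, state in dump_objects(build_sample_datafs()):
        print(cls, state)
```

Run it against a real file with `dump_objects(open("Data.fs", "rb").read())`; every object's class and, for anything whose state is plain data, its full attribute dictionary comes out, script bodies included, which is the point Paul makes about superuser access. The design choice worth copying is the refusing Unpickler: a Data.fs from a machine you do not control is attacker-controlled input, and the class names inside it decide what plain pickle.load() would import.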