[Zope] Zope+Python source-code security

Paul Winkler pw_lists@slinkp.com
Mon, 29 Apr 2002 21:06:50 -0400


On Mon, Apr 29, 2002 at 11:32:28PM +0200, Pawel Lewicki wrote:
> > All you need to do is copy the zope directory, run zpasswd.py on the new
> > zope instance, start it up on a new machine or new port, and they can
> > see anything in the ZODB that they want to.  They wouldn't have the
> > ability to modify the Zope that you provided, at least without you
> > knowing that the password changed, but I don't know if that matters.
> >
> > Sorry, I know that's not the answer you wanted.
> 
> :) You're right. Will it be the same with a folder with unchecked "Acquire
> permission settings" and no user folder?

Yup, the password generated by zpasswd.py is nominally for emergency
maintenance purposes; but once you have it, you can get anywhere in
the data.fs, user folders or no.


-- 

Paul Winkler
home:  http://www.slinkp.com
"Muppet Labs, where the future is made - today!"