[Zope] Password function to manager screen broke?

Adam Manock abmanock@earthlink.net
18 Dec 2002 11:15:27 -0500


> If rpm supports user interaction during installation you should
> probably let the user input their own credentials instead of this
> default. Someone could get the idea of scanning the web for newly
> installed zopes with default passwords.

Yes. I forget that not everyone runs deny all / explicit allow firewall
policies, even at home. :-) I shouldn't assume that additional layers of
security exist to protect against exploitation of this... 

I'll look into what's required to set up the inituser interactively.
Right now the inituser is set during the "build" stage. Even if I don't
end up changing the package so that it is set interactively, I'll at
least make sure Zope only binds to the loopback address by default, thus
reducing the impact, and I'll add a security note to the README in
either case.

>> The old /var/zope/access method is not implemented by this package.

> Is it a good idea to disable the emergency user? What if the
> user kills her acl_user object or similar?


"python2.1 /usr/share/zope/zpasswd.py /var/zope/access" will work to
create an emergency user.

Guess that one needs clarification. Even if I don't implement
/var/zope/access in the package, that doesn't mean that the
underlying Zope install doesn't support a user creating and using
an emergency user. I will update the docs accordingly...

Thanks for the feedback,

Adam
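A post-install audit of the kind this thread argues for, added here as an example and not code from the Zope package or from zpasswd.py: it reads an inituser/access-style file and reports any account still carrying the build-time default password, plus any entry stored in cleartext. It assumes the `name:{SHA}<base64 sha1>` line format that zpasswd.py's SHA scheme writes; the default password value and the sample file are constructed placeholders.

```python
import base64
import hashlib

# Placeholder for the password the package sets at build time (assumption;
# the real default is not part of this example).
PACKAGE_DEFAULT_PASSWORD = "changeme-placeholder"


def sha_scheme(password):
    """Encode a password the way the {SHA} scheme in the access file does:
    literal "{SHA}" prefix followed by the base64 of the SHA-1 digest (assumed format)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_access_file(text):
    """Return (name, secret) pairs from "name:secret" lines; blanks and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, secret = line.partition(":")
        if not sep:
            continue  # malformed line without a separator
        entries.append((name, secret))
    return entries


def still_default(secret, default_password):
    """True if the stored secret equals the package default, hashed or cleartext."""
    if secret.startswith("{SHA}"):
        return secret == sha_scheme(default_password)
    if secret.startswith("{"):
        return False  # other schemes (e.g. {CRYPT}) are not checked here
    return secret == default_password


def audit_access_file(text, default_password=PACKAGE_DEFAULT_PASSWORD):
    """List findings a packager would want flagged before the instance goes live."""
    findings = []
    for name, secret in parse_access_file(text):
        if still_default(secret, default_password):
            findings.append(name + ": package default password still in place")
        elif not secret.startswith("{"):
            findings.append(name + ": password stored in cleartext")
    return findings


# Constructed sample file: one untouched default, one changed password, one cleartext entry.
SAMPLE_ACCESS_FILE = "\n".join([
    "# constructed inituser/access file",
    "admin:" + sha_scheme(PACKAGE_DEFAULT_PASSWORD),
    "ops:" + sha_scheme("a-real-password"),
    "legacy:plaintext-secret",
])
```

Run `audit_access_file(SAMPLE_ACCESS_FILE)` to see the two findings; on a real instance, feed it the contents of the inituser or access file instead of the sample.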