[Zope] Zope application offline - how to apply a license protection?

Gabriel Genellina gagenellina at softlab.com.ar
Thu Aug 14 16:12:03 EDT 2003


At 14/8/2003 10:40, you wrote:

> > Our company is developing an application, supposed to be run under a
> > dedicated Zope server, placed offline in our customer's corporate
> > environment and requested via LAN.
> >
> > What would be the right way to protect this mechanism from hacking,
> > provided that Zope is an open-source platform, so any code is
> > hypothetically accessible by the customer and the application is run
> > completely offline with no interaction with our information system?
> >
> > The required level of protection is not really high, but we need to be
> > safe from attempts to hack the application by modest programmers at
> > least.
>
> 1. Use a dedicated server with an encrypted FS (e.g., Linux); do not share
> ANY passwords.
> 2. Do not allow users to go above a specified hierarchy of folders.
> 3. Disable all access other than "view" to all DTML Methods and
> code-critical DTML documents.
> etc...

Except for 1), the other measures protect against through-the-web access, but 
not against local access.
Anyone who can read Data.fs can see the user passwords, which the standard 
UserFolder stores without encryption by default, and can then log in as 
Manager and change anything.
And anyone with write permission to the filesystem can create an emergency 
user, log in as such, and modify all objects inside Zope (the emergency 
user can do almost anything without restrictions, it just can't create new 
objects).
Zope may have a good shield from web attacks, but I think it is very 
vulnerable to local intrusion or sabotage.


Gabriel Genellina
Softlab SRL
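The reply above points out that the real exposure is local: a readable copy of Data.fs leaks the user folder's stored passwords, and write access to the instance directory lets anyone add an emergency user. A defender's first check is therefore the filesystem permissions on those files. The script below is an added example and is not code from the thread or from Zope itself; it assumes a classic Zope 2 instance layout (var/Data.fs for the ZODB, and `access` / `inituser` credential files at the instance root when present) and flags anything readable or writable by group or others. The `build_sample_instance` helper only constructs a throwaway directory so the audit can be exercised offline.

```python
"""Audit filesystem permissions on a Zope instance's sensitive files.

Added example, not from the mailing list thread or the Zope project.
Assumed layout: var/Data.fs (ZODB storage), plus optional `access`
(emergency user) and `inituser` (initial manager) files at INSTANCE_HOME.
"""
import os
import stat
import tempfile

# Files whose exposure the thread describes: reading Data.fs reveals stored
# user-folder passwords; writable instance files allow planting credentials.
SENSITIVE = {
    "var/Data.fs": "ZODB storage; a readable copy exposes user folder data",
    "access": "emergency user credentials (if present)",
    "inituser": "initial manager credentials (if present)",
}

GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_instance(instance_home):
    """Return a list of (relative_path, finding) tuples.

    A finding is raised for every sensitive file that group or others can
    read or write, and for the instance directory itself if group or others
    can write to it (that is enough to drop a new `access` file).
    Files that do not exist are skipped.
    """
    findings = []
    for rel, why in SENSITIVE.items():
        path = os.path.join(instance_home, rel)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & GROUP_OTHER_READ:
            findings.append((rel, "readable by group/others (%04o): %s" % (mode, why)))
        if mode & GROUP_OTHER_WRITE:
            findings.append((rel, "writable by group/others (%04o): %s" % (mode, why)))
    dmode = stat.S_IMODE(os.stat(instance_home).st_mode)
    if dmode & GROUP_OTHER_WRITE:
        findings.append((".", "instance directory writable by group/others (%04o)" % dmode))
    return findings


def build_sample_instance(datafs_mode=0o644, dir_mode=0o700):
    """Construct a throwaway instance directory for demonstration.

    The Data.fs content is a constructed placeholder, not a real ZODB file;
    only its permission bits matter to the audit.
    """
    home = tempfile.mkdtemp(prefix="zope-audit-")
    os.makedirs(os.path.join(home, "var"))
    datafs = os.path.join(home, "var", "Data.fs")
    with open(datafs, "wb") as fh:
        fh.write(b"constructed placeholder, not a real Data.fs\n")
    os.chmod(datafs, datafs_mode)
    os.chmod(home, dir_mode)
    return home


def demo(datafs_mode=0o644, dir_mode=0o700):
    """Build a sample instance with the given modes and audit it."""
    return audit_instance(build_sample_instance(datafs_mode, dir_mode))


if __name__ == "__main__":
    # Typical default: Data.fs created with mode 0644 is readable by every
    # local account, which is exactly the exposure the thread describes.
    for rel, msg in demo(0o644):
        print("%s: %s" % (rel, msg))
    print("after chmod 600:", demo(0o600))
```

Run it against a real instance with `audit_instance("/path/to/instance")`; an empty list means the sensitive files are private to the owning account, which is the minimum before any of the through-the-web measures in the thread matter.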