[Zope] root privileges required
Vangelis Mihalopoulos
mihalop at VTrip.NET
Wed Jul 28 05:54:25 EDT 2004
Michael Ekstrand wrote:
>On Tuesday 27 July 2004 12:22, Vangelis Mihalopoulos wrote:
>
>
>>Well, I agree with you. But, still, using suid python scripts for
>>half of my app is a problem... believe me, it will be much easier for
>>someone to find a security flaw in my app than in Zope... :)
>>
>>
>
>Another idea... don't know how worthy it is, feel free to shoot it
>down... (but I'd appreciate knowing what's wrong with it for my own
>education :-)).
>
>What if you encapsulated your code that must run as root in some kind of
>daemon that listens locally only? Either network, and protected by a
>file, or maybe use a Unix domain socket or similar mechanism. Either
>use a proprietary protocol, or maybe have it serve up XML-RPC. Force
>all interaction between Zope and this code to use a defined interface.
>It would give you a place to do sanity checking on the commands being
>fed to the privileged code, and I would think it would provide some
>protection of the root code from a Zope compromise. To exploit your
>code, an attacker must first compromise Zope, and then figure out how
>to get your code to misbehave.
>
>
Well, my code doesn't have to "misbehave" to cause damage... if Zope
security is compromised, then the whole system is compromised, so I
don't think your idea is applicable to my case. Nevertheless, what you
propose is a nice architecture which could be used in other cases.
For example, a "file manager" with root privileges doesn't have to be
compromised. If one bypasses Zope security, he can do all the damage he
wants :)
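
The locally listening privileged daemon proposed in the quoted message, as an added example (not code from either poster or from Zope). The JSON request format, the `restart`/`delete` operations, `BASE_DIR`, `SERVICES`, `ALLOWED_UID` and the injected `execute` callback are assumptions; `SO_PEERCRED` is Linux-specific.

```python
import json, os, socket, struct

ALLOWED_UID = os.getuid()  # assumption: demo uses current uid; deploy with the uid Zope runs as
BASE_DIR = os.path.realpath("/srv/app/files")  # assumption: only tree the helper may touch
SERVICES = {"apache", "postfix"}               # assumption: services Zope may restart

def peer_uid(conn):
    """uid of the process on the other end of a Unix socket (kernel-reported)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def validate(request):
    """Return (op, arg) if the request fits the defined interface, else raise ValueError."""
    op, arg = request.get("op"), request.get("arg")
    if not isinstance(arg, str):
        raise ValueError("arg must be a string")
    if op == "restart":
        if arg not in SERVICES:
            raise ValueError("unknown service")
        return op, arg
    if op == "delete":
        # Resolve symlinks and ".." before checking the path stays under BASE_DIR.
        path = os.path.realpath(os.path.join(BASE_DIR, arg))
        if path == BASE_DIR or os.path.commonpath([path, BASE_DIR]) != BASE_DIR:
            raise ValueError("path escapes base directory")
        return op, path
    raise ValueError("operation not in interface")

def handle(conn, execute):
    """Read one JSON request, check caller and arguments, then call execute(op, arg)."""
    try:
        if peer_uid(conn) != ALLOWED_UID:
            raise ValueError("caller not allowed")
        op, arg = validate(json.loads(conn.recv(4096).decode()))
        reply = {"ok": True, "result": execute(op, arg)}
    except (ValueError, AttributeError) as err:  # bad JSON, non-object, failed check
        reply = {"ok": False, "error": str(err)}
    conn.sendall(json.dumps(reply).encode())
    return reply

def serve(sock_path, execute):
    """Accept loop for the root-owned helper; socket file is created owner-only."""
    os.umask(0o177)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            handle(conn, execute)
```

A caller that has taken over Zope can still invoke every operation this interface allows, which is the limitation raised in the reply above; the checks only bound the damage to those operations and arguments.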