[Zope] no accounts in root user folder?
JPenny at ykksnap-america.com
Thu Aug 10 14:59:49 EDT 2006
zope-bounces+jpenny=ykksnap-america.com at zope.org wrote on 08/10/2006 02:02:28 PM:
> Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> >I have a zope app in a folder and have an exUserFolder in there to
> >authenticate the app's users. The app is working fine and i get
> >authenticated by the exUserFolder and everything works. I tried to
> >delete the single "admin" account (with Manager privileges) from the
> >root standard user folder and the app breaks with:
> >
> >Unauthorized: You are not allowed to access 'call_backend' in this
> >context
> >
> >where 'call_backend' is an External Method called by a Python Script.
> >All objects in zope are owned by the "admin". Could this be causing the
> >problem?
>
> Others already answered "yes".
>
> I just would like to add that this is due to the "executable owner"
> feature, introduced in Zope 2.2 to make Trojan horse attacks much
> more difficult. You may still be able to find the corresponding
> documentation (maybe even in the Zope Book, 2.7 edition, on "Plope.org").
>
>
I would also add that it is usually a really good idea to put only
admin users in the root folder anyway.

This gives you additional protection from several problems: it makes
database connection methods much harder to see, it protects you from
bugs in add-on acl_users products, it keeps people from doing things
like adding a siteroot to your root folder, and it keeps people out of
the Control_Panel.

The only thing that I can imagine that you would want non-admins to have
access to in the root folder is the error_log.

In a large organization, I could see that you would want programmers
who do not have admin rights to be able to see it. That might take some
special handling, but I suspect that you could use a proxy role or
even just set its access to Anonymous (although that may lead to
unintended information leakage).

jim penny
>
> --
> Dieter
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
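The behaviour the thread describes (a script owned by a deleted account failing with Unauthorized, and a proxy role letting a non-admin read a Manager-only object) can be modelled in a few lines. The following is an added illustration, not Zope's own code: the classes `User`, `UserFolder` and `Executable`, the functions `check_access`, `allowed` and `scenarios`, and the users and grants inside `scenarios` are all constructed for this model. Only the role names, the "nobody" fallback for an owner that no longer exists, and the order of the two checks (owner first, then caller or proxy roles) mirror Zope 2's security policy.

```python
"""Simplified model of Zope 2's "executable owner" check (added illustration,
not Zope's own code).

Before a Python Script or External Method may touch a protected object, Zope
checks that the executable's OWNER is allowed, and then that the CALLER (or
the executable's proxy roles, if any) is allowed.  An owner whose account was
deleted resolves to the special "nobody" user, which holds only the Anonymous
role, so anything not open to Anonymous fails with Unauthorized.  Proxy roles
replace the caller's roles but never the owner check.
"""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised where Zope would raise AccessControl.Unauthorized."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Zope's fallback when the owning account can no longer be found.
NOBODY = User("nobody", frozenset({"Anonymous"}))


class UserFolder:
    """Stand-in for an acl_users folder: a name -> User mapping."""

    def __init__(self, *users: User):
        self._users = {u.name: u for u in users}

    def get_user(self, name: str):
        return self._users.get(name)

    def delete_user(self, name: str) -> None:
        self._users.pop(name, None)


@dataclass
class Executable:
    """A Python Script or External Method, owned by a user in a user folder."""
    name: str
    owner_name: str
    owner_folder: UserFolder
    proxy_roles: frozenset = frozenset()

    def owner(self) -> User:
        return self.owner_folder.get_user(self.owner_name) or NOBODY


def _role_allows(held: frozenset, granting: frozenset) -> bool:
    # A permission granted to Anonymous is open to everyone, as in Zope.
    return "Anonymous" in granting or bool(held & granting)


def check_access(executable: Executable, caller: User, granting_roles: frozenset) -> bool:
    """True if `executable`, run by `caller`, may use a resource whose permission
    is granted to `granting_roles`; raises Unauthorized otherwise."""
    # 1. Ownership check: a deleted owner is "nobody", so only
    #    Anonymous-granted resources get past this point.
    if not _role_allows(executable.owner().roles, granting_roles):
        raise Unauthorized(f"owner of {executable.name!r} is not allowed")
    # 2. Caller check: proxy roles, when set, stand in for the caller's roles.
    effective = executable.proxy_roles or caller.roles
    if not _role_allows(effective, granting_roles):
        raise Unauthorized(f"{caller.name!r} may not access via {executable.name!r}")
    return True


def allowed(executable: Executable, caller: User, granting_roles: frozenset) -> bool:
    """check_access as a boolean, for the scenarios below."""
    try:
        return check_access(executable, caller, granting_roles)
    except Unauthorized:
        return False


def scenarios() -> dict:
    """Replay the thread's situations with constructed users, scripts and grants."""
    app_grant = frozenset({"Manager", "AppUser"})  # permission on the backend object
    manager_only = frozenset({"Manager"})          # e.g. the root error_log
    open_grant = frozenset({"Anonymous"})          # "set its access to Anonymous"
    root_acl = UserFolder(User("admin", frozenset({"Manager"})))
    # The app user authenticates in a subfolder's exUserFolder, not in root.
    app_user = User("appuser", frozenset({"Authenticated", "AppUser"}))
    call_backend = Executable("call_backend", "admin", root_acl)
    log_reader = Executable("read_error_log", "admin", root_acl)
    log_reader_proxied = Executable("read_error_log", "admin", root_acl,
                                    proxy_roles=frozenset({"Manager"}))
    results = {
        "app_works": allowed(call_backend, app_user, app_grant),
        "error_log_without_proxy_role": allowed(log_reader, app_user, manager_only),
        "error_log_with_proxy_role": allowed(log_reader_proxied, app_user, manager_only),
    }
    # The question: delete "admin" from the root user folder.
    root_acl.delete_user("admin")
    results["app_after_owner_deleted"] = allowed(call_backend, app_user, app_grant)
    results["proxy_role_after_owner_deleted"] = allowed(log_reader_proxied, app_user, manager_only)
    results["anonymous_after_owner_deleted"] = allowed(call_backend, app_user, open_grant)
    return results


if __name__ == "__main__":
    for scenario, ok in scenarios().items():
        print(f"{scenario:32} {'ok' if ok else 'Unauthorized'}")
```

Two things the model makes visible: a proxy role does not rescue a script whose owner is gone, because the owner check runs before the proxy roles are consulted, and an object granted to Anonymous passes even with a "nobody" owner, which is exactly why opening the error_log that way can leak information.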