[Zope] Re: Zope Security

Tres Seaver tseaver at palladion.com
Thu Jan 12 12:40:44 EST 2006



michael nt milne wrote:
> Hi
> 
> Just a quick query about Zope security etc. I've got an installation on a
> Windows server using Apache, which also hosts internal email/data etc. This
> is behind a router/firewall. Just wondering if there are any Zope security
> issues that I should be aware of? How secure is Zope?
> 
> Thanks
> 
> Michael
> 
> PS This is a re-send as it bounced the first time round.

I would rate Zope overall as a reasonably secure platform.  Because the
bulk of it, including all the socket handling code, is written in
Python, it does not suffer from buffer overflow problems.  If you look
at the list of security alerts ("hotfixes", see

you will note that the *vast* majority of them have been relevant only
for sites which allow less-than-fully-trusted users to write
through-the-web code, a use case which most sites do not have.

Zope's own security model is used to protect data within the ZODB from
improper access by site visitors.  It is possible to configure the model
for *very* fine-grained access control;  OTOH, safely using such
power requires mastering a good deal of complexity.  Other frameworks
build atop Zope (CMF, Plone, Silva, CPS) present reduced views of that
flexibility, tailored to well-understood patterns.

For machines which handle both Zope and other sensitive data:

 - Zope is a long-running process:  the user-as-whom-Zope-runs (UAWZR),
   should ideally be a dedicated account, with read access to the Zope
   instance directory ("INSTANCE_HOME"), Zope software directories, and
   necessary system libraries, and write access only to the directories
   where it writes its data and logfiles (the '$INSTANCE_HOME/var').

 - Zope's own security model trusts the filesystem code implicitly,
   which means that you *don't* want to give arbitrary access to the
   software directory or the instance home.  You should probably block
   even read access to the 'var' subdirectory, as the database files
   there might expose sensitive data to prying eyes.

Note that none of this advice is Windows-specific.  One bit which is:

  - When running a ZEO storage server, you need to protect the socket
    on which it listens from unauthorized access.  On a Unix box, you
    can make it a Unix-domain socket, which can be protected with
    appropriate filesystem permissions.  If using a TCP socket (required
    on Windows), you need to configure it to listen only on "trusted"
    interfaces, e.g., localhost, or an IP address which is in a
    carefully firewalled subnet.


Tres.
--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
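As an added illustration of the two points above (not part of Tres's message or of the Zope project's own tooling), here is a small POSIX shell audit that classifies a ZEO "address" value and checks whether the instance's 'var' directory is readable by anyone other than its owner. It assumes a ZEO instance layout with `$INSTANCE_HOME/etc/zeo.conf` and `$INSTANCE_HOME/var`, and the zeo.conf "address" forms HOST:PORT, bare PORT (all interfaces), or a filesystem path (Unix-domain socket); those assumptions are hypothetical for the purpose of the example.

```shell
#!/bin/sh
# Added example, not from the original message or the Zope project.
# Assumes zeo.conf's "address" key takes HOST:PORT, a bare PORT (binds all
# interfaces), or a path containing a slash (Unix-domain socket).

# Classify one ZEO address value as "unix", "loopback" or "exposed".
classify_zeo_address() {
    case "$1" in
        */*)                 echo unix ;;      # Unix-domain socket path
        127.*:*|localhost:*) echo loopback ;;  # reachable from this host only
        *)                   echo exposed ;;   # bare port or non-loopback host
    esac
}

# First 'address' value in a zeo.conf, with '#' comments stripped.
zeo_address_from_conf() {
    sed 's/#.*//' "$1" | awk '$1 == "address" { print $2; exit }'
}

# "ok" when neither group nor others hold a read bit on the directory,
# otherwise "readable-by-others" (the ZODB files in 'var' should not be).
var_dir_readable_by_others() {
    group_other=$(ls -ld "$1" | cut -c5-10)   # permission chars for group+other
    case "$group_other" in
        *r*) echo readable-by-others ;;
        *)   echo ok ;;
    esac
}

# Audit one instance home (assumed layout: etc/zeo.conf and var/).
# Prints a line per finding; returns 1 if anything needs attention.
audit_instance() {
    instance_home="$1"; rc=0
    addr=$(zeo_address_from_conf "$instance_home/etc/zeo.conf")
    kind=$(classify_zeo_address "$addr")
    echo "zeo address '$addr': $kind"
    [ "$kind" = exposed ] && rc=1
    var_state=$(var_dir_readable_by_others "$instance_home/var")
    echo "var directory: $var_state"
    [ "$var_state" = ok ] || rc=1
    return $rc
}
```

Run it as `audit_instance /path/to/instance` from a shell that has sourced the script; a non-zero exit means the ZEO socket is bound to all interfaces or 'var' is readable beyond the Zope account.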