[ZODB-Dev] ZEO and Security

Andrew Kuchling akuchlin@mems-exchange.org
Mon, 7 May 2001 15:42:47 -0400


"Jeremy Hylton" <jeremy@digicool.com> wrote:
> controlling access to the database.  For any interesting application,
> however, there needs to be some real access control machinery.
> Something like Python's rexec, which can be used to force a client to
> use an object's official interface, seems like the right place to
> start.
>
> On the whole, it seems like a big project.

I'm doubtful that it can be made convincingly secure, though, because
there's no obvious small core of code to be audited.  Right now if you
wanted to put a ZEO server up for open access from anywhere on the
Internet, you'd need to examine ZEO and the ZODB and the storage in
use and asyncore and ExtensionClass and cPickle.  Are all of these
components secure against malicious input?  How many of them have been
carefully audited by people experienced with security?  (I'll bet
'none', because I don't know of anyone in the Python community with
security experience.)  That's a large amount of complicated code to
audit, and a single error might mean that the security is illusory.
Adding another big glob of access control machinery may help,
depending on where it's added, but it might also just add another set
of code that needs auditing.  

Somewhere Bruce Schneier wrote about partial security being worse than
no security, because it encourages doing riskier things, making the
damage from a breach more serious when one does happen.  If you
document the ZODB and ZEO as being unsafe, then people will simply
have to design their systems in a way that protects the ZODB from
being exposed to the outside world.

--amk
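The question above ("are all of these components secure against malicious input?") has a concrete answer for one of the named components, cPickle, and it is worth seeing rather than asserting. The following is an added illustration written for this page; it is not ZEO, ZODB or Zope code, and the names in it (RestrictedUnpickler, safe_loads, referenced_globals, DEFAULT_ALLOWED) are ours, not any ZEO API. It hand-builds a protocol-0 pickle (constructed sample bytes), shows that a plain load resolves and calls whatever callable the sender named, and shows the standard mitigation of restricting find_class to an allow-list of globals, plus an opcode scan that lists the globals a pickle would touch before anything is loaded.

```python
"""Why "secure against malicious input" is a real question for cPickle.

Added illustration, not ZEO/ZODB code. Builds a pickle by hand, shows that
plain pickle.loads() executes a call chosen by whoever produced the bytes,
and shows an unpickler that only resolves allow-listed globals. The names
here (RestrictedUnpickler, safe_loads, ...) are assumptions, not a ZEO API.
"""
import io
import pickle
import pickletools

# Constructed protocol-0 pickle. Loading it calls os.getpid() with no
# arguments, a harmless stand-in for os.system or subprocess.Popen, which
# the sender could name just as easily.
#   c  GLOBAL "os" "getpid"  -> push os.getpid
#   )  EMPTY_TUPLE           -> push ()
#   R  REDUCE                -> call os.getpid(*())
#   .  STOP
MALICIOUS_PICKLE = b"cos\ngetpid\n)R."

# Constructed benign pickle: plain containers, no global references.
BENIGN_PICKLE = pickle.dumps({"key": [1, 2, 3], "n": 7}, protocol=2)

# Globals a client may make the loader resolve. Empty is the safest
# default; extend only with types whose construction is side-effect free.
DEFAULT_ALLOWED = frozenset({
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
})


def referenced_globals(data):
    """List (module, name) pairs a pickle would import, without loading it.

    Walks the opcode stream with pickletools.genops. GLOBAL carries both
    names in its argument; STACK_GLOBAL (protocol 4+) takes them from the
    two most recently pushed strings, which are tracked here.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not in an explicit allow-list."""

    def __init__(self, file, allowed=DEFAULT_ALLOWED):
        super().__init__(file)
        self.allowed = allowed

    def find_class(self, module, name):
        # find_class is the single choke point through which GLOBAL,
        # STACK_GLOBAL and INST resolve callables; REDUCE, NEWOBJ and BUILD
        # can only call what came through here.
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def safe_loads(data, allowed=DEFAULT_ALLOWED):
    """Deserialize untrusted bytes with the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(data), allowed=allowed).load()


def unrestricted_loads(data):
    """Plain pickle.loads: resolves and calls anything the bytes name."""
    return pickle.loads(data)


def rejected(data, allowed=DEFAULT_ALLOWED):
    """True if safe_loads refuses the pickle instead of loading it."""
    try:
        safe_loads(data, allowed)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("globals named by malicious pickle:", referenced_globals(MALICIOUS_PICKLE))
    print("unrestricted load returned os.getpid():", unrestricted_loads(MALICIOUS_PICKLE))
    print("benign pickle via safe_loads:", safe_loads(BENIGN_PICKLE))
    print("malicious pickle rejected by safe_loads:", rejected(MALICIOUS_PICKLE))
```

Two caveats a reviewer would want stated. First, the allow-list only closes the "call an arbitrary global" door; an unpickler fed hostile bytes can still be driven into deep recursion or large allocations, so resource limits on the connection are a separate job. Second, every callable that is allow-listed becomes part of the trusted surface, which is exactly the point of the message above: the code to be audited is whatever the network can reach, and this restriction shrinks that set rather than adding to it.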