[ZODB-Dev] ZEO and Security

Bill Anderson bill@libc.org
07 May 2001 16:33:41 -0600


On 07 May 2001 15:42:47 -0400, Andrew Kuchling wrote:
> "Jeremy Hylton" <jeremy@digicool.com> wrote:
> > controlling access to the database.  For any interesting application,
> > however, there needs to be some real access control machinery.
> > Something like Python's rexec, which can be used to force a client to
> > use an object's official interface, seems like the right place to
> > start.
> >
> > On the whole, it seems like a big project.
> 
> I'm doubtful that it can be made convincingly secure, though, because
> there's no obvious small core of code to be audited.  Right now if you
> wanted to put a ZEO server up for open access from anywhere on the
> Internet, you'd need to examine ZEO and the ZODB and the storage in
> use and asyncore and ExtensionClass and cPickle.  Are all of these
> components secure against malicious input?  How many of them have been
> carefully audited by people experienced with security?  (I'll bet
> 'none', because I don't know of anyone in the Python community with
> security experience.)  That's a large amount of complicated code to
> audit, and a single error might mean that the security is illusory.
> Adding another big glob of access control machinery may help,
> depending on where it's added, but it might also just add another set
> of code that needs auditing.  

And how is this different than say, Zope?

> 
> Somewhere Bruce Schneier wrote about partial security being worse than
> no security, because it encourages doing riskier things, making the
> damage from a breach more serious when one does happen.  If you
> document the ZODB and ZEO as being unsafe, then people will simply
> have to design their systems in a way that protects the ZODB from
> being exposed to the outside world.

Well, in some respects it is true that some is worse than more, but
your documentation argument applies just as well to some. For example,
if we were to have a basic challenge/response mechanism, we could
document it just the same as if we had nothing.

"ZEO has absolutely ZErO security features."
... is not much (if any) different than 
"ZEO has only a simple challenge/response mechanism, which has not been
fully audited"?

Actually there is one difference. With no thoughts to security, those in
the open source community that _would_ audit the code will not be
interested. Why bother auditing the code if it is already wide open?

HTTP's BasicAuth is insecure as hell, and everyone knows it. That's why
they put SSL over the top of it if they want to do anything 'secure'.
It's not like we are doing this for the NSA ;)

Bill
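The "basic challenge/response mechanism" floated above, as an added illustration that is not ZEO's code and not anything posted in this thread: a server hands out a random nonce, the client answers with an HMAC of the nonce under a shared secret, and the server checks the answer in constant time and refuses to accept the same nonce twice. Beside it, for the BasicAuth comparison, a function that shows the password is recoverable from a Basic header by anyone who sees the wire. The user name, the secret, and the function names are constructed for the example.

```python
"""Shared-secret challenge/response vs. HTTP Basic auth (added example, not ZEO code)."""
import base64
import hashlib
import hmac
import os

# Constructed sample credential store (hypothetical user and secret).
SECRETS = {"zeo-client-1": b"correct horse battery staple"}


class Server:
    """Holds the shared secrets and tracks outstanding and consumed nonces."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._pending = {}   # user -> nonce we are currently waiting on
        self._used = set()   # nonces already consumed; never accepted again

    def challenge(self, user):
        # Always issue a nonce, even for unknown users, so a probe cannot
        # tell a valid user name from an invalid one by this step alone.
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        # A challenge is single-use: it is consumed whether or not it succeeds.
        expected_nonce = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if expected_nonce is None or secret is None:
            return False
        if nonce != expected_nonce or nonce in self._used:
            return False          # stale, replayed, or forged nonce
        self._used.add(nonce)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison so a wrong guess leaks nothing by timing.
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """What the client sends back: HMAC-SHA256(secret, nonce). No secret on the wire."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_handshake(server, user, secret):
    """Full exchange from the client's point of view; True on success."""
    nonce = server.challenge(user)
    return server.verify(user, nonce, client_respond(secret, nonce))


def replay_demo():
    """An eavesdropper captures (nonce, response) and sends it again.
    Returns (first_attempt_ok, replay_ok)."""
    server = Server(SECRETS)
    user = "zeo-client-1"
    nonce = server.challenge(user)
    captured = client_respond(SECRETS[user], nonce)
    first = server.verify(user, nonce, captured)
    replay = server.verify(user, nonce, captured)
    return first, replay


def basic_auth_header(user, password):
    """HTTP Basic: the credential is only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def password_from_basic_header(header):
    """What anyone on the path can do with a captured Basic header."""
    token = header.split("Basic ", 1)[1]
    return base64.b64decode(token).decode().split(":", 1)[1]


if __name__ == "__main__":
    srv = Server(SECRETS)
    print("good secret:", run_handshake(srv, "zeo-client-1", SECRETS["zeo-client-1"]))
    print("bad secret: ", run_handshake(srv, "zeo-client-1", b"guess"))
    print("replay:     ", replay_demo())
    hdr = basic_auth_header("alice", "s3cret")
    print(hdr, "->", password_from_basic_header(hdr))
```

Two caveats a practitioner would attach to this. The server must keep the shared secret itself (not a hash of it) to compute the expected HMAC, so a compromised server still yields every client's secret; and the handshake only authenticates the start of the connection, it does nothing for the confidentiality or integrity of the traffic that follows, which is exactly why SSL/TLS gets layered over both this and BasicAuth in practice.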