[ZODB-Dev] ZEO Server Security (long)

Jeremy Hylton jeremy@zope.com (Jeremy Hylton)
Fri, 17 Jan 2003 11:48:36 -0500


>>>>> "TD" == Toby Dickenson <tdickenson@geminidataloggers.com> writes:

  TD> On Tuesday 07 January 2003 9:04 am, Toby Dickenson wrote: <snip>

  >> Unfortunately the current ZEO *server* performs an unpickle
  >> operation on data provided by the client in several places. This
  >> means that any client can unconditionally compromise the ZEO
  >> server by sending a trojan pickle.  This attack can be launched
  >> by anything that can connect to the ZEO server, and is unaffected
  >> by precautions such as server-side read-only flags, and server
  >> authentication.

Agreed.  The ZEO server is not secure.  A large system configuration
must use other means to address security issues (for better or worse).

  TD> Fixing this completely is harder than I thought. Server-side
  TD> conflict resolution needs to be able to unpickle arbitrary
  TD> client-supplied pickles.  Fortunately this can't be used to
  TD> bypass a read-only flag or authentication.

This seems like the killer issue to me.  Most ZEO databases will
depend on being able to trust the pickles sent by the client because
there's a chance that the client will cause conflict resolution to be
invoked.  Any attack on the protocol could be launched just as easily
from an unmodified client that just sends trojan pickles.

But a client can already do arbitrary damage to a database.  It can
delete objects by committing new objects and calling pack.  While this
attack can be observed and corrected (hey! I didn't expect the
database to get packed now), it's easy to imagine that this goes
unnoticed until it is too late.

Another related attack would be to modify crucial database records to
depend on classes that aren't installed on other clients.

I find it hard to get excited about pickle security given all the
other problems with the system.

Jeremy
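The thread above turns on one mechanism: a server that unpickles client-supplied bytes will resolve whatever module/class names the pickle stream asks for. The example below is added here as an illustration and is not ZEO code, nor code from anyone in this thread; it is modern Python 3 rather than the Python 2 that ZEO ran on in 2003. It shows the standard mitigation the `pickle` documentation describes: subclass `pickle.Unpickler` and override `find_class` so that only an allowlisted set of globals can be resolved. The allowlist `SAFE_GLOBALS`, the helper names, and the two sample payloads are all constructed for this example. Note that this does not solve the conflict-resolution problem Toby raises, since a server that must resolve the application's own persistent classes would have to list every one of them.

```python
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve.
# Constructed for this example; a real server would enumerate its own
# persistent classes here, which is exactly the hard part the thread discusses.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL / STACK_GLOBAL reference not on the allowlist.

    Plain data (ints, strings, lists, dicts, tuples) never needs find_class,
    so it loads normally; any pickle naming a module-level object is rejected
    before the object is resolved, and therefore before it could be called.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s from untrusted pickle" % (module, name)
        )


def restricted_loads(data):
    """Drop-in replacement for pickle.loads that uses the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', value) on success or ('rejected', reason) on refusal."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def sample_inputs():
    """Two constructed payloads: benign application data, and one that merely
    names a builtin function.  The second contains only a GLOBAL reference and
    calls nothing; it stands in for any stream that asks the server to import
    something."""
    benign = pickle.dumps({"balance": 100, "tags": ["a", "b"]})
    names_global = pickle.dumps(len)  # serialises as a reference to builtins.len
    return benign, names_global


if __name__ == "__main__":
    benign, names_global = sample_inputs()
    print(try_load(benign))         # ('ok', {'balance': 100, 'tags': ['a', 'b']})
    print(try_load(names_global))   # ('rejected', 'refusing to resolve builtins.len ...')
```

The design point is that the check happens inside `find_class`, i.e. at name-resolution time, so no code referenced by the stream is ever imported or executed; an unrestricted `pickle.loads` of the second payload would instead happily return the `len` object.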