[Zope-dev] Server Side Trojan Issue really dead?

Steve Alexander steve@cat-box.net
Mon, 07 Aug 2000 12:49:33 +0100


Steve Alexander wrote:
> 
> When I write a product that allows users to edit executable content, I
> have an extra responsibility to collaborate with the new security model.
> 
> I reckon that it is up to the ZWiki product to change ownership
> appropriately if the page is edited. The zope security system can't
> possibly know about what constitutes editing executable content and what
> does not. Only a product author can know that.
> 
> As a general principle, executable content should never be editable by
> users with lower permissions than the owner of the content. This is the
> same principle system administrators use on a Unix system to know never
> to have a root-owned file that is executable by root, and also writable
> by others.
> 
> The problem with applying this principle in Zope is that the roles and
> permissions system is very expressive, and it is complex to know when
> one user has lower permissions than another.

However... the zope security system could help with this. Here's an
ill-thought-out idea for your consideration :-)

Have a function that takes two sets of permissions, and returns the
intersection of these sets. Then, use some sort of local permissions
combination to make the wiki page that's been edited have the resultant
lowest-common-denominator permissions, even for the owner.

Make this kind of thing a standard feature of the security system, and
write some guidelines to help out authors of products that allow editing
content that is also executable.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
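The permission-intersection idea in the post, worked through as an added Python illustration (this is not Zope code and not the author's; the permission names, the `Principal`/`ExecutableContent` classes and the `record_edit`/`audit_trojan_exposure` helpers are constructed for the example). When a user edits a page whose body can execute, the page is dropped to the intersection of its current effective permissions and the editor's, so a weaker editor can never inject code that later runs with the owner's rights. The audit function flags the Unix-style misconfiguration the post describes: executable content owned by a stronger principal but writable by a weaker one.

```python
from dataclasses import dataclass, field

# Constructed permission names for the example; not real Zope permission strings.
VIEW = "View"
EDIT = "Edit wiki page"
MANAGE = "Manage portal"
ADD_USERS = "Manage users"


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset


@dataclass
class ExecutableContent:
    """A page whose body may be executed (e.g. a script-bearing wiki page)."""
    name: str
    owner: Principal
    editors: frozenset            # principals granted the right to edit the page
    effective: frozenset = None   # permissions the page runs with; starts as owner's
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.effective is None:
            self.effective = self.owner.permissions


def intersect_permissions(a, b):
    """The primitive the post proposes: intersection of two permission sets."""
    return frozenset(a) & frozenset(b)


def has_lower_permissions(editor, owner):
    """True when the editor holds fewer rights than the owner (the 'lower
    permissions than the owner' condition from the post)."""
    return not (editor.permissions >= owner.permissions)


def record_edit(content, editor):
    """On edit, drop the page to the lowest common denominator of its current
    effective permissions and the editor's, even if the owner is stronger."""
    if editor != content.owner and editor not in content.editors:
        raise PermissionError(f"{editor.name} may not edit {content.name}")
    before = content.effective
    content.effective = intersect_permissions(content.effective, editor.permissions)
    content.history.append((editor.name, sorted(before), sorted(content.effective)))
    return content.effective


def can_execute_with(content, permission):
    """Would code in this page be allowed to use `permission` when it runs?"""
    return permission in content.effective


def audit_trojan_exposure(content):
    """Flag the dangerous configuration: the page executes with rights that
    some principal allowed to edit it does not itself hold."""
    return sorted(e.name for e in content.editors
                  if has_lower_permissions(e, content.owner)
                  and not e.permissions >= content.effective)


def demo():
    # Constructed principals: a powerful owner and a weaker editor.
    admin = Principal("admin", frozenset({VIEW, EDIT, MANAGE, ADD_USERS}))
    alice = Principal("alice", frozenset({VIEW, EDIT}))
    page = ExecutableContent("FrontPage", owner=admin, editors=frozenset({alice}))
    exposed_before = audit_trojan_exposure(page)   # alice could plant code that runs as admin
    record_edit(page, alice)                        # page now runs with alice's rights only
    exposed_after = audit_trojan_exposure(page)    # nothing left to flag
    return page, exposed_before, exposed_after


if __name__ == "__main__":
    page, before, after = demo()
    print("exposed before edit:", before)
    print("exposed after edit:", after)
    print("effective permissions now:", sorted(page.effective))
```

The audit runs over the static configuration (owner, editors, effective permissions) and needs no edit to have happened, so it can be applied to existing content to find pages that already match the writable-by-weaker-user pattern; the intersection step is what keeps a freshly edited page from reintroducing it.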