[Zope] The Ascetic Superuser

Chris McDonough chrism@digicool.com
Tue, 5 Sep 2000 19:20:49 -0400 (EDT)


On Tue, 5 Sep 2000, ethan mindlace fremen wrote:
> Now every object executes according to the permission of the owner,
> *not* the viewer. It can also run as a proxy role.  The
> super-bootstrap-user lives outside of "normal" zope authentication & has
> permission to do anything save that which NotEvenGodShouldDo.
> Therefore, it shouldn't own objects.

Methods actually now execute with the effective intersection of the
permissions granted to the AUTHENTICATED_USER and the permissions
granted to the method's owner.  If a proxy role is specified, the method
executes with permissions restricted to those roles assigned by the proxy
role.

This is unarguably a good thing.  What's not entirely clear is *why*
super can't own, which is a separate issue.  The power it has beyond
that of a normal management user is the ability to traverse the site
unrestricted by the security machinery.  I actually don't think
there's an answer to this question that has to do with method
execution.  I think the ultimate answer is one or a few of the
following: "because," "shrug," "for audit trail purposes," or "so you
don't shoot yourself in the foot," or "be quiet."  :-) Alternately,
the answer might lie in an unobvious implementation detail that none
of us really want to think about.

> This is *quite* important, and needs to stay.  I don't know how to
> emphasize enough that this is a well thought out correction to an
> extremely deadly class of security problems that still (afaik) plagues
> many "other" through-the-web management systems.

I just can't think of any situations where having a method execute with
the effective intersection of the permissions granted to superuser and
the permissions granted to another user would cause more damage
than a method executing with the effective intersection of the permissions
granted to a normal management user and another user.  Can you?

> The newbie pain, however, could probably be mitigated- don't call it a
> Super user, since it hardly deserves the S or the cape.  Have a user in
> the default install.  Something like that.

I agree.  This should happen soon.

Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
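Added example, not part of the original mailing-list message and not
code from Zope itself: a toy model of the execution rule the message
describes (effective permissions = caller's permissions intersected with
the owner's; a proxy role replaces both). It also checks the point made
about superuser ownership: because the intersection can never exceed the
caller's own permissions, a method owned by an all-powerful account gives
an anonymous caller exactly what a Manager-owned one would. The role and
permission names, the User/Method classes and the superuser flag are all
constructed assumptions for the illustration.

```python
# Toy model of "intersection of caller and owner permissions" (assumed
# semantics from the message, not Zope's real security machinery).
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed role -> permission map (hypothetical, for illustration only).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Anonymous": frozenset({"View"}),
    "Editor": frozenset({"View", "Add Documents"}),
    "Manager": frozenset({"View", "Add Documents", "Delete objects",
                          "Change permissions"}),
}

# The bootstrap "super" account is modelled as holding every permission.
ALL_PERMISSIONS: FrozenSet[str] = frozenset().union(*ROLE_PERMISSIONS.values())


def permissions_for_roles(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions granted to each role."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


class User:
    def __init__(self, name: str, roles: Iterable[str] = (),
                 superuser: bool = False):
        self.name = name
        self.roles = tuple(roles)
        self.superuser = superuser  # assumed flag for the bootstrap user

    def permissions(self) -> FrozenSet[str]:
        if self.superuser:
            return ALL_PERMISSIONS
        return permissions_for_roles(self.roles)


class Method:
    def __init__(self, name: str, owner: Optional[User],
                 proxy_roles: Iterable[str] = ()):
        self.name = name
        self.owner = owner
        self.proxy_roles = tuple(proxy_roles)


def effective_permissions(method: Method, caller: User) -> FrozenSet[str]:
    """Permissions a method runs with when `caller` invokes it."""
    # A proxy role replaces both caller and owner: the method runs with
    # exactly the permissions of the proxy roles.
    if method.proxy_roles:
        return permissions_for_roles(method.proxy_roles)
    caller_perms = caller.permissions()
    # Unowned method: nothing to intersect with, caller's permissions apply.
    if method.owner is None:
        return caller_perms
    # Owned method: intersection of caller's and owner's permissions.
    return caller_perms & method.owner.permissions()


def may(method: Method, caller: User, permission: str) -> bool:
    return permission in effective_permissions(method, caller)


if __name__ == "__main__":
    anon = User("anonymous", ["Anonymous"])
    manager = User("alice", ["Manager"])
    root = User("super", superuser=True)

    owned_by_manager = Method("index_html", owner=manager)
    owned_by_super = Method("index_html", owner=root)
    # Both give an anonymous caller only {"View"}: the intersection is
    # bounded by the caller, so super ownership adds no extra power.
    print(sorted(effective_permissions(owned_by_manager, anon)))
    print(sorted(effective_permissions(owned_by_super, anon)))
    # A proxy role is the one case that widens what a caller can do.
    proxied = Method("cleanup", owner=manager, proxy_roles=["Manager"])
    print(may(proxied, anon, "Delete objects"))
```

The proxy-role branch is the only path that lets an anonymous caller
exercise a permission it does not hold, which is why proxy roles, not
owner identity, are where a reviewer should look when auditing who can do
what through a given method.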