[Zope] Import from file via management-interface

Tino Wildenhain tino@wildenhain.de
Sat, 09 Sep 2000 15:54:25 +0200


Martijn Pieters wrote:
> On Sat, Sep 09, 2000 at 09:39:33AM +0200, Tino Wildenhain wrote:
> > Terry Kerr wrote:
> > >
> > > you can write anything destructive, whether it is an external method, a DTML
> > > Method, or basically anything.  At least if the only way you can import .zexp's
> > > is from the import directory, then only people with access to the zope file
> > > structure can import stuff...that will usually be restricted to system
> > > administrators or superuser people.
> >
> > Hm. I dont see the point here. First you can restrict the ability to
> > Export/Import in the users role.
> > Second, the either the superuser has to be bothered with imports or
> > you have to grant all the people access to the file system.
> > This would be much lesser security as beeing able to import via web.
> >
> > May be I schould have a deeper look at the ownership-problem.
> >
> > Giving the importing user ownership over all objects (s)he imports
> > as long it is not the superuser, schould do the trick.
> The problem is not so much ownership of the objects imported, but the type
> of objects that can be instanciated from a pickle (the export format
> wether XML or binary, consists of pickled classes).
> You can create _everything_ from a pickle, as long as there is a class
> definition for it; including a monitor client. I can open up a high port
> on your machine that'll let me connect to your Zope process in a python
> interpreter prompt. Then your server is my oister.

Thats badly true, but importing of a whole bunch of objects is also 
often needed. IIRC does pickle only handle instance data but not
class code. (although I see using of marshal in the import code
which does in fact import code as oposite to pickle)
Importing instance data schould not be a problem since it can only work
if the user in question has access to the classes. 
This access is already handled by permissions.

Moreover we could restrict importing via web to the superuser at all.

> Allowing imports from arbitrary paths will let me exploit security holes
> in other internet daemons on your machine to create a pickle file for
> import; preferably the /tmp directory as it is world writeable.
> Restricting imports to one directory allows you to be much more
> restrictive as to who can write there.
> You can set up restricted FTP access or even only allow scp (ssh encrypted
> file transfer) for trusted people to upload exports to the Zope import
> directory if you need to give others import rights.

Uh, do you know any ssh-daemon for windows? ;-)

Regards ;-)