[Zope] Automatically import a zexp

Mike Renfro renfro@tntech.edu
Wed, 23 Jan 2002 09:42:32 -0600


On Tue, Jan 22, 2002 at 06:17:48PM +0100, Oliver Bleutgen wrote:

> > wget --proxy=off --http-user=${ZOPEUSER} --http-pass=${PASSWD} \
> >     http://${HOST}:${PORT}/Control_Panel/Products/${prod}/manage_importObject?file=${IMPORT}
> > 
> > but I think I really do not have to tell you that this can not be the
> > recommended way to go.
> > 
> 
> Dumb question, why not? What (linux-) privilege level does one need to
> install a new package?
> If you think that installing filesystem products the way you described 
> is secure, then I don't see why using this shell script isn't, provided 
> it is only readable by the right user(s).

Assuming the server has non-administrative users with login
privileges, if they run 'ps auxwww' at just the right time, they've
captured all your command line arguments to wget... including your
Zope administrative username and password. Python product installation
doesn't carry that particular risk.

One way to eliminate that possibility would be to use a browser other
than wget, something that can prompt for the administrative username
and password when needed, or read them from a protected file.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
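
Added example, not part of the original message: one way to apply the "protected file" suggestion above, keeping the password out of wget's arguments by storing it in an owner-only netrc file (wget reads $HOME/.netrc), plus a check that flags password options in ps output. The function names and all host, user, product and password values are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Host, user, product and password values are constructed.

# Store credentials in a netrc-format file that only the owner can read.
# The password is read from stdin and written by the shell's builtin printf,
# so it never becomes an argument of any process.
write_netrc() {  # usage: write_netrc FILE HOST USER   (password on stdin)
    (
        umask 077
        rm -f -- "$1"            # drop any older copy with looser permissions
        IFS= read -r pw || exit 1
        printf 'machine %s login %s password %s\n' "$2" "$3" "$pw" > "$1"
    )
}

# Succeed only if FILE is a regular file with no group/other permission bits.
cred_file_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null) || return 1
    case $perms in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if a command line, as 'ps auxwww' shows it, carries a wget password
# option (--http-pass is the spelling used in the thread; the pattern also
# covers longer spellings that start the same way).
argv_leaks_credentials() {
    case $1 in
        *--http-pass*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read 'PID ARGS...' lines on stdin (e.g. from: ps -eo pid,args) and print the
# PID of every process whose arguments expose a password.
scan_ps() {
    while read -r pid args; do
        if argv_leaks_credentials "$args"; then echo "$pid"; fi
    done
}

# Build the import request without credentials; wget looks them up in
# $HOME/.netrc when the server asks for authentication.
import_cmd() {  # usage: import_cmd HOST PORT PRODUCT ZEXP
    printf 'wget --proxy=off http://%s:%s/Control_Panel/Products/%s/manage_importObject?file=%s\n' \
        "$1" "$2" "$3" "$4"
}
```

Call write_netrc with "$HOME/.netrc" as FILE and verify it with cred_file_is_private before each scripted import.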