[Zope] localfs, how to secure for homedirs...

Jim Penny jpenny@universal-fasteners.com
Thu, 20 Mar 2003 16:26:45 -0500

On Thu, Mar 20, 2003 at 03:52:45PM -0500, Meehan, Francois wrote:
> Hi all,
> I want to implement localfs to give users remote access to their home
> directories. I want to create a localfs object per user. How can I secure
> this, so a given user can only see his own stuff and prevent the others for
> accessing it?
> Are roles the answers?


Localfs objects have to be readable (at least) by the userid that zope
is running as.  Zope should not be run as root, for a variety of good
reasons.  Presumably your users own their own files, and in a modern
system, are proably in individual groups.

This gives you two options; neither inherently secure.  Either you can
write some kind of suid root program to read/write the files, or you can
put zope's groupid in the group of each individual user.

In either case, you are intentionally creating an agent that can bypass
normal filesystem security.  This means that this agent has to be
simple, rock solid, and totally paranoid.  It has to check that each
user has the right to access the directory/file he is trying to access
for the purpose that he is accessing it.

And this gets into tough policy decisions.  Do you read /etc/passwd to
determine the home directory of each user?  Do you know how zope userids
correspond to system userids?  Where is this kept?  Do you honor umask
settings?  Can you find them?  Do you honor read bits, if you are using
a suid root program, that is, can joe read a chmod 000 file in his own
home directory?

Then you implement the policy in your own code.  Fun, eh?

Jim Penny

> Francois
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )