[Zope] root privileges required

Vangelis Mihalopoulos mihalop at VTrip.NET
Wed Jul 28 05:54:25 EDT 2004



Michael Ekstrand wrote:

>On Tuesday 27 July 2004 12:22, Vangelis Mihalopoulos wrote:
>
>>Well, I agree with you. But, still, using suid python scripts for
>>half of my app is a problem... believe me, it will be much easier for
>>someone to find a security flaw in my app than in Zope... :)
>
>Another idea... don't know how worthy it is, feel free to shoot it 
>down... (but I'd appreciate knowing what's wrong with it for my own 
>education :-)).
>
>What if you encapsulated your code that must run as root in some kind of 
>daemon that listens locally only? Either network, and protected by a 
>file, or maybe use a Unix domain socket or similar mechanism. Either 
>use a proprietary protocol, or maybe have it serve up XML-RPC. Force 
>all interaction between Zope and this code to use a defined interface. 
>It would give you a place to do sanity checking on the commands being 
>fed to the privileged code, and I would think it would provide some 
>protection of the root code from a Zope compromise. To exploit your 
>code, an attacker must first compromise Zope, and then figure out how 
>to get your code to misbehave.

Well, my code doesn't have to "misbehave" to cause damage... If Zope 
security is compromised, then the whole system is compromised, so I 
don't think your idea is applicable to my case. Nevertheless, what you 
propose is a nice architecture which could be used in other cases.
For example, a "file manager" with root privileges doesn't have to be 
compromised. If one bypasses Zope security, he can do all the damage he 
wants :)
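
An added example, not part of the original messages: one way the "defined interface" with sanity checking discussed above could look on the privileged side, as a validator the root daemon would run on each request read from its local socket before acting. The operation names, the JSON request shape and the /srv/managed root are assumptions made for illustration.

```python
import json
import os

# Assumed for illustration: operation names and managed root are hypothetical.
ALLOWED_OPS = {"list": 1, "delete": 1, "rename": 2}  # op -> number of path args
MANAGED_ROOT = "/srv/managed"
MAX_REQUEST = 4096


class Rejected(Exception):
    """Request refused before any privileged action is taken."""


def confine(path, root=MANAGED_ROOT):
    """Resolve path under root; refuse anything that ends up outside it."""
    if not isinstance(path, str) or "\x00" in path or os.path.isabs(path):
        raise Rejected("path must be a relative string")
    root_real = os.path.realpath(root)
    # realpath also resolves symlinks, so a link pointing out of root is caught
    full = os.path.realpath(os.path.join(root_real, path))
    if os.path.commonpath([full, root_real]) != root_real:
        raise Rejected("path escapes managed root")
    return full


def validate_request(raw, root=MANAGED_ROOT):
    """Parse one request (bytes) and return (op, [confined paths])."""
    if len(raw) > MAX_REQUEST:
        raise Rejected("request too large")
    try:
        req = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        raise Rejected("not valid JSON")
    if not isinstance(req, dict) or set(req) != {"op", "args"}:
        raise Rejected("unexpected fields")
    op, args = req["op"], req["args"]
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise Rejected("unknown operation")
    if not isinstance(args, list) or len(args) != ALLOWED_OPS[op]:
        raise Rejected("wrong argument count")
    return op, [confine(a, root) for a in args]
```

The validator only narrows what the unprivileged caller can ask for: every request that passes is still carried out as root inside the managed tree, which is the limit raised in the reply above.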


