[Zope] Re: External Methods, Proxy Roles, and Executable Security
Tres Seaver
tseaver at palladion.com
Tue Nov 22 16:51:04 EST 2005
Jens Vagelpohl wrote:
>
> On 22 Nov 2005, at 20:08, Dieter Maurer wrote:
>
>> You have lost the thread's start:
>>
>> George's problem has been that he could not move an object
>> in an *EXTERNAL METHOD*, i.e. in trusted filesystem code.
>>
>> He would have the same problem in a filesystem product.
>>
>> The problem is that "CopySupport" performs a local security
>> check (in "_verifyObjectPaste") independent from its caller
>> (it does not matter whether the rename/move/copy was
>> called from trusted or untrusted code).
>>
>> With appropriate proxy roles, an untrusted Python Script can perform some
>> rename/move/copy that trusted code is unable to perform.
>>
>> I assume you can agree that this is a somewhat unsane situation...
>
>
> Yes, that's very odd... thanks for reminding me of the thread's start!
The actual problem here is a confusion of "authorization" with
"containment constraints": the CopySupport code is using a single check
to test both, which makes it impossible to do the Right Thing (TM):
either the proxy roles should be taken into account, in which case the
containment constraint may be violated, or they shouldn't, in which case
a proxy-role-granted script cannot be used to perform a "controlled"
paste which would otherwise not be authorized.
Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
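An illustration of the distinction Tres draws above, added here as an example; it is not code from the thread or from Zope. It is a toy model of a paste check in which the containment constraint (which object types a folder may hold at all) and authorization (whether the effective principal may add objects here) are first folded into one check and then separated. Every name in it (Principal, Context, Folder, verify_paste_conflated, verify_paste_split, scenario) is invented for the example; Zope's real CopySupport._verifyObjectPaste differs in detail.

```python
"""Authorization vs. containment in a paste check.

Toy model for illustration only; not Zope's CopySupport code.
All class and function names here are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Context:
    """Effective security context of the code performing the paste.

    trusted:     True for filesystem code (External Methods, products),
                 which runs outside the restricted-Python sandbox and is
                 responsible for its own authorization decisions.
    proxy_roles: roles granted to a Python Script via proxy roles; while the
                 script runs they replace the principal's own roles.
    """
    principal: Principal
    trusted: bool = False
    proxy_roles: Optional[frozenset] = None

    def effective_roles(self) -> frozenset:
        if self.proxy_roles is not None:
            return self.proxy_roles
        return self.principal.roles


@dataclass(frozen=True)
class Folder:
    name: str
    allowed_types: frozenset   # containment constraint (structural)
    add_roles: frozenset       # roles allowed to add objects here (authorization)


def containment_ok(target: Folder, obj_type: str) -> bool:
    """May an object of this type live in target at all?
    Independent of who asks; never waived by trust or proxy roles."""
    return obj_type in target.allowed_types


def authorized(ctx: Context, target: Folder) -> bool:
    """Does the effective principal hold a role that may add objects here?"""
    return bool(ctx.effective_roles() & target.add_roles)


def verify_paste_conflated(ctx: Context, target: Folder, obj_type: str) -> bool:
    """One check answering both questions at once, the shape the thread
    complains about: the caller's trust is ignored, so a trusted External
    Method running as an unprivileged user is refused while an untrusted
    script carrying proxy roles is let through."""
    return containment_ok(target, obj_type) and authorized(ctx, target)


def verify_paste_split(ctx: Context, target: Folder, obj_type: str) -> bool:
    """Separate the two concerns: containment is always enforced;
    authorization is enforced only for untrusted code, where proxy roles
    legitimately decide the outcome."""
    if not containment_ok(target, obj_type):
        return False
    if ctx.trusted:
        return True
    return authorized(ctx, target)


# Constructed scenario (not taken from the thread): a folder that accepts
# Folders and Documents, where only Managers may add objects.
FOLDER = Folder("site", frozenset({"Folder", "Document"}), frozenset({"Manager"}))
ANON = Principal("anonymous", frozenset({"Anonymous"}))

EXTERNAL_METHOD = Context(ANON, trusted=True)                       # trusted filesystem code
SCRIPT_PROXIED = Context(ANON, proxy_roles=frozenset({"Manager"}))  # untrusted script, proxy roles
SCRIPT_PLAIN = Context(ANON)                                        # untrusted script, no proxy roles


def scenario() -> dict:
    """Return each caller's result under both checks."""
    callers = {
        "external_method": EXTERNAL_METHOD,
        "script_proxied": SCRIPT_PROXIED,
        "script_plain": SCRIPT_PLAIN,
    }
    out = {}
    for name, ctx in callers.items():
        out[name] = {
            "conflated_document": verify_paste_conflated(ctx, FOLDER, "Document"),
            "split_document": verify_paste_split(ctx, FOLDER, "Document"),
            # "Image" is not an allowed type: containment fails for every caller
            "split_image": verify_paste_split(ctx, FOLDER, "Image"),
        }
    return out


if __name__ == "__main__":
    for caller, results in scenario().items():
        print(caller, results)
```

Under the conflated check the External Method (trusted code, unprivileged user) is refused while the proxy-role script is allowed, which is the situation Dieter calls unsane; under the split check trusted code passes, the proxy-role script still passes, the plain script is refused, and no caller can paste a type the folder does not admit.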