[Zope3-dev] security problems with database adapters (second edition)

Velko Ivanov dachev at nove.bg
Mon Aug 29 08:54:52 EDT 2005


I forgot to add cc: for the list, sorry


Dmitry Vasiliev wrote:

>> Looking at the code, the ZopeConnection object is created by the
>> ZopeDatabaseAdapter class in zope.app.rdb (inherited by the actual
>> DatabaseAdapter) with a simple call -
>> self._v_connection = ZopeConnection(self._connection_factory(), self)
>> and the ZopeConnection class does not have anything that deals with
>> security, as far as I can see.
>
> See zope/app/rdb/configure.zcml for security declarations.

I mean - I see in the zcml configuration that the zope.ManageContent 
permission is required for ZopeConnection, but I don't see what in the 
ZopeConnection object could provide it for the user. So my explanation 
is that the security policy simply allows one special kind of user in 
all cases, without ever checking permission, and actually I found exactly 
the code that does that, by seeing if the user is system_user and just 
granting access if yes. I didn't go deep enough to confirm that a user 
with zope.Manager granted _from principals.zcml_ is assigned that 
property, it's just my guess. However, it seems to me that when the 
zope.Manager role is granted by the UI grant tool, the user doesn't get 
system_user, permissions are checked, a proxy is not found for the 
ZopeConnection and access is denied in all cases.

I can eventually create a functional test to demonstrate, but it will 
take too much effort to browse around for the bits I need (since it is a 
really good framework and code, but it is a complete nightmare for the 
newcomer to follow the logic through it).

The problem is easy to reproduce in a few simple steps - assuming clean 
installation from the .tgz release, here is what I do:

1. create an instance (of course), zope.Manager granted principal is 
created by the mkzopeinstance script.
2. uncomment the sample zope.Member principal 'frodo' in principals.zcml 
and run zope
-- using the browser from now on:
3. login with the zope.Manager principal, use the grant tool to grant 
zope.Manager role at the top of the site to the 'frodo' principal
4. go to manage site -> site management and add a database adapter, 
gadfly will do, dbi is something in the form of dbi://dbname;dir=/tmp, 
or any other dir as appropriate
5. login as frodo and go to /++etc++site/tools/yourdbaname
6. select the test page and just click on 'execute'
7. unauthorized
8. if you try (5),(6) with the zope.Manager principal, you will see the 
database adapter working as expected (producing an error in this example 
actually, but not 'unauthorized' exception)

> Can you repeat all these experiments on clean Z3 setup (without any
> additional components and without your old Data.fs file, check also for
> all possibly conflicting modules on the PYTHONPATH)?

I just downloaded Zope-3.1.0c2, installed it clean and got the same 
behaviour. I am using python 2.4.1 and I will check with 2.3.5 if 
needed, but I saw enough Zope3 code already and I don't think this will 
change anything.

I don't have much idea what module could be conflicting in the case of 
Zope3 and database adapters. The setup is clean, the test machine is 
freshly configured and I don't see what could get in the way, but I will 
check that more carefully too, if you can not reproduce the error at 
your side.

Regards,
Velko Ivanov


P.s.:
I changed the permissions for ZopeConnection, ZopeCursor and ZopeRow in 
zope/app/rdb/configure.zcml to zope.Public and it of course works, but 
that is again by going around the security policy, as with the 
system_user - it is just unconditionally allowing access if the 
permission is zope.Public.

