Re: [Zope] Regaining lost privileges

2000-09-04 Thread Andrew Kenneth Milton

+---[ Dieter Maurer ]--
| Andrew Kenneth Milton writes:
|  > Is there anyway to regain 'root' privs from inside a zope product?
|  > 
|  > Using the -u flag to start causes the privs to be permanently gone because
|  > z2.py uses setuid + setgid (and python doesn't seem to define sete[ug]id, at
|  > least not on my system).
|  > 
|  > Other than running zope as root permanently (which I really would like to
|  > avoid), does anyone have any quick ideas on how to achieve this?
| The same trick could be used by any process to gain root privileges
| 
| It is easy to implement a Python wrapper for the
| sete[ug]id.

I'm happy to write the wrapper, and also modify the Z2.py script to
only use seteuid if explicitly requested on the command line.

There's not much point in really doing so if there's only two people
who want to use it :-)

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd  |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
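To make the difference between z2.py's permanent drop and the proposed sete[ug]id wrapper concrete, here is a small model of the Linux real/effective/saved UID rules, written for this thread and not taken from Zope or from either poster; it ignores capabilities and setresuid(2) (modern Python exposes both os.seteuid and os.setresuid directly, so the wrapper itself is no longer needed). The UID 1000 is a constructed stand-in for the account named with -u.

```python
import os
from dataclasses import dataclass


class Eperm(Exception):
    """Raised where the kernel would return EPERM."""


@dataclass
class Creds:
    """Real, effective and saved UIDs of one process (simplified Linux rules)."""
    ruid: int
    euid: int
    suid: int

    def setuid(self, uid):
        # setuid(2): a caller with euid 0 changes all three IDs, so the drop
        # is permanent; an unprivileged caller may only pick its real or saved
        # UID, and only the effective ID moves.
        if self.euid == 0:
            self.ruid = self.euid = self.suid = uid
        elif uid in (self.ruid, self.suid):
            self.euid = uid
        else:
            raise Eperm(f"setuid({uid}) refused for {self}")

    def seteuid(self, uid):
        # seteuid(2): only the effective UID changes; the saved UID keeps 0,
        # which is exactly what lets any code in the process switch back.
        if self.euid == 0 or uid in (self.ruid, self.suid):
            self.euid = uid
        else:
            raise Eperm(f"seteuid({uid}) refused for {self}")


def can_regain_root(creds):
    """True if a process holding these credentials could get back to euid 0."""
    trial = Creds(creds.ruid, creds.euid, creds.suid)
    try:
        trial.seteuid(0)
        return True
    except Eperm:
        return False


def drop_with_setuid(target_uid):
    """What z2.py -u does today: start as root, setuid() to the target."""
    c = Creds(0, 0, 0)
    c.setuid(target_uid)
    return c


def drop_with_seteuid(target_uid):
    """The proposed wrapper: start as root, only lower the effective UID."""
    c = Creds(0, 0, 0)
    c.seteuid(target_uid)
    return c


def running_process_can_regain_root():
    """Ask the same question of the live interpreter (Unix only)."""
    ruid, euid, suid = os.getresuid()
    return can_regain_root(Creds(ruid, euid, suid))
```

Running `can_regain_root` on the two results shows the trade-off the thread is about: after `drop_with_setuid` the process cannot return to root, after `drop_with_seteuid` anything that executes inside it (a product, a DTML method, injected code) can.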




Re: [Zope] Regaining lost privileges

2000-09-04 Thread Dieter Maurer

Andrew Kenneth Milton writes:
 > Is there anyway to regain 'root' privs from inside a zope product?
 > 
 > Using the -u flag to start causes the privs to be permanently gone because
 > z2.py uses setuid + setgid (and python doesn't seem to define sete[ug]id, at
 > least not on my system).
 > 
 > Other than running zope as root permanently (which I really would like to
 > avoid), does anyone have any quick ideas on how to achieve this?
The same trick could be used by any process to gain root privileges

It is easy to implement a Python wrapper for the
sete[ug]id.


Dieter





Re: [Zope] Regaining lost privileges

2000-09-03 Thread Nigel Head

On Mon, 04 Sep 2000, you wrote:

> You are intrinsically reducing the platforms your software will run on as
> soon as you start trying to use external programs. If you only care about 
> Linux, then that's all well and good.

True! I'd like to find some method which is a little more portable, or at least
external programs that run on multiple Unix versions. I guess, possibly
unadvisedly, that any platform where Zope is running wouldn't be an impossible
target for some of the other tools too. Except of course the various windows
versions - but then the Admin tasks are completely different anyway, as is the
security policy and mechanism.

On the other hand the very nature of an admin tool means that its functions are
likely to be system specific to some degree ... 

> If you have a transaction database for polling, you may as well run
> another Zope as root, that only listens on the loopback device, and post
> the transactions into the root zope across SSL. At least that way you can
> share code.

Hhhm. But is all the 'baggage' of a full Zope needed in this context? I can
also share the python methods which would almost certainly have to do the bulk
of the work in a Zope anyway.

-- 
Nigel Head
Houbits Hi-Tech Servers
[EMAIL PROTECTED]





Re: [Zope] Regaining lost privileges

2000-09-03 Thread Andrew Kenneth Milton

+---[ Nigel Head ]--
| Hi Andrew!
| 
| On Fri, 01 Sep 2000, you wrote
| ...
| > I saw people asking about building 'admin' systems using Zope, this isn't
| > going to be trivially possible without super user privs.
| 
| That people was me. Having looked into things a little further (but not
| actually started the admin tool yet due to "day job" pressures) I've decided
| to go the route (root?!) of using something like 'sudo' or 'runas'  which
| allow you to provide a selection of suid scripts and specify which users are
| allowed to run them (zope, in my case, I suppose).
| 
| I'm still considering the relative merits of using a sort of 'quarantine'
| file/database where zope will dump requests to do things and a cron job will
| poll it periodically to grab things out again and execute them.
| 
| As I wrote that, I realised that it would be interesting to see if that file
| couldn't be made a ZODB storage so I could transfer
| structured information 'tween Zope and a python admin backend; perhaps make it
| a mountable storage from the zope point of view? This would have the added
| advantage of a little mild 'security through obscurity' for the file format for
| casual hackers who may get near to it one day ...

You are intrinsically reducing the platforms your software will run on as
soon as you start trying to use external programs. If you only care about 
Linux, then that's all well and good.

If you have a transaction database for polling, you may as well run
another Zope as root, that only listens on the loopback device, and post
the transactions into the root zope across SSL. At least that way you can
share code.

At least if you stick with the python API, you can cover most of the
platforms that python covers.

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd  |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| 





Re: [Zope] Regaining lost privileges

2000-09-01 Thread Nigel Head

Hi Andrew!

On Fri, 01 Sep 2000, you wrote
...
> I saw people asking about building 'admin' systems using Zope, this isn't
> going to be trivially possible without super user privs.

That people was me. Having looked into things a little further (but not
actually started the admin tool yet due to "day job" pressures) I've decided
to go the route (root?!) of using something like 'sudo' or 'runas'  which
allow you to provide a selection of suid scripts and specify which users are
allowed to run them (zope, in my case, I suppose).

I'm still considering the relative merits of using a sort of 'quarantine'
file/database where zope will dump requests to do things and a cron job will
poll it periodically to grab things out again and execute them.

As I wrote that, I realised that it would be interesting to see if that file
couldn't be made a ZODB storage so I could transfer
structured information 'tween Zope and a python admin backend; perhaps make it
a mountable storage from the zope point of view? This would have the added
advantage of a little mild 'security through obscurity' for the file format for
casual hackers who may get near to it one day ...

-- 
Nigel Head
Houbits Hi-Tech Servers
[EMAIL PROTECTED]





[Zope] Regaining lost privileges

2000-09-01 Thread Andrew Kenneth Milton

Is there anyway to regain 'root' privs from inside a zope product?

Using the -u flag to start causes the privs to be permanently gone because
z2.py uses setuid + setgid (and python doesn't seem to define sete[ug]id, at
least not on my system).

Other than running zope as root permanently (which I really would like to
avoid), does anyone have any quick ideas on how to achieve this?

I saw people asking about building 'admin' systems using Zope, this isn't
going to be trivially possible without super user privs.

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd  |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| 
