Re: [Zope-dev] security problem in an monkey-patch
Joachim Schmitz wrote at 2007-9-19 11:54 +0200: and ../portal_catalog/getBypassQueue displays a 1 This looks like a security bug. You should not be able to call something via the ZPublisher what you cannot call in a script. Maybe, you file a bug report? -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Shane Hathaway [EMAIL PROTECTED] wrote: Do you not want foo to have the Manager role? Andre Schubert wrote: No, because he is no longer in our company. Shane Hathaway [EMAIL PROTECTED] wrote: I think you're asking for a find + chown utility, right? I don't know of one, but it sure would be nice to have. :-) Andre Schubert wrote: It would be very nice to have such a tool :) BTW: Thanks for the quick answers, you help me to understand the problem. I take the ownership of all objects where foo was the owner and the problems should go away :) Andre, Don't treat this so lightly! When you take ownership of objects where foo is the owner, you are telling Zope that you take responsibility for those objects. For example, let's say foo had written a python script for removing all of her files older than one day. Here's some pseudocode: For all files older than one day: try: remove the file except PermissionError: pass This will work, provided foo has rights to delete only foo's files. If you take ownership of such a script, and you run it, then it will very different effects. Also, if you are a Manager (or in another privaleged role), and you take ownership of such a script, you may be allowing others to delete their own files when they run that script, whereas before nothing much would have happened. In 99% of cases, none of this will be a problem. However, you should take care when taking ownership of objects, especially objects that represent code such as python scripts and dtml methods and page templates. -- Steve Alexander ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
On 02/18/2003 09:16 AM, Andre Schubert wrote: I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (dtml-call foobar). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. Do you not want foo to have the Manager role? I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I think you're asking for a find + chown utility, right? I don't know of one, but it sure would be nice to have. :-) Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Andre Schubert schrieb: Hi all, i have a little Security-Problem which results in the following Error reported by Shane Hathaway's nice VerboseSecurity: Error Type: Unauthorized Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner']. I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (dtml-call foobar). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I hope somebody has another hint for me. :) Non-authoritative answer: As far as I know the problem is ownership. If you want to access objects whose owner is gone you get into trouble. So there are probably two solutions: a) DO NOT delete the owner b) Let somebody else take over the ownership -- iuveno AG Joachim Werner _ Wittelsbacherstr. 23b 90475 Nürnberg [EMAIL PROTECTED] www.iuveno.de Tel.: +49 (0) 911/ 9 88 39 84 ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
On Tue, 18 Feb 2003 12:01:45 -0500 Shane Hathaway [EMAIL PROTECTED] wrote: On 02/18/2003 09:16 AM, Andre Schubert wrote: I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (dtml-call foobar). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. Do you not want foo to have the Manager role? No, because he is no longer in our company. I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I think you're asking for a find + chown utility, right? I don't know of one, but it sure would be nice to have. :-) It would be very nice to have such a tool :) BTW: Thanks for the quick answers, you help me to understand the problem. I take the ownership of all objects where foo was the owner and the problems should go away :) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )