RE: [Zope-dev] zope and UNIX permissions
>> The other file (pcgi.soc) is a unix domain socket... it gets created when you run "python w_pcgi" as a Zope install command from the source distribution. I'm not sure of the danger of having this get created 777. It might be worthwhile to look into what could be done to it.
>
> Well, other than zope not responding over pcgi if it isn't 777? I just tried this out of curiosity. No response through pcgi.

Hmmm... thanks for trying it. This doesn't seem much of a risk, does it?

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] zope and UNIX permissions
Chris McDonough wrote:
>>> The other file (pcgi.soc) is a unix domain socket... it gets created when you run "python w_pcgi" as a Zope install command from the source distribution. I'm not sure of the danger of having this get created 777. It might be worthwhile to look into what could be done to it.
>>
>> Well, other than zope not responding over pcgi if it isn't 777? I just tried this out of curiosity. No response through pcgi.
>
> Hmmm... thanks for trying it. This doesn't seem much of a risk, does it?

Not that I can see off-hand. It is only a socket, a means for communicating with Zope. The 'risk' would only lie in Zope's Security mechanisms. ;-)

The only possible risk would be a DoS type maneuver if a random user could rewrite the pcgi.soc socket. You could control this through var directory permissions; will try this out and report back.

Bill
--
"Linux: the operating system with a CLUE... Command Line User Environment".
seen in a posting on comp.software.testing
RE: [Zope-dev] zope and UNIX permissions
>> Hmmm... thanks for trying it. This doesn't seem much of a risk, does it?
>
> Not that I can see off-hand. It is only a socket, a means for communicating with Zope. The 'risk' would only lie in Zope's Security mechanisms. ;-)
>
> The only possible risk would be a DoS type maneuver if a random user could rewrite the pcgi.soc socket. You could control this through var directory permissions; will try this out and report back.

You're the coolest! Thanks..
Re: [Zope-dev] zope and UNIX permissions
Chris McDonough wrote:
> Using gnutar, untarring as the root user preserves ownership on expansion by default. Not sure if FreeBSD uses gnutar (I imagine not), but this is the case with gnutar under Linux. I think this is what happened to him... he said he could not use the RPM release and was working with the source distribution, so I don't think the problem is with the RPM.

He seemed to be mostly griping about files that were wide open (777). On 2.2.0b4 the only ones I get are:

lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc

Notes:
o All but one of these are symbolic links. No way around 777 on them. No cause for alarm on them either.
o The two symlinks are from ZEO, and thus would not be in a default tarball.

Now, I do *nix security for a living, and I don't have any issues with these few, unexposed 777's. I'd be interested to hear what the concerns are, and how to avoid them.

Zope is actually one of the two places I avoid the RPMs (the other being kernel RPMs), and always stick to source, so I can't vouch for the permissions of files in the RPM. As I read his post, btw, it looked like he avoided the RPMs due to the problems, and was looking for source.

I have a copy of the 2.1.6 source; I'll look at that tonight for permissions.

Bill
--
"Linux: the operating system with a CLUE... Command Line User Environment".
seen in a posting on comp.software.testing
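An added audit script, not from the thread or the Zope project, covering the two points raised above: which non-symlink entries under an extracted tree are world-writable (symlinks always show 777 and are skipped, as Bill notes), and whether the mode of the var directory lets other local users replace pcgi.soc, since unlinking or renaming a socket needs write access to its directory rather than to the socket. It assumes the var/pcgi.soc layout from the listing.

```shell
#!/bin/sh
# Added example, not from the thread or the Zope project: audit an
# extracted Zope tree for world-writable entries and check whether the
# directory holding the pcgi.soc socket lets other local users replace
# it. Assumes the var/pcgi.soc layout shown in the thread's listing.

# Print world-writable entries under $1, skipping symlinks: a symlink's
# mode is always lrwxrwxrwx and says nothing about its target.
world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# First ten characters of the ls -l mode string for $1.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when other users cannot unlink or rename entries in directory
# $1. Replacing a socket needs write access to its directory, not to the
# socket itself, so the directory mode is what protects pcgi.soc: either
# others have no write bit, or the sticky bit limits removal to owners.
dir_protects_entries() {
    [ -d "$1" ] || return 1
    case "$(mode_of "$1")" in
        ????????-?)    return 0 ;;   # not world-writable
        ?????????[tT]) return 0 ;;   # world-writable, but sticky
        *)             return 1 ;;
    esac
}

# Clear the world-write bit on $1 and re-check it.
harden_dir() {
    chmod o-w "$1" && dir_protects_entries "$1"
}

# Report on a Zope install tree rooted at $1.
audit_zope_tree() {
    echo "world-writable non-symlink entries under $1:"
    world_writable "$1"
    if dir_protects_entries "$1/var"; then
        echo "$1/var: other users cannot replace pcgi.soc"
    else
        echo "$1/var: world-writable without sticky bit (chmod o-w $1/var)"
    fi
}

if [ "$#" -eq 1 ]; then
    audit_zope_tree "$1"
fi
```

The socket itself can stay world-accessible, as the thread found PCGI needs, because what this check controls is who may replace it, not who may connect to it.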
Re: [Zope-dev] zope and UNIX permissions
Bill Anderson wrote:
> He seemed to be mostly griping about files that were wide open (777). On 2.2.0b4 the only ones I get are:
>
> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
> srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc
>
> Notes:
> o All but one of these are symbolic links. No way around 777 on them. No cause for alarm on them either.
> o The two symlinks are from ZEO, and thus would not be in a default tarball.
>
> Now, I do *nix security for a living, and I don't have any issues with these few, unexposed 777's. I'd be interested to hear what the concerns are, and how to avoid them.

The other file (pcgi.soc) is a unix domain socket... it gets created when you run "python w_pcgi" as a Zope install command from the source distribution. I'm not sure of the danger of having this get created 777. It might be worthwhile to look into what could be done to it.
Re: [Zope-dev] zope and UNIX permissions
Chris McDonough wrote:
> Bill Anderson wrote:
>> He seemed to be mostly griping about files that were wide open (777). On 2.2.0b4 the only ones I get are:
>>
>> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
>> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
>> srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc
>>
>> Notes:
>> o All but one of these are symbolic links. No way around 777 on them. No cause for alarm on them either.
>> o The two symlinks are from ZEO, and thus would not be in a default tarball.
>>
>> Now, I do *nix security for a living, and I don't have any issues with these few, unexposed 777's. I'd be interested to hear what the concerns are, and how to avoid them.
>
> The other file (pcgi.soc) is a unix domain socket... it gets created when you run "python w_pcgi" as a Zope install command from the source distribution. I'm not sure of the danger of having this get created 777. It might be worthwhile to look into what could be done to it.

Well, other than zope not responding over pcgi if it isn't 777? I just tried this out of curiosity. No response through pcgi.

Bill
--
"Linux: the operating system with a CLUE... Command Line User Environment".
seen in a posting on comp.software.testing
RE: [Zope-dev] zope and UNIX permissions
Which files? Know that if you untar as root, the files will be 'owned' by whoever tarred it up on our side. Untar it as a normal user. Reset the permissions of the ones you find too permissive. Then let us know so we can change the distribution.

-----Original Message-----
From: Leonardo Kenji Shikida [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 7:15 PM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] zope and UNIX permissions

We tried to install zope using its tar.gz file and it created a lot of files with non-default users and with very permissive permissions on a linux box (like 777 permissions for many files). This is a HUGE security hole. We couldn't install the RPM files on our webserver. Is there any decent zope source code distribution?

thanks in advance

K.
RE: [Zope-dev] zope and UNIX permissions
On Mon, 10 Jul 2000, Chris McDonough wrote:
> Which files? Know that if you untar as root, the files will be 'owned' by whoever tarred it up on our side. Untar it as a normal user. Reset the permissions of the ones you find too permissive. Then let us know so we can change the distribution.

On FreeBSD at least, this is not true. Unless you specify the 'p' (preserve) flag, untarring as root will leave all the files owned by root. I just untarred the b4 source distribution, and the file permissions all look good to me. The original poster mentioned an RPM and looking for a source release, so perhaps the problem is with the RPM.

--RDM
RE: [Zope-dev] zope and UNIX permissions
Using gnutar, untarring as the root user preserves ownership on expansion by default. Not sure if FreeBSD uses gnutar (I imagine not), but this is the case with gnutar under Linux. I think this is what happened to him... he said he could not use the RPM release and was working with the source distribution, so I don't think the problem is with the RPM.

-----Original Message-----
From: R. David Murray [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 10:55 PM
To: Chris McDonough
Cc: 'Leonardo Kenji Shikida'; [EMAIL PROTECTED]
Subject: RE: [Zope-dev] zope and UNIX permissions

On Mon, 10 Jul 2000, Chris McDonough wrote:
> Which files? Know that if you untar as root, the files will be 'owned' by whoever tarred it up on our side. Untar it as a normal user. Reset the permissions of the ones you find too permissive. Then let us know so we can change the distribution.

On FreeBSD at least, this is not true. Unless you specify the 'p' (preserve) flag, untarring as root will leave all the files owned by root. I just untarred the b4 source distribution, and the file permissions all look good to me. The original poster mentioned an RPM and looking for a source release, so perhaps the problem is with the RPM.

--RDM
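The last two messages disagree about whether extracting as root preserves the archive's recorded owners; the defender's answer is to not rely on the tar implementation's default at all. This added example, not from the thread or the Zope project, lists the members an archive records as world-writable before anything is extracted, then extracts as the invoking user with the umask applied. It assumes GNU tar's --no-same-owner and --no-same-permissions options (bsdtar accepts both as well).

```shell
#!/bin/sh
# Added example, not from the thread or the Zope project: inspect a
# source tarball's recorded modes before extracting it, then extract as
# the current user without taking over the archive's ownership or full
# permission bits. Assumes GNU tar (or bsdtar) option names.

# Print archive members recorded as world-writable, ignoring symlinks,
# whose mode is always lrwxrwxrwx. Field 1 of "tar -tvf" output is the
# mode string; its ninth character is the other-write bit.
archive_world_writable() {
    tar -tvf "$1" | awk 'substr($1,1,1) != "l" && substr($1,9,1) == "w" { print }'
}

# Extract archive $1 into directory $2 as the invoking user, applying the
# umask instead of the modes and owners recorded by whoever built it.
extract_as_self() {
    mkdir -p "$2" &&
    tar -xf "$1" -C "$2" --no-same-owner --no-same-permissions
}

if [ "$#" -eq 2 ]; then
    echo "world-writable members of $1:"
    archive_world_writable "$1"
    extract_as_self "$1" "$2"
fi
```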