Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

On Sun, Nov 12, 2000 at 11:42:32PM +0100, Dieter Maurer waxed eloquent:
 
 I tried it on my ZopeCVS installation.
 The Python parts are quite new. The C-part is about 2 weeks old.
 
 I can not observe what you describe.
 "/index_html" can be viewed as "Anonymous" without any
 change in permissions.

Hi Dieter,
Thanks for investigating.  I also gave it another try, with the same
results as my previous attempts.  Maybe I'm doing something dumb?
I have followed exactly these steps (as a regular user):

1. mkdir Zope2

2. cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository checkout Zope2

3. cd Zope2

4. python wo_pcgi.py

5. python zpasswd.py -u XX -p XX access

6. Edit start file (for port change and stupid log):

#! /bin/sh
# Locate the Zope tree from this script's own directory.
reldir=`dirname $0`
PYTHONHOME=`cd $reldir; pwd`
export PYTHONHOME
# -P 9000 sets the base port (z2.py puts HTTP on base+80, i.e. 9080);
# -D enables debug mode; STUPID_LOG_FILE sets the request log path.
exec /usr/bin/python \
 $PYTHONHOME/z2.py -P 9000 \
 -D "$@" STUPID_LOG_FILE=$PYTHONHOME/zope.log

7. ./start 

8. Visit http://www.boinklabs.com:9080/index_html

9. Get BASICAUTH login box...  ??

Box is Redhat 6.0 with updates, Python 1.5.2 from source.  CVS is v1.10.5.
The only bit I left out was setting up the CVS login on a prior occasion:

cvs -d :pserver:[EMAIL PROTECTED]:/cvs-repository login

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! http://spam.abuse.net/
   Join!! http://www.cauce.org/
~
QOTD:
Al Gore: Please, just concede.  I can't handle another four years of
whiney Republican bumper stickers!

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

I should have included this in my previous reply - this is the Zope
error I am getting after failing out of BASICAUTH login:

--
Zope Error

Zope has encountered an error while publishing this resource. 

Unauthorized

You are not authorized to access this resource.

No Authorization header found. 

Traceback (innermost last):
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 162, in publish
  File /share4/Zope2/lib/python/ZPublisher/BaseRequest.py, line 463, in traverse
  File /share4/Zope2/lib/python/ZPublisher/HTTPResponse.py, line 569, in unauthorized
Unauthorized: (see above)
--

Does that provide any (additional) clues?

-cw-





[Zope-dev] Security/Acquisition Bug? (take two)

2000-11-10 Thread Charlie Wilkinson

I had posted about this previously, but no one has tackled this one.  It
seems to be a pretty serious issue, plus I've done a *lot* of poking
around and learned a few things since I first reported it.  What I have
*not* found (or been told) is that the below described behavior is normal.

First a simple exercise for those who would like to avoid my laborious
novice Zoper description and just ferret out the likely bug:

Create a fresh CVS copy of Zope on your *nix box.  Build it (python
wo_pcgi.py), configure 'start' with the ports of your choosing, set a
superuser password, start Zope and try to visit the /index_html page.

What I'm getting at that point is a BASICAUTH login box.  One has to
explicitly enable anonymous permissions on the index_html page in order
to view it without logging in.  I've read through all the security
model discussion I could find, but saw no discussion of this issue.
If somehow this behavior is intentional, I would greatly appreciate a clue
to that effect.  (Some response either way would be nice, actually...)

Based on my recent flailings with LoginManager and finally, stock
acl_users in Zope v2.2.cvs, it seems this problem relates to the
"scope" of acl_users and/or its parent folder not including the objects
within.  The security settings of the parent folder are apparently not
regarded in determining access to objects within.  Instead, acl_users is
only impacting its sibling objects (and presumably their child objects).

Apologies if I'm making the wrong noises in the wrong place in the
wrong way.  Any help or pointers welcome.

-cw-

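As an added illustration (not Zope's own code, and not something the thread itself states), here is a simplified model of the two lookups behind the symptom in this thread: the roles a request carries (no Authorization header means only Anonymous, which is the "No Authorization header found" case above) and the roles that hold View on an object, which are gathered up the containment chain for as long as acquisition is switched on. The user database, user name and password are constructed for the example.

```python
import base64
ANONYMOUS = "Anonymous"
MANAGER = "Manager"

class Obj:
    """One node of the containment tree with its local settings for View."""
    def __init__(self, name, parent=None, roles=(), acquire=True):
        self.name = name
        self.parent = parent
        self.roles = set(roles)   # roles granted View directly on this object
        self.acquire = acquire    # True: also take View roles from the container

def roles_for_view(obj):
    """Union the View roles up the containment chain while acquisition is on."""
    roles, node = set(), obj
    while node is not None:
        roles |= node.roles
        if not node.acquire:
            break
        node = node.parent
    return roles

def roles_from_request(authorization, acl_users):
    """Map the Authorization header to roles; a missing or bad header is Anonymous."""
    if not authorization or not authorization.startswith("Basic "):
        return {ANONYMOUS}
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return {ANONYMOUS}
    entry = acl_users.get(user)
    if entry is None or entry["password"] != password:
        return {ANONYMOUS}
    return set(entry["roles"])

def publish(obj, authorization, acl_users):
    """200 if some role of the requester holds View on obj, else 401 (Basic challenge)."""
    if roles_for_view(obj) & roles_from_request(authorization, acl_users):
        return 200
    return 401

# Constructed scenario (hypothetical user database, not the poster's).
ACL_USERS = {"admin": {"password": "s3cret", "roles": {MANAGER}}}
ADMIN_HDR = "Basic " + base64.b64encode(b"admin:s3cret").decode()
root = Obj("/", roles={MANAGER}, acquire=False)       # root grants View to Manager only
index_html = Obj("index_html", parent=root)          # nothing local: acquires Manager only
index_html_fixed = Obj("index_html", parent=root, roles={ANONYMOUS})  # the poster's workaround
open_root = Obj("/", roles={MANAGER, ANONYMOUS}, acquire=False)       # or open View at the root
index_html_acq = Obj("index_html", parent=open_root)                  # ...and let it acquire
```

With the root granting View to Manager only, an anonymous request for index_html gets 401 and the browser shows the Basic auth box; granting View to Anonymous either on index_html itself or on the root (acquired) makes the same request succeed.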