Re: [Zope-dev] zope and UNIX permissions

2000-07-13 Thread Bill Anderson

Chris McDonough wrote:
> 
> > > Hmmm... thanks for trying it.  This doesn't seem much of a
> > risk, does
> > > it?
> >
> > Not that I can see off-hand. It is only a socket, a means for
> > communicating with Zope. The 'risk' would only lie in Zope's Security
> > mechanisms. ;-)
> >
> > The only possible risk would be a DoS type maneuver if random
> > user could
> > rewrite the pcgi.soc socket. You could control this through var
> > directory permissions, will try this out and report back.
> 
> You're the coolest!  Thanks..


OK, it appears that Zope can handle it if:
the var directory (for Zope) is rwx for user and group AND pcgi.soc is
777.

This makes sense, of course. I was primarily making sure that Zope
didn't try to access it as a non-user (as some apps do).

So, in conclusion, the paranoid can make certain the directory
containing pcgi.soc is only writeable/executable to user/group owned by
the Zope process (and by the WebServer!!) with little fear of others on
the system accessing it willy-nilly.

YMMV, offer void in some states, yadda yadda yadda.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
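
The arrangement reported in the message above (a 777 pcgi.soc inside a var directory closed to "other") can be checked with a short audit. This is an added example, not code from the thread or from Zope; the function names are hypothetical, it assumes Linux semantics (connect needs write permission on the socket and search permission on its directory), and it inspects only the immediate parent directory.

```python
import os
import socket
import stat
import tempfile

def socket_exposure(sock_path):
    """Report whether users outside owner/group can reach or replace a socket.

    Only the immediate parent directory is inspected; directories above it
    are assumed to be traversable by everyone (the conservative reading).
    """
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock_path} is not a socket")
    parent = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    sock_mode = stat.S_IMODE(st.st_mode)
    dir_mode = stat.S_IMODE(parent.st_mode)
    can_enter = bool(dir_mode & stat.S_IXOTH)    # search bit for "other"
    dir_writable = bool(dir_mode & stat.S_IWOTH)
    sticky = bool(dir_mode & stat.S_ISVTX)       # sticky bit blocks unlink by non-owners
    return {
        "socket_mode": oct(sock_mode),
        "dir_mode": oct(dir_mode),
        # connecting needs o+x on the directory and o+w on the socket
        "other_can_connect": can_enter and bool(sock_mode & stat.S_IWOTH),
        # unlinking/recreating the socket needs o+wx on the directory
        "other_can_replace": can_enter and dir_writable and not sticky,
    }

def build_case(dir_mode):
    """Constructed fixture: var/pcgi.soc with mode 777 inside a var dir of dir_mode."""
    with tempfile.TemporaryDirectory() as base:
        var = os.path.join(base, "var")
        os.mkdir(var)
        path = os.path.join(var, "pcgi.soc")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)           # bind() creates the socket file
        srv.close()              # the file stays on disk after close
        os.chmod(path, 0o777)
        os.chmod(var, dir_mode)
        return socket_exposure(path)

if __name__ == "__main__":
    for mode in (0o770, 0o777):
        print(oct(mode), build_case(mode))
```
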




RE: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Chris McDonough


> > Hmmm... thanks for trying it.  This doesn't seem much of a 
> risk, does
> > it?
> 
> Not that I can see off-hand. It is only a socket, a means for
> communicating with Zope. The 'risk' would only lie in Zope's Security
> mechanisms. ;-)
> 
> The only possible risk would be a DoS type maneuver if random 
> user could
> rewrite the pcgi.soc socket. You could control this through var
> directory permissions, will try this out and report back.

You're the coolest!  Thanks..





Re: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Bill Anderson

Chris McDonough wrote:
> 
> > > The other file (pcgi.soc) is a unix domain socket...  it
> > gets created
> > > when you run "python w_pcgi" as a Zope install command from
> > the source
> > > distribution.  I'm not sure of the danger of having this get created
> > > 777.  It might be worthwhile to look into what could be done to it.
> >
> > Well, other than zope not responding over pcgi if it isn't 777?
> > I just tried this out of curiosity. No response through pcgi.
> 
> Hmmm... thanks for trying it.  This doesn't seem much of a risk, does
> it?

Not that I can see off-hand. It is only a socket, a means for
communicating with Zope. The 'risk' would only lie in Zope's Security
mechanisms. ;-)

The only possible risk would be a DoS type maneuver if random user could
rewrite the pcgi.soc socket. You could control this through var
directory permissions, will try this out and report back.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing





RE: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Chris McDonough

> > The other file (pcgi.soc) is a unix domain socket...  it 
> gets created
> > when you run "python w_pcgi" as a Zope install command from 
> the source
> > distribution.  I'm not sure of the danger of having this get created
> > 777.  It might be worthwhile to look into what could be done to it.
> 
> Well, other than zope not responding over pcgi if it isn't 777?
> I just tried this out of curiosity. No response through pcgi.

Hmmm... thanks for trying it.  This doesn't seem much of a risk, does
it?





Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Bill Anderson

Chris McDonough wrote:
> 
> Bill Anderson wrote:
> > He seemed to be mostly griping about files that were wide open (777). On
> > 2.2.0b4 the only ones I get are:
> > lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
> > lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
> > srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc
> >
> > Notes:
> > o All but one of these are symbolic links.
> >   No way around 777 on them.
> >   No cause for alarm on them either.
> > o The two symlinks are from ZEO, and thus would
> >   not be in a default tarball.
> >
> > Now, I do *nix security for a living, and I don't have any issues with
> > these few, unexposed 777's. I'd be interested to hear what the concerns,
> > and how to avoid them are.
> 
> The other file (pcgi.soc) is a unix domain socket...  it gets created
> when you run "python w_pcgi" as a Zope install command from the source
> distribution.  I'm not sure of the danger of having this get created
> 777.  It might be worthwhile to look into what could be done to it.

Well, other than zope not responding over pcgi if it isn't 777?
I just tried this out of curiosity. No response through pcgi.

Bill


-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing





Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Chris McDonough

Bill Anderson wrote:
> He seemed to be mostly griping about files that were wide open (777). On
> 2.2.0b4 the only ones I get are:
> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
> lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
> srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc
> 
> Notes:
> o All but one of these are symbolic links.
>   No way around 777 on them.
>   No cause for alarm on them either.
> o The two symlinks are from ZEO, and thus would
>   not be in a default tarball.
>
> Now, I do *nix security for a living, and I don't have any issues with
> these few, unexposed 777's. I'd be interested to hear what the concerns,
> and how to avoid them are.

The other file (pcgi.soc) is a unix domain socket...  it gets created
when you run "python w_pcgi" as a Zope install command from the source
distribution.  I'm not sure of the danger of having this get created
777.  It might be worthwhile to look into what could be done to it.





Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Chris McDonough

One way to deal with this (as with any tarball) is to not preserve
ownership on an untar.   As I mentioned before, if the user you untar as
is the root user, gnutar preserves ownership *by default* (see the
--preserve-permissions option to gnutar).  On the other hand, if you
don't untar as root, file ownership is set to the user who does the
untarring for all files in the tarball.

The 'nobody' user doesn't exist on all UNIX variants, and for the ones
in which it does exist, it does not necessarily have the same UID.  As a
result, changing the ownership of the files in the source tarball to our
'nobody' UID (built on RH Linux) would be not completely adequate for
other UNIX variants and as so is not really a solution.   The problem is
client-side and is definitely not Zope specific.  The solution is to not
preserve ownership when untarring the file.  This means *don't untar as
root*.  This goes for all tarred file collections you install (not just
Zope).

Leonardo Kenji Shikida wrote:
> 
> this is also what I am talking about!
> 
> - Original Message -
> From: Alexandre A. Drummond Barroso <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 11, 2000 7:59 PM
> Subject: [Zope-dev] Zope 2.1.6 packages
> 
> > It would be a good idea to change the user/group that owns any file in the
> Zope tree to nobody.nobody before packaging the product
> > (src and linux packages) instead of delivering with user 509. When this
> user number is already used, and someone is testing Zope as
> > a simple user (not root) the user can lose the control of the files when
> unpack the package.
> > Anyway, it's a simple task and will take almost no time from you.
> >
> > Thanks in advance,
> >
> > Alexandre A. Drummond Barroso
> > IT Software Engineer
> > Intelligenesis Corporation

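
The ownership and mode recorded in a tarball can be inspected before anything is extracted, which shows what a root extraction that preserves ownership would put on disk. This is an added example, not code from the thread or from Zope; the function names and member paths are hypothetical and the tarball is constructed in memory, with uid 509 taken from the message quoted above.

```python
import io
import tarfile

def audit_tarball(fileobj, local_uids=frozenset()):
    """List members whose recorded owner or mode a root extraction would keep."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym():
                continue  # symlinks always list as 777; the mode is not enforced
            issues = []
            if m.mode & 0o002:
                issues.append("world-writable")
            if m.uid != 0:
                if m.uid in local_uids:
                    issues.append(f"uid {m.uid} belongs to an unrelated local account")
                else:
                    issues.append(f"uid {m.uid} has no local account")
            if issues:
                findings.append((m.name, oct(m.mode), issues))
    return findings

def build_sample():
    """Constructed tarball: member names are made up, uid 509 is from the thread."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, mode, uid in [
            ("Zope-src/z2.py", tarfile.REGTYPE, 0o644, 509),
            ("Zope-src/var", tarfile.DIRTYPE, 0o777, 509),
            ("Zope-src/ZServer", tarfile.SYMTYPE, 0o777, 509),
            ("Zope-src/README.txt", tarfile.REGTYPE, 0o644, 0),
        ]:
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode, ti.uid, ti.gid = kind, mode, uid, uid
            if kind == tarfile.SYMTYPE:
                ti.linkname = "../ZServer"
            data = b"sample\n" if kind == tarfile.REGTYPE else b""
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # local_uids would normally come from the passwd database of the target host
    for name, mode, issues in audit_tarball(build_sample(), local_uids={509}):
        print(name, mode, ", ".join(issues))
```
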




Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Bill Anderson

Chris McDonough wrote:
> 
> Using gnutar, untarring as the root user preserves ownership on
> expansion by default.  Not sure if FreeBSD uses gnutar (I imagine not),
> but this is the case with gnutar under Linux.  I think this is what
> happened to him... he said he could not use the RPM release and was
> working with the source distribution, so I don't think the problem is
> with the RPM.


He seemed to be mostly griping about files that were wide open (777). On
2.2.0b4 the only ones I get are:
lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so -> ../cPickle.so
lrwxrwxrwx 1 root root 13 Jul 11 01:36 lib/python/ZServer -> ../../ZServer
srwxrwxrwx 1 root root  0 Jul 11 02:08 var/pcgi.soc


Notes:
o All but one of these are symbolic links. 
  No way around 777 on them. 
  No cause for alarm on them either. 
o The two symlinks are from ZEO, and thus would 
  not be in a default tarball.

Now, I do *nix security for a living, and I don't have any issues with
these few, unexposed 777's. I'd be interested to hear what the concerns,
and how to avoid them are.

Zope is actually one of the two places I avoid the RPMs (The other being
Kernel RPMs), and always stick to source, so I can't vouch for the
permissions of files in the RPM.

As I read his post, btw, it looked like he avoided the RPMs due to the
problems, and was looking for source.


I have a copy of the 2.1.6 source; I'll look at that tonight for
permissions.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing





RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread Chris McDonough

Using gnutar, untarring as the root user preserves ownership on
expansion by default.  Not sure if FreeBSD uses gnutar (I imagine not),
but this is the case with gnutar under Linux.  I think this is what
happened to him... he said he could not use the RPM release and was
working with the source distribution, so I don't think the problem is
with the RPM.

> -Original Message-
> From: R. David Murray [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 10, 2000 10:55 PM
> To: Chris McDonough
> Cc: 'Leonardo Kenji Shikida'; [EMAIL PROTECTED]
> Subject: RE: [Zope-dev] zope and UNIX permissions
> 
> 
> On Mon, 10 Jul 2000, Chris McDonough wrote:
> > Which files?  Know that if you untar as root, the files 
> will be 'owned'
> > by whoever tarred it up on our side.  Untar it as a normal 
> user.  Reset
> > the permissions of the ones you find too permissive.  Then 
> let us know
> > so we can change the distribution.
> 
> On FreeBSD at least, this is not true.  Unless you specify the 'p'
> (preserve) flag, untarring as root will leave all the files owned
> by root.  I just untarred the b4 source distribution, and the file
> permissions all look good to me.
> 
> The original poster mentioned an RPM and looking for a source release,
> so perhaps the problem is with the RPM.
> 
> --RDM
> 





RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread R. David Murray

On Mon, 10 Jul 2000, Chris McDonough wrote:
> Which files?  Know that if you untar as root, the files will be 'owned'
> by whoever tarred it up on our side.  Untar it as a normal user.  Reset
> the permissions of the ones you find too permissive.  Then let us know
> so we can change the distribution.

On FreeBSD at least, this is not true.  Unless you specify the 'p'
(preserve) flag, untarring as root will leave all the files owned
by root.  I just untarred the b4 source distribution, and the file
permissions all look good to me.

The original poster mentioned an RPM and looking for a source release,
so perhaps the problem is with the RPM.

--RDM






RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread Chris McDonough

Which files?  Know that if you untar as root, the files will be 'owned'
by whoever tarred it up on our side.  Untar it as a normal user.  Reset
the permissions of the ones you find too permissive.  Then let us know
so we can change the distribution.

-Original Message-
From: Leonardo Kenji Shikida [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 7:15 PM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] zope and UNIX permissions


We tried to install zope using its tar.gz file and it created a lot of
files with non-default users and with very permissive permissions on a
linux box (like 777 permissions for many files).

This is a HUGE security hole. We couldn't install the RPMs files on our
webserver. Is there any decent zope source code distribution?

thanks in advance

K.
