Re: [Zope-dev] security problem in an monkey-patch

2007-09-19 Thread Dieter Maurer
Joachim Schmitz wrote at 2007-9-19 11:54 +0200:
>and
>
>../portal_catalog/getBypassQueue
>displays a 1

This looks like a security bug.

You should not be able to "call" something via the ZPublisher
that you cannot call in a script.

Maybe you could file a bug report?



-- 
Dieter
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Security-Problem

2003-02-19 Thread Shane Hathaway
Steve Alexander wrote:
> Shane Hathaway <[EMAIL PROTECTED]> wrote:
> > Do you not want foo to have the Manager role?
>
> Andre Schubert wrote:
> > No, because he is no longer in our company.
>
> Shane Hathaway <[EMAIL PROTECTED]> wrote:
> > I think you're asking for a "find + chown" utility, right?  I don't
> > know of one, but it sure would be nice to have. :-)
>
> Andre Schubert wrote:
> > It would be very nice to have such a tool :)
> >
> > BTW: Thanks for the quick answers, you help me to understand the problem.
> >  I take the ownership of all objects where foo was the owner
> >  and the problems should go away :)
>
> Andre,
>
> Don't treat this so lightly! When you take ownership of objects where
> foo is the owner, you are telling Zope that you take responsibility for
> those objects.
>
> For example, let's say foo had written a python script for removing all
> of her files older than one day.
>
> Here's some pseudocode:
>
>   For all files older than one day:
>     try:
>       remove the file
>     except PermissionError:
>       pass
>
> This will work, provided foo has rights to delete only foo's files.
> If you take ownership of such a script, and you run it, then it will
> have very different effects.
>
> Also, if you are a Manager (or in another privileged role), and you take
> ownership of such a script, you may be allowing others to delete their
> own files when they run that script, whereas before nothing much would
> have happened.

To clarify, those users still need to have the privilege of deleting 
those files.  Executable ownership only reduces privileges.

> In 99% of cases, none of this will be a problem. However, you should
> take care when taking ownership of objects, especially objects that
> represent code such as python scripts and dtml methods and page templates.

I feel like Zope doesn't present the concept of executable ownership 
properly to the user.  I've run into this issue myself--the lifetime of 
executables frequently extends beyond the life of the associated 
username.  You never know when deleting a user or removing user roles 
will break code throughout the site.  Like Andre, all I wanted to do was 
restore the privileges the code had before.

So for Zope 3 I've pondered some way of separating executables from 
usernames, while retaining the properties we have today.  It seems like 
executables should rely on a different service for determining 
executable privileges than the user database.

Shane
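
The ownership rule discussed in this thread, as an added example that is not part of the original messages and is not Zope's code: a simplified Python model in which access requires both the caller and the owner of the executing script to hold a granted role, together with a "find + chown" walk over a constructed object tree. The class and function names, the user `ms_user` and the `site` container are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set

@dataclass
class Obj:
    name: str
    owner: User          # executable owner, as named in the Unauthorized message
    view_roles: set      # roles granted the View permission on this object
    children: list = field(default_factory=list)

def check_access(target, caller, executing):
    """Model only (not Zope's code): caller AND executable owner need a granted role."""
    for label, who in (("caller", caller), ("owner of " + executing.name, executing.owner)):
        if not who.roles & target.view_roles:
            return False, f"{label} ({who.name}) has no role granted on {target.name}"
    return True, "ok"

def find_and_chown(root, old_owner, new_owner):
    """Reassign ownership below root; return the changed names so they can be reviewed."""
    changed, stack = [], [root]
    while stack:
        node = stack.pop()
        if node.owner is old_owner:
            node.owner = new_owner
            changed.append(node.name)
        stack.extend(node.children)
    return sorted(changed)

def scenario():
    # Constructed sample data mirroring the thread: foo, bar, foobar, MSAdmin.
    foo = User("foo", {"Authenticated", "Owner", "Manager"})
    ms_user = User("ms_user", {"Authenticated", "MSAdmin"})      # hypothetical user
    foobar = Obj("foobar", foo, {"MSAdmin", "Manager"})
    bar = Obj("bar", foo, {"Anonymous"})
    site = Obj("site", ms_user, {"Manager"}, [bar, foobar])      # hypothetical container
    out = {"before": check_access(foobar, ms_user, bar)[0]}
    foo.roles.discard("Manager")                     # foo loses the Manager role
    out["owner_demoted"] = check_access(foobar, ms_user, bar)
    out["changed"] = find_and_chown(site, foo, ms_user)
    out["after_chown"] = check_access(foobar, ms_user, bar)[0]
    anon = User("Anonymous User", {"Anonymous"})     # ownership never adds privileges
    out["anonymous_after_chown"] = check_access(foobar, anon, bar)[0]
    return out

if __name__ == "__main__":
    print(scenario())
```

The list returned by `find_and_chown` is the set of executables that now run with the new owner's roles, which is the set to read through before anyone calls them.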




Re: [Zope-dev] Security-Problem

2003-02-19 Thread Steve Alexander

Shane Hathaway <[EMAIL PROTECTED]> wrote:
> Do you not want foo to have the Manager role?

Andre Schubert wrote:
> No, because he is no longer in our company.

Shane Hathaway <[EMAIL PROTECTED]> wrote:
> I think you're asking for a "find + chown" utility, right?  I don't know
> of one, but it sure would be nice to have. :-)

Andre Schubert wrote:
> It would be very nice to have such a tool :)
>
> BTW: Thanks for the quick answers, you help me to understand the problem.
>  I take the ownership of all objects where foo was the owner
>  and the problems should go away :)

Andre,

Don't treat this so lightly! When you take ownership of objects where 
foo is the owner, you are telling Zope that you take responsibility for 
those objects.

For example, let's say foo had written a python script for removing all 
of her files older than one day.

Here's some pseudocode:

  For all files older than one day:
    try:
      remove the file
    except PermissionError:
      pass

This will work, provided foo has rights to delete only foo's files.
If you take ownership of such a script, and you run it, then it will 
have very different effects.

Also, if you are a Manager (or in another privileged role), and you take 
ownership of such a script, you may be allowing others to delete their 
own files when they run that script, whereas before nothing much would 
have happened.


In 99% of cases, none of this will be a problem. However, you should 
take care when taking ownership of objects, especially objects that 
represent code such as python scripts and dtml methods and page templates.

--
Steve Alexander




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Andre Schubert
On Tue, 18 Feb 2003 12:01:45 -0500
Shane Hathaway <[EMAIL PROTECTED]> wrote:

> On 02/18/2003 09:16 AM, Andre Schubert wrote:
> > I try to explain what happens. Let's say I have a user called foo who
> > has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> > a folder called bar and foobar. foobar is called from inside bar
> > (). He also created a Role MSAdmin. bar is
> > accessible and visible by Anonymous Users. foobar is accessible and
> > visible by MSAdmin and Manager. If I view bar and login as a user
> > with MSAdmin-Roles everything works fine. But if I remove the
> > Manager-Role from foo who has created the two DTMLMethods I get the
> > above error.
> 
> Do you not want foo to have the Manager role?

No, because he is no longer in our company.

> 
> > I have the same problem with a really big Zope-Site where I have to
> > remove Manager-Roles from a specific user. The only solution I have
> > found is to recreate the DTMLMethods, but it is very hard to
> > recreate all DTMLMethods created by foo.
> 
> I think you're asking for a "find + chown" utility, right?  I don't know 
> of one, but it sure would be nice to have. :-)
> 

It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you help me to understand the problem.
 I take the ownership of all objects where foo was the owner
 and the problems should go away :)




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Dieter Maurer
Andre Schubert wrote at 2003-2-18 15:16 +0100:
 > ...
 > Error Type: Unauthorized
 > Error Value: The owner of the executing script does not have the required 
 >permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access 
 >requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The 
 >executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles 
 >['Authenticated', 'Owner'].
 > 
 > I try to explain what happens.
 > Let's say I have a user called foo who has Manager-Roles across a Zope-site.
 > foo has added 2 DTMLMethods to a folder called bar and foobar.
 > foobar is called from inside bar ().
 > He also created a Role MSAdmin.
 > bar is accessible and visible by Anonymous Users.
 > foobar is accessible and visible by MSAdmin and Manager.
 > If I view bar and login as a user with MSAdmin-Roles everything works fine.
 > But if I remove the Manager-Role from foo who has created the two DTMLMethods I get 
 >the above error.

That is precisely as it should be.

You may consider taking ownership of your executing script and
giving it to a user with role "MSAdmin".


Dieter




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Joachim Werner
Andre Schubert wrote:

> Hi all,
>
> I have a little Security-Problem which results in the following Error
> reported by Shane Hathaway's nice VerboseSecurity:
>
> Error Type: Unauthorized
> Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner'].
>
> I try to explain what happens.
> Let's say I have a user called foo who has Manager-Roles across a Zope-site.
> foo has added 2 DTMLMethods to a folder called bar and foobar.
> foobar is called from inside bar ().
> He also created a Role MSAdmin.
> bar is accessible and visible by Anonymous Users.
> foobar is accessible and visible by MSAdmin and Manager.
> If I view bar and login as a user with MSAdmin-Roles everything works fine.
> But if I remove the Manager-Role from foo who has created the two DTMLMethods I get the above error.
>
> I have the same problem with a really big Zope-Site where I have to remove Manager-Roles
> from a specific user. The only solution I have found is to recreate the DTMLMethods, but
> it is very hard to recreate all DTMLMethods created by foo.
>
> I hope somebody has another hint for me. :)


Non-authoritative answer:

As far as I know the problem is ownership. If you want to access objects 
whose owner is gone you get into trouble.

So there are probably two solutions:

a) DO NOT delete the owner
b) Let somebody else take over the ownership



--

iuveno AG

Joachim Werner

_

Wittelsbacherstr. 23b
90475 Nürnberg

[EMAIL PROTECTED]
www.iuveno.de

Tel.: +49 (0) 911/ 9 88 39 84




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Shane Hathaway
On 02/18/2003 09:16 AM, Andre Schubert wrote:

> I try to explain what happens. Let's say I have a user called foo who
> has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> a folder called bar and foobar. foobar is called from inside bar
> (). He also created a Role MSAdmin. bar is
> accessible and visible by Anonymous Users. foobar is accessible and
> visible by MSAdmin and Manager. If I view bar and login as a user
> with MSAdmin-Roles everything works fine. But if I remove the
> Manager-Role from foo who has created the two DTMLMethods I get the
> above error.

Do you not want foo to have the Manager role?

> I have the same problem with a really big Zope-Site where I have to
> remove Manager-Roles from a specific user. The only solution I have
> found is to recreate the DTMLMethods, but it is very hard to
> recreate all DTMLMethods created by foo.

I think you're asking for a "find + chown" utility, right?  I don't know 
of one, but it sure would be nice to have. :-)

Shane

