Re: [Zope-dev] security problem in an monkey-patch
Joachim Schmitz wrote at 2007-9-19 11:54 +0200: >and > >../portal_catalog/getBypassQueue >displays a 1 This looks like a security bug. You should not be able to "call" something via the ZPublisher what you cannot call in a script. Maybe, you file a bug report? -- Dieter ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Steve Alexander wrote: Shane Hathaway <[EMAIL PROTECTED]> wrote: Do you not want foo to have the Manager role? Andre Schubert wrote: No, because he is no longer in our company. Shane Hathaway <[EMAIL PROTECTED]> wrote: I think you're asking for a "find + chown" utility, right? I don't know of one, but it sure would be nice to have. :-) Andre Schubert wrote: It would be very nice to have such a tool :) BTW: Thanks for the quick answers, you help me to understand the problem. I take the ownership of all objects where foo was the owner and the problems should go away :) Andre, Don't treat this so lightly! When you take ownership of objects where foo is the owner, you are telling Zope that you take responsibility for those objects. For example, let's say foo had written a python script for removing all of her files older than one day. Here's some pseudocode: For all files older than one day: try: remove the file except PermissionError: pass This will work, provided foo has rights to delete only foo's files. If you take ownership of such a script, and you run it, then it will very different effects. Also, if you are a Manager (or in another privaleged role), and you take ownership of such a script, you may be allowing others to delete their own files when they run that script, whereas before nothing much would have happened. To clarify, those users still need to have the privilege of deleting those files. Executable ownership only reduces privileges. In 99% of cases, none of this will be a problem. However, you should take care when taking ownership of objects, especially objects that represent code such as python scripts and dtml methods and page templates. I feel like Zope doesn't present the concept of executable ownership properly to the user. I've run into this issue myself--the lifetime of executables frequently extends beyond the life of the associated username. You never know when deleting a user or removing user roles will break code throughout the site. Like Andre, all I wanted to do was restore the privileges the code had before. So for Zope 3 I've pondered some way of separating executables from usernames, while retaining the properties we have today. It seems like executables should rely on a different service for determining executable privileges than the user database. Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Shane Hathaway <[EMAIL PROTECTED]> wrote: Do you not want foo to have the Manager role? Andre Schubert wrote: No, because he is no longer in our company. Shane Hathaway <[EMAIL PROTECTED]> wrote: I think you're asking for a "find + chown" utility, right? I don't know of one, but it sure would be nice to have. :-) Andre Schubert wrote: It would be very nice to have such a tool :) BTW: Thanks for the quick answers, you help me to understand the problem. I take the ownership of all objects where foo was the owner and the problems should go away :) Andre, Don't treat this so lightly! When you take ownership of objects where foo is the owner, you are telling Zope that you take responsibility for those objects. For example, let's say foo had written a python script for removing all of her files older than one day. Here's some pseudocode: For all files older than one day: try: remove the file except PermissionError: pass This will work, provided foo has rights to delete only foo's files. If you take ownership of such a script, and you run it, then it will very different effects. Also, if you are a Manager (or in another privaleged role), and you take ownership of such a script, you may be allowing others to delete their own files when they run that script, whereas before nothing much would have happened. In 99% of cases, none of this will be a problem. However, you should take care when taking ownership of objects, especially objects that represent code such as python scripts and dtml methods and page templates. -- Steve Alexander ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
On Tue, 18 Feb 2003 12:01:45 -0500 Shane Hathaway <[EMAIL PROTECTED]> wrote: > On 02/18/2003 09:16 AM, Andre Schubert wrote: > > I try to explain what happens. Lets say i have a user called foo who > > has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to > > a folder called bar and foobar. foobar is called from inside bar > > (). He also created a Role MSAdmin. bar is > > accessible and visible by Anonymous Users. foobar is accessible and > > visible by MSAdmin and Manager. If i view bar and login as a user > > with MSAdmin-Roles everything works fine. But if i remove the > > Manager-Role from foo who has created the two DTMLMethods i get the > > above error. > > Do you not want foo to have the Manager role? No, because he is no longer in our company. > > > I have the same problem with a really big Zope-Site where i have the > > remove Manager-Roles from a specific user. The only solution i have > > found is to recreate the DTMLMethods, but it is very hard to > > reacreate all DTMLMethods created by foo. > > I think you're asking for a "find + chown" utility, right? I don't know > of one, but it sure would be nice to have. :-) > It would be very nice to have such a tool :) BTW: Thanks for the quick answers, you help me to understand the problem. I take the ownership of all objects where foo was the owner and the problems should go away :) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Andre Schubert wrote at 2003-2-18 15:16 +0100: > ... > Error Type: Unauthorized > Error Value: The owner of the executing script does not have the required >permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access >requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The >executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles >['Authenticated', 'Owner']. > > I try to explain what happens. > Lets say i have a user called foo who has Manager-Roles across a Zope-site. > foo has added 2 DTMLMethods to a folder called bar and foobar. > foobar is called from inside bar (). > He also created a Role MSAdmin. > bar is accessible and visible by Anonymous Users. > foobar is accessible and visible by MSAdmin and Manager. > If i view bar and login as a user with MSAdmin-Roles everything works fine. > But if i remove the Manager-Role from foo who has created the two DTMLMethods i get >the above error. That is precisely, as it should be. You may consider to take ownership of your executing script and give it to a user with role "MSAdmin". Dieter ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
Andre Schubert schrieb: Hi all, i have a little Security-Problem which results in the following Error reported by Shane Hathaway's nice VerboseSecurity: Error Type: Unauthorized Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner']. I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I hope somebody has another hint for me. :) Non-authoritative answer: As far as I know the problem is ownership. If you want to access objects whose owner is gone you get into trouble. So there are probably two solutions: a) DO NOT delete the owner b) Let somebody else take over the ownership -- iuveno AG Joachim Werner _ Wittelsbacherstr. 23b 90475 Nürnberg [EMAIL PROTECTED] www.iuveno.de Tel.: +49 (0) 911/ 9 88 39 84 ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Security-Problem
On 02/18/2003 09:16 AM, Andre Schubert wrote: I try to explain what happens. Lets say i have a user called foo who has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to a folder called bar and foobar. foobar is called from inside bar (). He also created a Role MSAdmin. bar is accessible and visible by Anonymous Users. foobar is accessible and visible by MSAdmin and Manager. If i view bar and login as a user with MSAdmin-Roles everything works fine. But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error. Do you not want foo to have the Manager role? I have the same problem with a really big Zope-Site where i have the remove Manager-Roles from a specific user. The only solution i have found is to recreate the DTMLMethods, but it is very hard to reacreate all DTMLMethods created by foo. I think you're asking for a "find + chown" utility, right? I don't know of one, but it sure would be nice to have. :-) Shane ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )