subject:"Re\: \[Zope\-dev\] zope and UNIX permissions"

RE: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Chris McDonough


  The other file (pcgi.soc) is a unix domain socket...  it 
 gets created
  when you run "python w_pcgi" as a Zope install command from 
 the source
  distribution.  I'm not sure of the danger of having this get created
  777.  It might be worthwhile to look into what could be done to it.
 
 Well, other than zope not responding over pcgi if it isn't 777?
 I just tried this out of curiousity. No response through pcgi.

Hmmm... thanks for trying it.  This doesn't seem much of a risk, does
it?

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Bill Anderson


Chris McDonough wrote:
 
   The other file (pcgi.soc) is a unix domain socket...  it
  gets created
   when you run "python w_pcgi" as a Zope install command from
  the source
   distribution.  I'm not sure of the danger of having this get created
   777.  It might be worthwhile to look into what could be done to it.
 
  Well, other than zope not responding over pcgi if it isn't 777?
  I just tried this out of curiousity. No response through pcgi.
 
 Hmmm... thanks for trying it.  This doesn't seem much of a risk, does
 it?

Not that I can see off-hand. It is only a socket, a means for
communicating with Zope. The 'risk' would only lie in Zope's Security
mechanisms. ;-)

The only possible risk would be a DoS type manuever if random user could
rewrite the pcgi.soc socket. You could control this through var
directory permissions, will try this out and report back.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] zope and UNIX permissions

2000-07-12 Thread Chris McDonough



  Hmmm... thanks for trying it.  This doesn't seem much of a 
 risk, does
  it?
 
 Not that I can see off-hand. It is only a socket, a means for
 communicating with Zope. The 'risk' would only lie in Zope's Security
 mechanisms. ;-)
 
 The only possible risk would be a DoS type manuever if random 
 user could
 rewrite the pcgi.soc socket. You could control this through var
 directory permissions, will try this out and report back.

You're the coolest!  Thanks..

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Bill Anderson


Chris McDonough wrote:
 
 Using gnutar, untarring as the root user preserves ownership on
 expansion by default.  Not sure if FreeBSD uses gnutar (I imagine not),
 but this is the case with gnutar under Linux.  I think this is what
 happened to him... he said he could not use the RPM release and was
 working with the source distribution, so I don't think the problem is
 with the RPM.


He seemed to be mostly griping about files that were wide open (777). On
2.2.0b4 the only ones I get are:
lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so
- ../cPickle.so
lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZServer -
../../ZServer
srwxrwxrwx1 root root 0 Jul 11 02:08 var/pcgi.soc


Notes:
o All but one of these are symbolic links. 
  No way around 777 on them. 
  No cause for alarm on them either. 
o The two symlinks are from ZEO, and thus would 
  not be in a default tarball.

Now, I do *nix security for a living, and I don't have any issues with
these few, unexposed 777's. I'd be interested to hear what the concerns,
and how to avoid them are.

Zope is actually one of the two places I avoid the RPMs (The other being
Kernel RPMs), adn always stick to source, so I can't vouch for the
permissions of files in the RPM

As I read his post, btw, it looked like he avoided the RPMs dues to the
problems, and was looking for source.


I have a copy of the 2.1.6 source; I'll look at that tonight for
permissions.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Chris McDonough


Bill Anderson wrote:
 He seemed to be mostly griping about files that were wide open (777). On
 2.2.0b4 the only ones I get are:
 lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so
 - ../cPickle.so
 lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZServer -
 ../../ZServer
 srwxrwxrwx1 root root 0 Jul 11 02:08 var/pcgi.soc
 
 Notes:
 o All but one of these are symbolic links.
   No way around 777 on them.
   No cause for alarm on them either.
 o The two symlinks are from ZEO, and thus would
   not be in a default tarball. 
 Now, I do *nix security for a living, and I don't have any issues with
 these few, unexposed 777's. I'd be interested to hear what the concerns,
 and how to avoid them are.

The other file (pcgi.soc) is a unix domain socket...  it gets created
when you run "python w_pcgi" as a Zope install command from the source
distribution.  I'm not sure of the danger of having this get created
777.  It might be worthwhile to look into what could be done to it.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zope and UNIX permissions

2000-07-11 Thread Bill Anderson


Chris McDonough wrote:
 
 Bill Anderson wrote:
  He seemed to be mostly griping about files that were wide open (777). On
  2.2.0b4 the only ones I get are:
  lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZEO/cPickle.so
  - ../cPickle.so
  lrwxrwxrwx1 root root 13 Jul 11 01:36 lib/python/ZServer -
  ../../ZServer
  srwxrwxrwx1 root root 0 Jul 11 02:08 var/pcgi.soc
 
  Notes:
  o All but one of these are symbolic links.
No way around 777 on them.
No cause for alarm on them either.
  o The two symlinks are from ZEO, and thus would
not be in a default tarball.
  Now, I do *nix security for a living, and I don't have any issues with
  these few, unexposed 777's. I'd be interested to hear what the concerns,
  and how to avoid them are.
 
 The other file (pcgi.soc) is a unix domain socket...  it gets created
 when you run "python w_pcgi" as a Zope install command from the source
 distribution.  I'm not sure of the danger of having this get created
 777.  It might be worthwhile to look into what could be done to it.

Well, other than zope not responding over pcgi if it isn't 777?
I just tried this out of curiousity. No response through pcgi.

Bill


-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread Chris McDonough

Which files?  Know that if you untar as root, the files will be 'owned'
by whoever tarred it up on our side.  Untar it as a normal user.  Reset
the permissions of the ones you find too permissive.  Then let us know
so we can change the distribution.

-Original Message-
From: Leonardo Kenji Shikida [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 7:15 PM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] zope and UNIX permissions

We tried to install zope using its tar.gz file and it created a lot of
files with non-default users and with very permissive permissions on a
linux box (like 777 permissions for many files).

This is a HUGE security hole. We couldn't install the RPMs files on our
webserver. Is there any decent zope source code distribution?

thanks in advance

K.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread R. David Murray


On Mon, 10 Jul 2000, Chris McDonough wrote:
 Which files?  Know that if you untar as root, the files will be 'owned'
 by whoever tarred it up on our side.  Untar it as a normal user.  Reset
 the permissions of the ones you find too permissive.  Then let us know
 so we can change the distribution.

On FreeBSD at least, this is not true.  Unless you specify the 'p'
(preserve) flag, untaring as root will leave all the files owned
by root.  I just untared the b4 source distrabution, and the file
permissions all look good to me.

The original poster mentioned an RPM and looking for a source release,
so perhaps the problem is with the RPM.

--RDM


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] zope and UNIX permissions

2000-07-10 Thread Chris McDonough


Using gnutar, untarring as the root user preserves ownership on
expansion by default.  Not sure if FreeBSD uses gnutar (I imagine not),
but this is the case with gnutar under Linux.  I think this is what
happened to him... he said he could not use the RPM release and was
working with the source distribution, so I don't think the problem is
with the RPM.

 -Original Message-
 From: R. David Murray [mailto:[EMAIL PROTECTED]]
 Sent: Monday, July 10, 2000 10:55 PM
 To: Chris McDonough
 Cc: 'Leonardo Kenji Shikida'; [EMAIL PROTECTED]
 Subject: RE: [Zope-dev] zope and UNIX permissions
 
 
 On Mon, 10 Jul 2000, Chris McDonough wrote:
  Which files?  Know that if you untar as root, the files 
 will be 'owned'
  by whoever tarred it up on our side.  Untar it as a normal 
 user.  Reset
  the permissions of the ones you find too permissive.  Then 
 let us know
  so we can change the distribution.
 
 On FreeBSD at least, this is not true.  Unless you specify the 'p'
 (preserve) flag, untaring as root will leave all the files owned
 by root.  I just untared the b4 source distrabution, and the file
 permissions all look good to me.
 
 The original poster mentioned an RPM and looking for a source release,
 so perhaps the problem is with the RPM.
 
 --RDM
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] zope and UNIX permissions

Re: [Zope-dev] zope and UNIX permissions

RE: [Zope-dev] zope and UNIX permissions

Re: [Zope-dev] zope and UNIX permissions

Re: [Zope-dev] zope and UNIX permissions

Re: [Zope-dev] zope and UNIX permissions

RE: [Zope-dev] zope and UNIX permissions

RE: [Zope-dev] zope and UNIX permissions

RE: [Zope-dev] zope and UNIX permissions

9 matches

Site Navigation

Mail list logo

Footer information