Re: [Zope] The Ascetic Superuser

2000-09-07 Thread Dieter Maurer

ethan mindlace fremen writes:
  Now every object excecutes according to the permision of the owner,
  *not* the viewer. It can also run as a proxy role.  The
  super-bootstrap-user lives outside of "normal" zope authentication  has
  permission to do anything save that which NotEvenGodShouldDo. 
  Therefore, it shouldn't own objects.
Am I really expected to understand this "Therefore"?
In fact, I do not!

Does it mean, that a Superuser can execute any method with
*ITS* privileges and not the intersection of its priviledges
with the owners privileges?
I hope (and expect) not!

Why is it much worse when an object is owned by Superuser
than by a manager?
What are the differences with respect to the Trojan Horse
or other security issues?


Dieter

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] The Ascetic Superuser

2000-09-05 Thread Chris McDonough

On Tue, 5 Sep 2000, ethan mindlace fremen wrote:
 Now every object excecutes according to the permision of the owner,
 *not* the viewer. It can also run as a proxy role.  The
 super-bootstrap-user lives outside of "normal" zope authentication  has
 permission to do anything save that which NotEvenGodShouldDo. 
 Therefore, it shouldn't own objects.

Methods actually now execute with the effective intersection of the
permissions granted to the AUTHENTICATED_USER and the permissions
granted to the method's owner.  If a proxy role is specified, the method
executes with permissions restricted to those roles assigned by the proxy
role.

This is unarguably a good thing.  What's not entirely clear is *why*
super can't own, which is a separate issue.  The power it has beyond
that of a normal management user is the ability to traverse the site
unrestricted by the security machinery.  I actually don't think
there's an answer to this question that has to do with method
execution.  I think the ultimate answer is one or a few of the
following: "because," "shrug," "for audit trail purposes," or "so you
don't shoot yourself in the foot," or "be quiet."  :-) Alternately,
the answer might lie in an unobvious implementation detail that none
of us really want to think about.

 This is *quite* important, and needs to stay.  I don't know how to
 emphasize enough that this is a well thought out correction to an
 extremely deadly class of security problems that still (afaik) plagues
 many "other" through-the-web management systems.

I just can't think of any situations where having a method execute with
the effective intersection of the permissions granted to superuser and
the permissions granted to another user would cause more damage
than a method executing with the effective intersection of the permissions
granted to a normal management user and another user.  Can you? 

 The newbie pain, however, could probably be mitigated- don't call it a
 Super user, since it hardly deserves the S or the cape.  Have a user in
 the default install.  Something like that.

I agree.  This should happen soon.

Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )