-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Kantrowitz

Dr. Michael Gerz wrote:
> are there any security mechanisms within trac (or python) to make sure
> that a trac plugin does not compromise the whole trac server? Are there
> any restrictions on the execution of trac plugins?

Nope, nor is such a thing possible. Python currently has no systems for restricted execution. Several have been looked at, but they are to be considered academic exercises at best. All plugins execute in the same memory space as trac itself, and therefore can do anything it can. In practical terms this means that plugins are programs operating with the permissions of your web server.

--Noah

---------

Well, you could always run Apache twice as different users on the same machine, or it may be easier to run one Apache that does proxying to a tracd instance behind, where the two instances run as separate users that don't have permissions to each other's files. Of course, you have to run two instances of a server, but you have a guarantee that they can't access each other, as long as you trust the operating system.

Obviously it's possible to somehow do some root exploit by a Trac plugin that would allow them... But the exploit risk is inherent in any open port regardless of process. They could exploit your Apache or mail server or whatever you have running and get into Trac.

I think Michael's question is probably, more relevantly, whether or not a trac plugin can access another instance of Trac without an exploit; in other words, through documented programming techniques. I don't know enough about Python and Trac to be able to say if Trac A can access objects of Trac B through standard coding.

Jason
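The separate-users setup described in the reply above only isolates two Trac instances if each environment directory is actually closed to the other account. The following is an added example, not code from the thread or from the Trac project: it audits one environment tree for entries another local user could reach. The function names, the sample tree and the assumption that the two service accounts share no group are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_env(env_root, expected_uid):
    """Return (path, problem) pairs for entries that break per-user isolation."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(env_root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced on Linux
            if st.st_uid != expected_uid:
                findings.append(
                    (path, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
            # Strict check: any read/write/execute bit for "other" is reported,
            # even below a closed parent directory (defence in depth).
            if st.st_mode & stat.S_IRWXO:
                findings.append(
                    (path, "open to other users (mode %o)" % stat.S_IMODE(st.st_mode)))
    return findings

def build_sample_env():
    """Constructed sample: a minimal Trac-like tree with one over-permissive file."""
    root = tempfile.mkdtemp(prefix="tracenv-")
    os.chmod(root, 0o700)
    for sub in ("conf", "db"):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o700)
    for rel, mode in (("conf/trac.ini", 0o600), ("db/trac.db", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    env = build_sample_env()
    # In a real deployment, pass the uid of the account that runs this tracd instance.
    for path, problem in audit_env(env, os.geteuid()):
        print("%s: %s" % (path, problem))
```

Run it once per environment with the uid of the account that owns that instance; an empty result means no file in the tree is readable by the other instance's account through ordinary file permissions.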
