[Zope-Coders] [patch] z2.py on UNIX: security fixes + security enhancements

Behrens Matt - Grand Rapids Matt.Behrens@Kohler.Com
Fri, 26 Oct 2001 09:07:35 -0400

The attached patch addresses the following issues in z2.py.  All these 
issues are related to ZServer being started as root on UNIX systems.  It 
does constitute something of a change to the startup process, but I've 
tried to make it be as non-intrusive as possible while still making sure 
the end-user is aware of what's going on.


Issue 1, the big one:  Z2.pid is written by the less-privileged user. 
This means Z2.pid can be changed by that less-privileged user, and root 
can be tricked into killing an arbitrary process by running "stop".

The first part of addressing this is moving the writing of Z2.pid up 
before the setuid call.  However, var needs to be writable by the 
less-privileged user in order for Zope to operate.  var being writable 
like this means that the less-privileged user can delete and re-create 
Z2.pid, and still trick root as above.  I solved this by forcing var to 
have the sticky bit set if ZServer is started as root.  Other solutions 
involved having to modify the start and/or stop scripts, which I didn't 
think would be cool for upgraders.


Issue 2:  'nobody' is not a good user to drop to, simply because other 
system daemons on some UNIXen as well as many third-party packages 
depend on it to have no permissions whatsoever.  The less-privileged 
user needs to have Data.fs read/write rights, so if any of these other 
daemons is compromised, Data.fs could be read.

The way this needs to be addressed is by encouraging the end-user to 
create a dedicated user to run Zope as.  To that end, I've removed 
'nobody' as the default and forced -u to be specified on the z2.py 
command line if you're starting as root.  -u nobody can still be 
specified, but it will issue a warning on startup.  Also, if z2.py is 
actually started as nobody, the same warning will be issued.


Issue 3:  The default UNIX umask, 022, means that any new files created 
in var will be created with read permissions for everyone on the system. 
New files are created when the database is packed, as well as when 
gadfly is used.

If the umask is not set to 077, a warning is issued on startup.  There 
is probably legitimate reason to run with other umasks, so I didn't 
think it was proper to force ZServer to be run with my particular choice.


This patch also spits out INFO when it actually does the setuid.
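The startup order the message describes (refuse to start as root without -u, warn on 'nobody', warn on a umask other than 077, write Z2.pid while still root, require the sticky bit on var, then setuid with an INFO line), as an added Python example that is not the patch from this message. Function names, the logger name and the extra check that var is not owned by the run user are my own additions.

```python
import logging
import os
import pwd
import stat

log = logging.getLogger("z2.startup")
SAFE_UMASK = 0o077  # the umask the message recommends

def validate_run_user(user, running_as_root):
    """Refuse to start as root without -u; warn when 'nobody' was chosen."""
    if running_as_root and not user:
        raise SystemExit("started as root: -u <dedicated zope user> is required")
    if user == "nobody":
        log.warning("'nobody' is shared with other daemons; use a dedicated user")
    return user

def umask_warning(umask):
    """Warning text when the umask is looser than 077, else None."""
    if umask != SAFE_UMASK:
        return "umask %03o: new files in var may be readable by others" % umask
    return None

def var_dir_ok(mode, dir_uid, run_uid):
    """Sticky bit stops the run user unlinking root's Z2.pid.  Extra check beyond
    the message: the sticky bit exempts the directory owner, so var must not
    be owned by the run user either."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX) and dir_uid != run_uid

def start(var_dir, user, pidfile="Z2.pid"):
    """Startup order from the message: checks, pid file as root, then setuid."""
    as_root = os.getuid() == 0
    user = validate_run_user(user, as_root)
    umask = os.umask(0)  # os.umask only reports the old value while setting
    os.umask(umask)
    msg = umask_warning(umask)
    if msg:
        log.warning(msg)
    if not as_root:
        return
    pw = pwd.getpwnam(user)
    st = os.stat(var_dir)
    if not var_dir_ok(st.st_mode, st.st_uid, pw.pw_uid):
        raise SystemExit("%s needs the sticky bit and must not be owned by %s" % (var_dir, user))
    with open(os.path.join(var_dir, pidfile), "w") as f:  # written while still root
        f.write("%d\n" % os.getpid())
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    log.info("setuid to %s (uid %d)", user, pw.pw_uid)
```

Opening an existing Z2.pid with "w" truncates it but keeps its old owner, so a pid file left behind by the run user from an earlier install should be removed once before the first start with this order.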


This patch is against 2.4.1, although it cleanly applies to 2.4.2.  I'm 
sitting on the 2.4.2 update for OpenBSD (I'm maintaining that port) 
until there's a resolution of some kind that I can include with it.

-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture