[Zope-DB] Plaintext Password Concerns

David A. Riggs lukewarm@ultrasoul.com
15 May 2003 18:35:24 -0400


On Thu, 2003-05-15 at 16:40, Jim Penny wrote:
> On Thu, May 15, 2003 at 04:00:41PM -0400, David A. Riggs wrote:
> > Our University would like to give out Zope accounts for
> > groups of students so they may experiment and work on
> > various projects. One key feature that people would like
> > to use is connectivity to a PostgreSQL database.
> >
> > We take security very seriously and would like some way
> > around storing plaintext passwords in the connection
> > strings for the Psycopg Database Connectors. Has anyone
> > come up with some alternative to this or a solution to
> > this possible security hazard?
> >
> Two Answers:
> 1)  It is OK that users share the connections to postgresql.
>   Put the psycopgda in the root of your Zopes, and build a separate
>   folder for each user.   Do not allow them to view root.  That should
>   be enough.
> 2)  Each user gets a separate database and thus requires a separate
>     connection.
>   Build a separate folder for each user.  Put the database connector in
>   that folder.  Deny the user the right to view this folder.  Now put
>   another folder, say sandbox, inside the user's folder.  Grant the user
>   admin rights to this folder.  Use rewrite rules so that
>   http://host/userid is remapped to http://host/userid/sandbox.
>   This should be plenty.

Number 1 is most definitely out of the question, and number 2 addresses
the wrong problem: we don't want other users to see a user's password.
Let me try and explain the situation a bit better.

Zope authentication is performed against an OpenLDAP directory with
LDAPUserFolder. LDAP people are mapped directly to Zope users, LDAP
groups are mapped to Zope roles. PostgreSQL also authenticates against
LDAP, every user has their own database in the PostgreSQL instance.
We want to be able to give users their own folder in Zope where they
can muck around and create applications, but not all users (just the
members of a certain ZopeUsers LDAP group or something similar). The
security hazard here is that Managers at a higher level in the Zope
tree can view the plaintext password in their DB connectors (making
things worse is that they are authenticating against the same source
for everything, LDAP).

I'm trying to find some solution where this password isn't available
plaintext for Managers higher in the Zope tree or people in this
same sibling group.

What I want to be able to say is "bind to the database with the
username and pass of the object owner" rather than "bind to the
database with this explicit username and pass", though I may be
seeking answers in the wrong place.

David A. Riggs
West Virginia University CS/EE
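What the poster is asking for, reduced to a small working example: the
connection string that gets stored in the connector (and is therefore
readable by any Manager who can view it) carries no password at all; the
password is looked up at bind time, keyed by the owner's username, from a
credential file that only the account performing the bind can read. This
is an added example and not code from Zope, the Psycopg adapter, or anyone
in the thread. It assumes a pgpass-style credential file (PostgreSQL's
own host:port:database:username:password format, with '*' wildcards and
backslash-escaped ':' and '\'); the file contents, the host name
dbhost.example.edu and the owner names below are constructed for the
example.

```python
"""Resolve a PostgreSQL password per owner from a pgpass-style file.

Added example, not Zope/Psycopg code.  The stored DSN never contains the
password; it is joined in only at bind time from a file the bind account
alone can read.  The pgpass format is PostgreSQL's; the sample file
content, host and owner names are constructed for this example.
"""

# Constructed sample credential file (one line per owner).
SAMPLE_PGPASS = """\
# host:port:database:username:password
*:5432:*:alice:al\\:ice-secret
*:5432:*:bob:bob-secret
dbhost.example.edu:*:*:carol:carol-secret
"""


def _split_pgpass_line(line):
    """Split one pgpass line into its 5 fields, honouring backslash escapes.

    Only the first four unescaped ':' separate fields; everything after
    them is the password, so a password may itself contain ':'.
    """
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped ':' or '\'
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":" and len(fields) < 4:      # field separator
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields if len(fields) == 5 else None


def _field_matches(pattern, value):
    """A pgpass field matches on '*' or on an exact string match."""
    return pattern == "*" or pattern == value


def lookup_password(pgpass_text, host, port, database, user):
    """Return the password from the first matching line, or None.

    First match wins, as in libpq; comments and malformed lines are
    skipped rather than treated as credentials.
    """
    for raw in pgpass_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = _split_pgpass_line(line)
        if parsed is None:
            continue
        h, p, d, u, pw = parsed
        if (_field_matches(h, host) and _field_matches(p, str(port))
                and _field_matches(d, database) and _field_matches(u, user)):
            return pw
    return None


def stored_dsn(host, port, database, owner):
    """The string that is safe to keep in the connector: no password in it."""
    return "host=%s port=%d dbname=%s user=%s" % (host, port, database, owner)


def bind_dsn(pgpass_text, host, port, database, owner):
    """DSN assembled at bind time for the object owner.

    Raises LookupError rather than silently binding as nobody when the
    owner has no credential on file.
    """
    pw = lookup_password(pgpass_text, host, port, database, owner)
    if pw is None:
        raise LookupError("no credential on file for owner %r" % (owner,))
    return stored_dsn(host, port, database, owner) + " password=" + pw


if __name__ == "__main__":
    print(stored_dsn("dbhost.example.edu", 5432, "alice_db", "alice"))
    print(bind_dsn(SAMPLE_PGPASS, "dbhost.example.edu", 5432, "alice_db", "alice"))
```

The point of the split is where each string lives: stored_dsn() is what
ends up in the Zope object tree and can be read by a Manager above it;
the password only ever exists inside the process that performs the bind,
which is why the credential file must be readable by that account alone.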
