[Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?

Joachim Werner joe@iuveno.de
Tue, 9 Jan 2001 19:15:03 +0100


> > - You can work with full SSL-encryption, maybe even client certificates.
> >    This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP,
> >    while being the "better TELNET/FTP" is not always an option, and it
> >    always opens up more than necessary)
>
> what exactly does SSH open up 'more than necessary'?
> admin's side provided?

Of course, "sufficient clue on admin's side provided", you are right. But I
don't know too many cases of perfectly secure configurations ...

> > - People won't hack together their own solutions for the problem (with
> >    LocalFS installed and me having the rights to add LocalFS instances,
> > it would take me not very long to "infiltrate" any Zope server. Just add
> > the "Extensions" folder via LocalFS and upload all you need as External
> > Methods ...)
>
> That requires a few things, if I am not mistaken...
>
> a) ZServer runs as anything but nobody/nogroup and is not
>    jail(8)ed/chrooted. If that is the case, well, I'd personally shoot
>    the admin responsible for that if something comes up.
>
> b) ${ZOPEROOT}/Extensions allows nobody to write into it - shoot admin.

Again you are right, but as Zope is really easy to install, I'd guess that it
is not only used (and installed) by "uberadmins" who know exactly what they
are doing ...

Joachim
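
An added example, not part of the original message: a small audit for the two conditions (a) and (b) discussed in the thread, namely which account the server runs as and whether that account can write into the Extensions directory. It assumes classic Unix mode bits only (no ACLs); the function names and the sample uid are hypothetical.

```python
import os
import stat


def can_write(st, uid, gids):
    """Unix permission check from mode bits: owner, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_extensions(ext_dir, server_uid, server_gids):
    """Return findings for an Extensions directory and the account the
    server process runs as. An empty list means neither condition holds."""
    if server_uid == 0:
        # root bypasses mode bits, so every path below would be writable.
        return ["server runs as root"]
    findings = []
    for root, _dirs, files in os.walk(ext_dir):
        # A writable directory allows new modules to be dropped in;
        # a writable file allows an existing module to be replaced.
        for path in [root] + [os.path.join(root, f) for f in sorted(files)]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if can_write(st, server_uid, server_gids):
                findings.append("writable by server account: " + path)
    return findings


if __name__ == "__main__":
    import sys
    # Usage: audit.py /path/to/Extensions <uid of the server account>
    # Supplementary groups are not looked up here; pass them in if needed.
    ext_dir, uid = sys.argv[1], int(sys.argv[2])
    results = audit_extensions(ext_dir, uid, set())
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```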