[Zope-dev] Zope/z2 security issues

Ivo van der Wijk ivo@amaze.nl
Mon, 18 Jun 2001 17:00:42 +0200


Hi All,

We're currently working on some security issues when running zope in an
INSTANCE_HOME (multiple instances running as different users) setup.

The first issue is tightening of the current security. We introduced
the ability to set the groupid under which the server runs, so you can
put zope users in a zope group, not give non-group members read/execute
permission (o-rwx) to the instance homes, zope directories, product
directories, etc. 

These patches (along with a zopectl patch) can be found on:

http://www.zope.org/Members/maurice

The second issue: if z2.py is started as root, it will either setuid() to
nobody, or to the username supplied with -u.

However, z2.py initializes logging while still running as root by importing/
using ZLogger. This means that the logfiles will be owned (if they did not
yet exist) by root in INSTANCE_HOME/var, while you would want these to be
owned by nobody or the user the instance should be running as.

z2.py setuid()'s to the non-root user after (optionally) opening privileged
ports.

If you symlink the logfiles in INSTANCE_HOME/var to /etc (or worse, /etc/passwd
or /etc/shadow), you might even be able to destroy these files or insert
data into them.

The correct solution would probably be something like:

- run as root
- seteuid(non-root-user)
- initialize logging     -\
- seteuid(root)            } optional (only if privileged ports are required)
- open privileged ports  -/
- setuid(non-root-user)

(note both the setEuid and setuid calls)

However, python 1.5.2 does not have seteuid() so this can/will only work with
2.0/2.1 or zope 2.4 (which requires 2.1)

We don't want to run our production zope servers with python > 1.5.2, so our
current patch consists of a setuid() at the top of z2.py, we don't run 
zope on privileged ports anyway. If anyone wants a patch for this, please mail
me.

Cheers,

	Ivo

-- 
Drs. I.R. van der Wijk                              -=-
Brouwersgracht 132                      Amaze Internet Services V.O.F.
1013 HA Amsterdam                                   -=-
Tel: +31-20-4688336                          Linux/Web/Zope/SQL
Fax: +31-20-4688337                           Network Solutions
Web:     http://www.amaze.nl/                    Consultancy
Email:   ivo@amaze.nl                               -=-
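
The startup order proposed in the message above, as an added example that is not part of the original post or of z2.py. The names `start_server`, `open_log_nofollow`, `bind_ports` and `sys_api` are hypothetical, and the `O_NOFOLLOW` flag on the logfile is an extra symlink guard the post does not mention; it needs a Python with `os.seteuid()`, as the post notes.

```python
import os

def open_log_nofollow(path, mode=0o640):
    """Open a logfile for append, refusing a symlink as the final component."""
    # O_NOFOLLOW only guards the last path component; the directory itself
    # must still not be writable by untrusted users.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    return os.open(path, flags, mode)

def start_server(uid, gid, log_path, bind_ports=None, sys_api=os):
    """Open logs as the target user, bind ports as root, then drop for good.

    bind_ports is a callable run with root restored (None if no privileged
    ports are needed). sys_api is the os module, replaceable in tests.
    """
    if sys_api.geteuid() != 0:
        # Not started as root: files are created as the invoking user anyway.
        return open_log_nofollow(log_path), None
    sys_api.setgroups([gid])   # drop root's supplementary groups first
    sys_api.setegid(gid)       # group before user, while euid is still 0
    sys_api.seteuid(uid)       # temporary drop: saved uid remains 0
    try:
        log_fd = open_log_nofollow(log_path)   # created as uid:gid, not root
    finally:
        sys_api.seteuid(0)     # regain root; possible because saved uid is 0
        sys_api.setegid(0)
    sockets = bind_ports() if bind_ports else None
    # Permanent drop. setuid() must be called with euid 0: only then does it
    # reset real, effective and saved uid, so root cannot be regained later.
    sys_api.setgid(gid)
    sys_api.setuid(uid)
    try:
        sys_api.setuid(0)      # verify the drop is irreversible
    except OSError:
        pass
    else:
        raise RuntimeError("privilege drop did not stick")
    return log_fd, sockets
```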