[Zope-dev] Re: Unsecure design of ExternalFile

Dieter Maurer dieter@handshake.de
Fri, 22 Nov 2002 19:59:47 +0100


Wei He writes:
 > ...
 > I have an idea, but don't know whether it is possible:
 > set uid.
 > 
 > If there is a way Zope server can change uid to a predefined
 > one before accessing an externally linked file, each webmaster
 > will have permission to their own home directory plus some 
 > shared directories to which all webmasters have permission.
Forget about this in a multi-threaded process (with almost
independent threads).

   The "uid/gid" are process global things.
   Interesting things happen when threads asynchronously
   change it.

In order to be able to switch users, Zope must run with
"root" privileges -- a huge security risk.

 > Then I can create system accounts for each webmaster,
Give each webmaster its own Zope process.


Dieter
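
An added example, not part of the original message and not Zope or ExternalFile code: it moves the uid switch out of the threaded server into a short-lived, single-threaded child process, so no other thread ever runs under the changed uid. The names `drop_privileges`, `read_as_user` and `demo` are hypothetical; switching to a uid other than the caller's own still requires the caller to be root, and the demo uses the current uid so it runs unprivileged.

```python
import os
import tempfile

def drop_privileges(uid, gid):
    """Irreversibly switch this process to uid/gid (a different uid needs root)."""
    if (os.getuid(), os.geteuid(), os.getgid()) == (uid, uid, gid):
        return                      # already running as the target identity
    os.setgroups([])                # drop supplementary groups first
    os.setgid(gid)                  # group before user: setgid fails once root is gone
    os.setuid(uid)                  # as root this sets real, effective and saved uid

def read_as_user(path, uid, gid):
    """Read path in a child process that runs as uid/gid; return the bytes."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                    # child: single-threaded copy of the caller
        status = 1
        try:
            os.close(rfd)
            drop_privileges(uid, gid)
            with open(path, "rb") as src, os.fdopen(wfd, "wb") as out:
                out.write(src.read())
            status = 0
        except OSError:
            pass                    # denied, missing file, or failed setuid
        finally:
            os._exit(status)        # never return into the parent's code
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        data = pipe.read()          # read to EOF before waiting, avoids deadlock
    _, wait_status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(wait_status) and os.WEXITSTATUS(wait_status) == 0):
        raise OSError(f"child running as uid {uid} could not read {path}")
    return data

def demo():
    # Constructed sample file, read back under the caller's own uid/gid.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"hello from webmaster\n")
    try:
        return read_as_user(f.name, os.getuid(), os.getgid())
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```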