[Zope-dev] How (in)secure is Zope?

Shane Hathaway shane@zope.com
Thu, 13 Mar 2003 07:49:05 -0500 (EST)


On Thu, 13 Mar 2003, Toby Dickenson wrote:

> On Thursday 13 March 2003 5:21 am, Shane Hathaway wrote:
> 
> >  The only vulnerability would involve
> > trusted users who want to vandalize Zope.  So even though there have
> > been many hotfixes, they are irrelevant--Zope is still secure. (Unless
> > you can't trust your trusted users, which is a different problem.)
> 
> Of course you can't *completely* trust your trusted users. That's why we have 
> separate user accounts, and separate roles.
> 
> IMO:
> Zope is sufficiently vulnerable to abuse from trusted users to justify 
> concern. The normal zope development model is to consider normal python code 
> as trusted - normal python code can do anything without security checks. Zope 
> has many normal python methods that can be called by through-the-web code 
> (after permission checking). In unix terms this is equivalent to having many 
> setuid root programs. IMO concern can be justified without needing to find a 
> specific exploit. From this point of view, Jamie's advocacy of using Unix 
> mechanisms to restrict this 'trusted' python code is valuable.

I agree with you in principle, but your choice of words leads an outsider
to believe that a vulnerability in Zope's internal security model is a
root exploit.  The truth is that a vulnerability in Zope's internal
security model can only "setuid" to the privileges of the owner of the
Zope process, and root doesn't own the Zope process.  On most systems,
Zope is owned by an independent, restricted user.  To get root privileges,
the user would still have to make use of a root exploit outside Zope.

Yes, Zope's internal security model is currently too fragile, since any
product can break the barriers, but Zope 3 is working to deal with that.

Shane