[Zope] Re: PythonMethods and import

Robin Becker robin@jessikat.demon.co.uk
Tue, 14 Sep 1999 16:06:09 +0100


In article <37DE5A9A.3B5EBBA0@4-am.com>, Evan Simpson <evan@4-am.com>
writes
>Robin Becker wrote:
>
>> Couldn't this and similar things be done as a property setting on the
>> method. Then you could have a proxy security to allow various degrees of
>> un-safeness rather than just hack the code for all people. So really
>> safe people could open files on the server etc others could do regexps
>> etc etc.
>
>Well...  Sort of.  I mean, yes, obviously this can be done, but there's a
>problem; Once *anyone* is allowed access to unsecure PythonMethod you've
>got a fairly large security risk going unless you routinely manage your
>server through https.
>
>Suppose someone snoops your management sessions and grabs the
>username/password you use for site administration.  Normally, this lets
>them destroy or subvert the contents of your ZODB, but that's all.  With
>scarywildunchained PythonMethods in the picture, they now have full access
>to your system as 'nobody', or whatever you run Zope under.  On Windows,
>at least, this could be effectively root access.
>
>This *can* be made secure (I think) by routing all management through an
>SSL-enabled server and shutting off Zope2's other port access methods, but
>it's not secure by *default*, which is a concern.
>
>The upshot of all this is that I'll probably make unsecure PythonMethods
>an option, but not through the web-interface.  I'll probably make it a
>switch in the source code, down in a broom closet in the basement with a
>sign on the door saying "Beware of the Leopard".
>
>and-don't-forget-the-toe-gremlins-ly y'rs
>Evan Simpson
...
OK, I see we're getting more deeply into what can be imported and what
can't. How can you snoop into another thread? As I understand it, at
present the PMs can only access their locals. If I can get access to any
form of peek/poke I can certainly do nasty things. But can I do this
with the re module? The sys module is certainly dangerous, as is the
thread module, since it might allow us to use up all the threads. Since
denial of service is possible with looping constructs, any form of
non-resource-limited thing is insecure. I'm fairly sure individual threads
in Python aren't resource limited, and unless Zope contains some kind of
watchdog, simple PMs are insecure. Importing re might make them more
insecure by using up resources more rapidly (I believe certain regexps
are very CPU intensive), but I don't think they change the quality of
the insecurity.
-- 
Robin Becker
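The two controls the thread circles around, a per-trust-level decision about what a Python snippet may import and a watchdog that bounds looping constructs, can be sketched in plain Python. The block below is an added example written for this page; it is not code from the thread, from Robin Becker or Evan Simpson, or from Zope's PythonMethods. The trust-level names, the `line_budget`, and the `<untrusted-method>` filename tag are assumptions chosen for the example.

```python
"""Added example, not code from the Zope thread or from Zope itself.

Demonstrates (1) a per-trust-level allowlist deciding what an untrusted
snippet may import and (2) a simple watchdog that bounds how many Python
lines the snippet may execute, so a looping construct cannot run forever.
Trust-level names and the line budget are assumptions for this example.
"""
import builtins
import sys

SNIPPET_FILENAME = "<untrusted-method>"  # tag used to recognise the snippet's frames

# Hypothetical trust levels: which top-level modules each one may import.
ALLOWED_MODULES = {
    "safe": frozenset(),                        # no imports at all
    "regexp": frozenset({"re"}),                # regular expressions only
    "trusted": frozenset({"re", "os", "sys"}),  # server-side access
}


class ImportDenied(ImportError):
    """Raised when the snippet imports a module outside its allowlist."""


class BudgetExceeded(BaseException):
    """Raised by the watchdog.  Derives from BaseException so that an
    ``except Exception:`` inside the snippet cannot swallow it (a bare
    ``except:`` still could; a real sandbox would also forbid that)."""


def run_restricted(source, trust, line_budget=10_000):
    """Execute *source* under the given trust level; return its namespace."""
    allowed = ALLOWED_MODULES[trust]
    real_import = builtins.__import__

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        top = name.partition(".")[0]
        if top not in allowed:
            raise ImportDenied(f"{name!r} is not importable at trust level {trust!r}")
        return real_import(name, globals, locals, fromlist, level)

    # Copy the real builtins and swap in the guarded importer.  Only the
    # 'trusted' level keeps open(), mirroring the "open files on the server"
    # degree of un-safeness mentioned in the thread.
    restricted_builtins = dict(vars(builtins))
    restricted_builtins["__import__"] = guarded_import
    if trust != "trusted":
        restricted_builtins.pop("open", None)

    executed_lines = 0

    def watchdog(frame, event, arg):
        nonlocal executed_lines
        # Only frames compiled from the snippet are counted; import machinery
        # and library code run untraced.  Time spent inside C code (for
        # instance the re engine) produces no line events, so it is NOT
        # bounded by this watchdog; that needs a wall-clock guard as well.
        if frame.f_code.co_filename != SNIPPET_FILENAME:
            return None
        if event == "line":
            executed_lines += 1
            if executed_lines > line_budget:
                raise BudgetExceeded(f"snippet exceeded {line_budget} executed lines")
        return watchdog

    code = compile(source, SNIPPET_FILENAME, "exec")
    namespace = {"__builtins__": restricted_builtins}
    sys.settrace(watchdog)
    try:
        exec(code, namespace)
    finally:
        sys.settrace(None)
    return {k: v for k, v in namespace.items() if k != "__builtins__"}


def describe_run(source, trust):
    """Return 'ok' or the name of the exception class the snippet provoked."""
    try:
        run_restricted(source, trust)
    except BudgetExceeded:
        return "BudgetExceeded"
    except Exception as exc:
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    # Constructed snippets exercising each control.
    print(describe_run("import os", "safe"))                       # ImportDenied
    print(describe_run("import re\nm = re.match('a+', 'aab')", "regexp"))  # ok
    print(describe_run("f = open('/etc/hostname')", "safe"))       # NameError
    print(describe_run("i = 0\nwhile True:\n    i += 1", "regexp"))  # BudgetExceeded
```

The line budget is deliberately measured in executed snippet lines rather than seconds, which makes it deterministic, but it also illustrates Robin's caveat about `re`: a single `re.match` call that backtracks heavily is one line event, so a CPU-heavy pattern is invisible to this watchdog and must be bounded separately (a wall-clock deadline enforced from another thread or process, or limits on pattern and input size).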