[Zope] Re: superuser confusion

Chris McDonough chrism@digicool.com
Tue, 5 Sep 2000 03:06:15 -0400 (EDT)


On Tue, 5 Sep 2000, Evan Simpson wrote:

> > I've got to say I agree with you here.  I'm still not 100% sure why the
> > superuser or bootstrap user can't own anything.
> 
> It's due to a combination of the trojan horse issue and the sticky
> authentication issue, I think.  You really don't want to be authenticated as
> super very often, because while you are, if you visit a page someone else
> wrote, they can make your browser do evil things to your site.  This is also
> true of Managers, but less so.  Similarly, a page owned by non-super has
> tighter permissions than one owned by the super would.

Yes... the PDG security chapter has all of this in it, but it would seem
that neither Chris W nor I are completely satisfied by these answers.  :-)
It seems a matter of diminishing returns, especially when newbies hit the
wall during install, since we haven't provided them with an airbag yet.

Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org