[Zope] Re: [Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?

Jonas Luster loki@smurftarget.net
Tue, 9 Jan 2001 09:34:10 -0800


* Joachim Werner sez:

Ok, let me try to understand this one. I am a bit dumb, sorry...

> - You can work with full SSL-encryption, maybe even client certificates.
>    This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP,
>    while being the "better TELNET/FTP" is not always an option, and it
>    always opens up more than necessary)

what exactly does SSH open up 'more than necessary'. Sufficient clue on
admin's side provided?

> - People won't hack together their own solutions for the problem (with
>    LocalFS installed and me having the rights to add LocalFS instances, it
>    would take me not very long to "infiltrate" any Zope server. Just add the
>    "Extensions" folder via LocalFS and upload all you need as External
>    Methods ...)

That requires a few things, if I am not mistaken...

a) ZServer runs as anything but nobody/nogroup and is not
   jail(8)ed/chrooted. If that is the case, well, I'd personally shoot
   the admin responsible for that if something comes up.

b) ${ZOPEROOT}/Extensions allows nobody to write into it - shoot admin.

http://www.post1.com/home/ngps is a good way to start securing Zope, the
problem of transmitting passwords in the clear is a big one, but has
been solved at my domains by deploying SecurID-tokens, which might not
be the ultimate solution (lots of stuff I wanted to hide is still
transmitted in the clear) but is a good start.

jonas

-- 
Jonas Luster -- http://smurftarget.net (while netwarriors.org is down) -- loki@smurftarget.net
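The two conditions Jonas lists (ZServer not running as root, and ${ZOPEROOT}/Extensions not writable by the ZServer user) as a small audit script; this is an added example, not code from the thread or from Zope, and the uid/gid 1234 and the temporary ZOPEROOT it builds are constructed sample values.

```python
"""Audit the LocalFS/External Methods exposure described in the thread:
if the Zope process can write into ${ZOPEROOT}/Extensions, anyone who can
add a LocalFS instance can drop External Methods there."""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Classic Unix permission check: can a process with this uid and set of
    gids write to the object described by the stat result st?"""
    if uid == 0:                      # root bypasses mode bits entirely
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_extensions(zope_root, uid, gids):
    """Return a list of findings; an empty list means both checks pass.
    uid/gids are those of the running ZServer process."""
    findings = []
    if uid == 0:
        findings.append("ZServer runs as root")
    ext = os.path.join(zope_root, "Extensions")
    if not os.path.isdir(ext):
        return findings               # nothing to upload into
    if writable_by(os.stat(ext), uid, gids):
        findings.append("Extensions writable by Zope process user")
    return findings


def demo(mode):
    """Build a throwaway ZOPEROOT (constructed sample, not a real install)
    whose Extensions dir has the given mode, owned by the current user, and
    audit it for a hypothetical unprivileged ZServer uid/gid of 1234."""
    root = tempfile.mkdtemp()
    ext = os.path.join(root, "Extensions")
    os.mkdir(ext)
    os.chmod(ext, mode)
    return audit_extensions(root, 1234, {1234})


if __name__ == "__main__":
    print("0755:", demo(0o755))       # []
    print("0777:", demo(0o777))       # Extensions writable finding
```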