[Zope] [ANN] ZShell 0.2

[Michel Pelletier]

On Sat, 5 May 2001, Jason Cunliffe wrote:

> From: "Jerome Alet" <alet@unice.fr>
> > I've just seen the same message, so I've browsed the files with cvsweb,
> > and now I better understand Michel's concerns: it seems as External
> methods
> > run completely unrestricted by default, which I ignored until I read this
> > document.
> 
> ..and what of Scripts (Python) Do they inherit Zope permissions model.?

Yes.  This comes at the cost of a small performance hit compared to
external methods.

My concern with ZShell is that as soon as your execution crosses the
boundary between Zope and an external method, all security checks stop.  
So yes, Zope will restrict 'Bob' from running the ZShell external method
if he doesn't not have the 'Use External Methods' permission, but if he
*does* have the right permission, then no other permissions matter,
because ZShell circumvents them.

> Security should be addressed.

Absolutely!

> I suppose one could extend 'Exernal Methods' to create a 'External Zshell
> Methods'

This won't help, as I said, as soon as a user has that one permission,
they circumvent all of them.

> But Jerome please don't let this slow you down writing Zshell functions now.
> Let's just agree that Zshell is a really powerful Essential Zope tool. An
> important concept which definitely needs developing. And it assumes greater
> responsibility than the default TTW interface, and wears a large sysadmin
> warning label!

Oh yes, don't take my warning as a discouragement, please continue.  I
just wanted to make sure everyone was aware of the security issues.

> I have been using ZJavatelnetSSH Product quite often recently for sheer
> convenvince of remote Zope sysadmin.
> http://dev.zope.org/Members/dshaw/ZJavaTelnetSSH

Yeah, that's a really cool product that shows off some pretty amazing
Java/ZClass integration.

-Michel