[Zope] Zope application offline - how to apply a license protection?
Jaroslav Lukesh
lukesh at seznam.cz
Fri Aug 15 15:01:27 EDT 2003
> From: Gabriel Genellina <gagenellina at softlab.com.ar>
> >1. use a dedicated server with an encrypted FS (e.g., Linux), do not share ANY
> >passwords.
> >2. do not allow users to go above the specified hierarchy of folders.
> >3. disable all access other than "view" for all DTML Methods and
> >code-critical DTML documents.
> >etc...
>
> Except 1) the other measures protect against thru-the-web access, but not
> from local access.
> Anyone who can read data.fs can see the user passwords, which the standard
> UserFolder stores without encryption by default, and then can log in as
> Manager and change anything.
Use your own dedicated server with Zope, an encrypted FS (you need to solve the
problem with the key :( ), or a lock on the computer case.
> And anyone with write permission to the filesystem can create an emergency
No one other than "root" will have access to that PC.
> user, log in as such, and modify all objects inside Zope (the emergency
> user can do almost anything without restrictions, just can't create new
> objects).
> Zope may have a good shield from web attacks but I think it is very
> vulnerable for local intrusion or sabotage.
Zope is not responsible for that; you need to solve these problems at the system
level and with robust HW, as I have shown you.
Do you have access to local files on the server at your bank office?
Regards JL.
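
An added example, not part of the original thread: a local permission audit for the two risks discussed above (a readable data.fs, and filesystem write access that allows an emergency user to be created). It assumes the conventional Zope 2 instance layout, with the database at var/Data.fs and the emergency user stored in a file named "access" in the instance home; the function names and the sample instance are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_zope_instance(instance_home):
    """Return findings for local-access risks in a Zope instance directory."""
    findings = []
    data_fs = os.path.join(instance_home, "var", "Data.fs")  # assumed location
    access = os.path.join(instance_home, "access")  # assumed emergency user file

    # Anyone who can read Data.fs can read the stored user passwords.
    if os.path.exists(data_fs):
        mode = stat.S_IMODE(os.stat(data_fs).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("Data.fs readable by group/other (mode %o)" % mode)

    # Write access to these directories lets a local user create the
    # emergency user file or replace Data.fs.
    for d in (instance_home, os.path.join(instance_home, "var")):
        if os.path.isdir(d):
            mode = stat.S_IMODE(os.stat(d).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("%s writable by group/other (mode %o)" % (d, mode))

    # An existing emergency user file should be reviewed and removed after use.
    if os.path.exists(access):
        findings.append("emergency user file present: %s" % access)
    return findings


def build_sample(loose):
    """Build a constructed sample instance in a temp dir (not a real Zope)."""
    home = tempfile.mkdtemp()
    var = os.path.join(home, "var")
    os.mkdir(var)
    data_fs = os.path.join(var, "Data.fs")
    open(data_fs, "wb").close()
    os.chmod(data_fs, 0o644 if loose else 0o600)
    os.chmod(var, 0o775 if loose else 0o700)
    if loose:
        open(os.path.join(home, "access"), "w").close()
    return home


if __name__ == "__main__":
    for finding in audit_zope_instance(build_sample(loose=True)):
        print(finding)
```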