[Zope] database connections from external method

Vangelis Mihalopoulos mihalop at vtrip.net
Mon Oct 24 09:37:58 EDT 2005


Tino Wildenhain wrote:

>> I want to have full access rights on the database through the 
>> external methods.
>
> Usually you don't want that.

Yes, usually I don't.

> Sane security constraints on the database save you a lot of mistakes if done 
> right. You can also use views and stored
> functions to further tighten your security.

Really, this reasoning may apply to regular projects.
For my case, let me explain:
 - Say, you want to read/write a DB through Zope.
 - You have a read-only ZODB, so you cannot change anything.
 - The user-folder is based on an external authentication mechanism.
 - A Zope security hole comes up, which gives you all permissions within Zope.
 - You want to minimize the casualties of this attack.
I think database constraints are not applicable for this scenario. Also, 
I don't want any application logic within the database, so stored 
procedures are not an option either. I believe that using ZSQLmethods 
for this setup will/might allow an attacker to:
 - retrieve information about the database (schema-wise)   [ <- not so important ]
 - retrieve/modify records [ <- much more important ]

I (maybe falsely) think of Zope as a "sandbox" environment. I cannot 
"operate" as root within this sandbox, so I need external methods. Why 
not move all my "non-restricting"/"privileged" actions outside this 
sandbox, so that if someone breaks into the sandbox I might stand a better 
chance to keep him there for a while longer? Following this reasoning, I 
created a single external method [a true SPOF :-) ] which does all the 
dirty work.

> Badly done external methods are more likely to open security holes.

Of course! I trust the Zope developers to be much more of a coder than 
me! :-)

>> I really hope I don't! :-)   As Dieter said, my application is not a 
>> conventional Zope application.
>
> What is it instead? :)

Got you intrigued huh?? :-)
It is a webmin/usermin-like suite for Linux. The approach is quite 
different, both commercially and architecturally. I am pretty sure it is 
probably the most "unconventional" use of Zope up to now. :-)

>> I could say that, for this project, I am using Zope:
>> - as a much safer alternative to CGI
>
> but not if compromised :)

Indeed!!
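
Added example, not part of the original post and not the poster's code: one way to keep a single privileged external method narrow, so that a caller holding every permission inside Zope can still only run named operations with validated arguments and never supplies SQL text. Assumptions: sqlite3 stands in for the real database, and db_gateway, the accounts table and the operation names are hypothetical.

```python
import re
import sqlite3

# Constructed stand-in for the real database; table and columns are hypothetical.
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, shell TEXT NOT NULL)")
_conn.execute("INSERT INTO accounts VALUES ('alice', '/bin/bash')")

_LOGIN = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_SHELLS = frozenset({"/bin/bash", "/bin/sh", "/usr/sbin/nologin"})

def _check_login(value):
    if not isinstance(value, str) or not _LOGIN.fullmatch(value):
        raise ValueError("invalid login")
    return value

def _check_shell(value):
    if not isinstance(value, str) or value not in _SHELLS:
        raise ValueError("shell not allowed")
    return value

# operation name -> (fixed SQL, ordered (parameter, validator) pairs)
_OPERATIONS = {
    "get_shell": ("SELECT shell FROM accounts WHERE login = ?",
                  (("login", _check_login),)),
    "set_shell": ("UPDATE accounts SET shell = ? WHERE login = ?",
                  (("shell", _check_shell), ("login", _check_login))),
}

def db_gateway(operation, **params):
    """Single entry point called from inside Zope; it never accepts SQL text."""
    if not isinstance(operation, str) or operation not in _OPERATIONS:
        raise PermissionError("unknown operation: %r" % (operation,))
    sql, spec = _OPERATIONS[operation]
    if set(params) != {name for name, _ in spec}:
        raise ValueError("unexpected or missing parameters")
    args = [check(params[name]) for name, check in spec]
    with _conn:  # commit on success, roll back on error
        cur = _conn.execute(sql, args)
        # SELECT returns rows; UPDATE returns the number of rows changed.
        return cur.fetchall() if cur.description else cur.rowcount
```

Because the SQL strings are fixed in the module, schema discovery and arbitrary record access are not reachable through this entry point even when the caller is fully privileged inside Zope.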


