[Zope] no accounts in root user folder?

JPenny at ykksnap-america.com JPenny at ykksnap-america.com
Thu Aug 10 14:59:49 EDT 2006


zope-bounces+jpenny=ykksnap-america.com at zope.org wrote on 08/10/2006 
02:02:28 PM:

> Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
> >I have a zope app in a folder and have an exUserFolder in there to 
> >authenticate the app's users. The app is working fine and i get 
> >authenticated by the exUserFolder and everything works. I tried to 
> >delete the single "admin" account (with Manager privileges) from the 
> >root standard user folder and the app breaks with:
> >
> >Unauthorized: You are not allowed to access 'call_backend' in this context
> >
> >where 'call_backend' is an External Method called by a Python Script. 
> >All objects in zope are owned by the "admin". Could this be causing the
> >problem?
> 
> Others already answered "yes".
> 
> I just would like to add that this is due to the "executable owner"
> feature, introduced in Zope 2.2 to make Trojan horse attacks much
> more difficult. You may still be able to find the corresponding
> documentation (maybe even in the Zope Book (2.7 edition on "Plope.org")).
> 
> 

I would also add: it is usually a really good idea to put only
admin users in the root folder anyway.

This gives you additional protection from several problems:  it makes
database connection methods much harder to see, it protects you from
bugs in add-on acl_user products, it keeps people from doing things
like adding a siteroot to your root folder, and it keeps people out of
the Control_Panel.

The only thing that I can imagine that you would want non-admins to have
access to in the root folder is the error_log.
In a large organization, I could see that you would want programmers
who do not have admin rights to be able to see it.  That might take some
special handling, but I suspect that you could use a proxy role or
even just set its access to Anonymous (although that may lead to 
unintended information leakage).

jim penny
> 
> -- 
> Dieter
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
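The "executable owner" rule both replies refer to, as an added, simplified model written for this thread. It is not Zope's own AccessControl code: it only reproduces the rule that an External Method or Python Script runs with the roles that both the calling user and the object's owner hold, so an owner that has been deleted contributes no roles (the Unauthorized on 'call_backend' above), and a script planted by a low-privilege user cannot borrow the roles of a Manager who runs it (the Trojan-horse case Dieter mentions). The role/permission table, the user names (admin, mallory, appuser) and the script names are constructed for the example.

```python
"""Simplified model of Zope's "executable owner" rule (added illustration,
not Zope's AccessControl code). Role table and names are constructed."""

from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized."""


# role -> permissions it grants (constructed, not a real Zope site)
ROLE_PERMISSIONS = {
    "Manager": {"View", "Manage users", "Use Database Methods"},
    "Developer": {"View", "Access contents information"},
    "Anonymous": {"View"},
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class UserFolder:
    """Minimal acl_users: a name -> User map."""
    users: dict = field(default_factory=dict)

    def add(self, user):
        self.users[user.name] = user

    def delete(self, name):
        del self.users[name]

    def get(self, name):
        return self.users.get(name)


@dataclass
class Executable:
    name: str
    owner: str  # user name recorded when the object was created
    needs: str  # permission the script body requires to do its work


def permissions_of(roles):
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_roles(executable, caller, root_acl_users, owner_check=True):
    """Executable-owner rule: intersect the caller's roles with the owner's.

    The owner is looked up in the user folder it was created in (here the
    root acl_users). An owner that cannot be found has no roles, so the
    intersection is empty no matter who calls the script.
    """
    if not owner_check:  # pre-2.2 behaviour: caller's roles only
        return set(caller.roles)
    owner = root_acl_users.get(executable.owner)
    owner_roles = owner.roles if owner is not None else set()
    return set(caller.roles) & set(owner_roles)


def run(executable, caller, root_acl_users, owner_check=True):
    roles = effective_roles(executable, caller, root_acl_users, owner_check)
    if executable.needs not in permissions_of(roles):
        raise Unauthorized(
            f"You are not allowed to access '{executable.name}' in this context")
    return sorted(roles)


def can_run(executable, caller, root_acl_users, owner_check=True):
    try:
        run(executable, caller, root_acl_users, owner_check)
        return True
    except Unauthorized:
        return False


def scenario():
    """Replays the thread: the Trojan-horse case, then deleting the owner."""
    root_acl_users = UserFolder()
    root_acl_users.add(User("admin", {"Manager"}))
    root_acl_users.add(User("mallory", {"Developer"}))

    # External Method created by admin; doing its work needs a Manager-only
    # permission (constructed stand-in for whatever call_backend really does).
    call_backend = Executable("call_backend", owner="admin",
                              needs="Use Database Methods")
    # Script planted by a Developer, hoping a Manager will run it.
    trojan = Executable("monthly_report", owner="mallory", needs="Manage users")

    # App user authenticated by the exUserFolder in the app folder: it holds
    # Manager there, but the owner of call_backend is resolved in the root.
    app_user = User("appuser", {"Manager"})
    admin = root_acl_users.get("admin")

    out = {}
    out["app_user_before_delete"] = can_run(call_backend, app_user, root_acl_users)
    out["trojan_no_owner_check"] = can_run(trojan, admin, root_acl_users, owner_check=False)
    out["trojan_with_owner_check"] = can_run(trojan, admin, root_acl_users)

    root_acl_users.delete("admin")  # what the original poster did
    out["app_user_after_delete"] = can_run(call_backend, app_user, root_acl_users)
    return out


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'ok' if ok else 'Unauthorized'}")
```

The two interesting rows are the last two: with the owner check on, admin running mallory's script gets the empty intersection of Manager and Developer and is refused, and once "admin" is gone from the root user folder every object it owns is refused even to a caller who holds Manager, which is exactly the symptom in the thread.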



More information about the Zope mailing list