[Zope] no accounts in root user folder?
Hello,

I have a Zope app in a folder and have an exUserFolder in there to authenticate the app's users. The app is working fine and I get authenticated by the exUserFolder and everything works.

I tried to delete the single "admin" account (with Manager privileges) from the root standard user folder and the app breaks with:

Unauthorized: You are not allowed to access 'call_backend' in this context

where 'call_backend' is an External Method called by a Python Script. All objects in Zope are owned by the "admin". Could this be causing the problem?

Thanks for any help,
Vangelis

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] database connections from external method
Tino Wildenhain wrote:
>> I want to have full access rights on the database through the external methods.
> Usually you don't want that.

Yes, usually I don't.

> Sane security constraints on the database save you a lot of mistakes if done right. You can also use views and stored functions to further tighten your security.

Really, this reasoning may apply to regular projects. For my case, let me explain:
- Say, you want to read/write a DB through Zope.
- You have a read-only ZODB, so you cannot change anything.
- The user folder is based on an external authentication mechanism.
- A Zope security hole comes up, which gives you all permissions within Zope.
- You want to minimize the casualties of this attack.

I think database constraints are not applicable for this scenario. Also, I don't want any application logic within the database, so stored procedures are not an option either.

I believe that using ZSQL Methods for this setup will/might allow an attacker to:
- retrieve information about the database (schema-wise) [<- not so important]
- retrieve/modify records [<- much more important]

I (maybe falsely) think of Zope as a "sandbox" environment. I cannot "operate" as root within this sandbox, so I need external methods. Why not move all my "non-restricting"/"privileged" actions outside this sandbox, so that if someone breaks into the sandbox I might stand a better chance to keep him there for a while longer? Following this reasoning, I created a single external method [a true SPOF :-)] which does all the dirty work.

> Badly done external methods are more likely to open security holes.

Of course! I trust the Zope developers to be much more of a coder than me! :-)

>> I really hope I don't! :-) As Dieter said, my application is not a conventional Zope application.
> What is it instead? :)

Got you intrigued huh?? :-) It is a webmin/usermin-like suite for Linux. The approach is quite different, both commercially and architecturally. I am pretty sure it is probably the most "unconventional" use of Zope up to now. :-)

>> I could say that, for this project, I am using Zope:
>> - as a much safer alternative to CGI
> but not if compromised :)

Indeed!!
Re: [Zope] database connections from external method
Chris Withers wrote:
>> [zope -> ] (which btw I believe to be very secure)
> Then why do you consider it a risk?

I don't really. But when I present my security assessment report saying "Zope has never had a compromising security issue." I'll get the (expected) answer "Sooner or later, everything gets broken." and I will have to additionally demonstrate why compromising Zope (in terms of accessing the ZMI) will have minimum effect on the overall system operation.

>> I don't want him to be able to directly access (read/write) the database I am using. *AFAIK*, ZSQL Methods won't do for this.
> Then put constraints in on your database, or make the whole connection read-only.

I want to have full access rights on the database through the external methods.

> You're really buying nothing with all this other than wasting a lot of your time...

I really hope I don't! :-) As Dieter said, my application is not a conventional Zope application. I could say that, for this project, I am using Zope:
- as a much safer alternative to CGI
- for its templating machinery
- because it is built on Python and the project is based on Python
- I like Zope :-)

Thanks for your comments!
Vangelis
Re: [Zope] database connections from external method
Chris Withers wrote:
> Have a look at the ZSQL methods code, I remember this being pretty old and convoluted :-(

Ok, thanks! I'll take a look.

>> Well, I am running Zope under root privileges in "read-only" mode.
> What does this mean?

I am opening the ZODB in read-only mode, using the appropriate parameter in the conf file.

> What are you seeking to do or prevent?

I want a number of external methods to run with "root" privileges for performing specific tasks (older thread, "root privileges required", 27/7/2004).

>> If there is a Zope break-in,
> What does that mean?

I think of it as a break-in in the ZMI.

>> I want to minimize interference with the database.
> Which database?

I use a MySQL database for storing some info.

>> Also, since this will be a commercial product, keeping most of the code in compiled Python scripts is meaningful.
> As Jens already explained, .pyc's and .pyo's can be decompiled in a matter of minutes, so you're getting nothing for this worry other than finding debugging a pain ;-)

Yes, I fully understand the disadvantages, but I have dealt with the debugging with some custom exception handling/tracing. And, believe me, I don't have illusions about the secrecy offered by compiled Python scripts. :-)
Re: [Zope] database connections from external method
Dieter Maurer wrote:
> Vangelis Mihalopoulos wrote at 2005-10-19 12:22 +0300:
>> ...
>> I am thinking of using a Z Database Connection (mysql) from within an external method, without using Z SQL Methods, but can't figure out how I can "safely" do it
> Calling a "DA" object gives you a low level connection object (a "db" object). It has a "query" method. Calling it provides "safe" SQL execution.

Thanks, this is what I had in mind.

> From other posts, I understood that you want to do special things.

Yes, this is true.

> In such cases, reading the source is necessary

Yes, I know. But this would take me much more time than sending an email to the Zope list and getting quick help from experienced Zopistas, time that I unfortunately cannot afford. Of course, reviewing product code in other cases wasn't such a big overhead and I got my task done.

> -- and being prepared that things may change between releases...

Of course... :-)

> I follow the recommendation of others to use ZSQL methods...

I am loading the ZODB in read-only mode. If someone breaks into Zope (which btw I believe to be very secure) I don't want him to be able to directly access (read/write) the database I am using. *AFAIK*, ZSQL Methods won't do for this.

Thanks for your comments, helpful as always!
- Vangelis
Re: [Zope] database connections from external method
Tino Wildenhain wrote:
> The threading is handled by the ZDA, so you can use query() or whatever the method actually is.

I couldn't find a method like that... any hints?

> Otoh, what do you think you gain from circumventing ZSQL Methods?

Well, I am running Zope under root privileges in "read-only" mode. If there is a Zope break-in, I want to minimize interference with the database. Also, since this will be a commercial product, keeping most of the code in compiled Python scripts is meaningful.
[Zope] database connections from external method
Hi,

I want an external method to access a MySQL database on each call. For now, I open up a new connection on every call, but this probably won't scale much either in performance (a new connection on each call is quite an overhead) or availability (the number of open connections is restricted).

I am thinking of using a Z Database Connection (mysql) from within an external method, without using Z SQL Methods, but can't figure out how I can "safely" do it... It crossed my mind to take a peek at the Z SQL Method source, but I don't know if such an approach would be thread safe...

Any thoughts?

Thanks,
Vangelis
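An added example, not code from this thread or from Zope itself, covering the question in this post (reusing one connection safely across request threads instead of connecting on every call) and Chris's suggestion further up the page to make the whole connection read-only. The standard-library sqlite3 module stands in for MySQLdb so it runs offline; the ConnectionPool class, the table and the account rows are constructed for illustration, and with MySQLdb the connect() call, the placeholder style ("%s" rather than "?") and the read-only mechanism (a GRANT SELECT-only account) would differ.

```python
"""Added example (not from this thread, not Zope code): reusing database
connections from an External Method safely.  sqlite3 stands in for MySQLdb
so this runs offline; the pool, table and rows are constructed.
"""
import os
import pathlib
import queue
import sqlite3
import tempfile
import threading


class ConnectionPool:
    """Pre-opened connections handed out one at a time: each is used by
    exactly one thread at any moment, which is what makes reuse thread-safe."""

    def __init__(self, connect, size=4):
        self._pool = queue.Queue(maxsize=size)
        for _ in range(size):
            self._pool.put(connect())

    def query(self, sql, params=()):
        """Run one statement with bound parameters and return all rows."""
        conn = self._pool.get()          # blocks while every connection is busy
        try:
            rows = conn.execute(sql, params).fetchall()  # params never enter the SQL text
            conn.commit()
            return rows
        except Exception:
            conn.rollback()              # leave no half-done work on a shared connection
            raise
        finally:
            self._pool.put(conn)         # always hand it back, even on error


def make_sample_db():
    """Create a constructed sample database file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE accounts (login TEXT PRIMARY KEY, uid INTEGER);"
        "INSERT INTO accounts VALUES ('alice', 1000), ('bob', 1001);"
    )
    conn.commit()
    conn.close()
    return path


def open_pools(path):
    """(read-write pool, read-only pool) on the same database.  check_same_thread
    is off because pooled connections migrate between threads; the queue
    guarantees no two threads hold the same one at once."""
    rw = ConnectionPool(lambda: sqlite3.connect(path, check_same_thread=False))
    ro_uri = pathlib.Path(path).as_uri() + "?mode=ro"
    ro = ConnectionPool(lambda: sqlite3.connect(ro_uri, uri=True, check_same_thread=False))
    return rw, ro


def lookup_uid(pool, login):
    """Bound parameter: "alice' OR '1'='1" is a login that matches nothing."""
    rows = pool.query("SELECT uid FROM accounts WHERE login = ?", (login,))
    return rows[0][0] if rows else None


def write_is_rejected(pool):
    """True when the pool's connections refuse a write (read-only mode)."""
    try:
        pool.query("DELETE FROM accounts")
    except sqlite3.OperationalError:
        return True
    return False


def concurrent_lookups(pool, n=16):
    """Query from n threads at once through a pool smaller than n."""
    results, lock = [], threading.Lock()

    def worker(login):
        uid = lookup_uid(pool, login)
        with lock:
            results.append(uid)

    threads = [threading.Thread(target=worker, args=("alice" if i % 2 else "bob",)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


def run_demo():
    path = make_sample_db()
    rw, ro = open_pools(path)
    return {
        "alice": lookup_uid(rw, "alice"),
        "injection_attempt": lookup_uid(rw, "alice' OR '1'='1"),
        "ro_rejects_write": write_is_rejected(ro),
        "concurrent": concurrent_lookups(rw),
        "rows_after": rw.query("SELECT COUNT(*) FROM accounts")[0][0],
    }
```

run_demo() exercises all three points: the injection-shaped login returns None because the driver binds it as a value, sixteen threads share four connections without stepping on each other, and the DELETE through the read-only pool fails while the table keeps both rows. The pool is the part that matters for an External Method: hold it at module level so it survives across calls, and never keep a connection outside the query() method.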
[Zope] Pass index in a TAL path expr
Hello,

if "data" is a tuple (or list), how can I directly access its contents using path expressions, like in:

-- script "s":
return context.t(data=("one", "two", "three"))

-- template "t"

The above example gives a TypeError for the index... "options/data/0" is not correct. What should I set the path to?
Re: [Zope] DTML namespace problem (was: dtml-tree issue)
Just added __allow_access_to_unprotected_subobjects__ = 1 as an attribute of my class defined in an external Python script and it works fine. Thanks Tino!

Tino Wildenhain wrote:
> Hi,
> On Monday, 11.04.2005, 14:08 +0300, Vangelis Mihalopoulos wrote:
>> Andreas Jung wrote:
>>> You should *not* define classes inside PythonScripts. PythonScripts are restricted and don't provide the full functionality. Either use filesystem based code (Zope Product) or use simple Python datatypes as dictionaries in this case. An External Method behaves exactly the same.
>> I have not yet been involved in writing even the simplest Product and I will not do it now for such a trivial issue. I tried to return a dictionary,
>> - return {'a':1, 'b':2, 'c':3} --
>> but the DTML Doc fails with a KeyError.
> Use a dict and if you really need DTML... see the keyword "mapping" for and tags.
> If you want to return custom class objects into untrusted code (e.g. from external methods) you need to set security declarations on them - at least add the attribute:
> __allow_access_to_unprotected_subobjects=1
> (from top of head - just grep -r zopes source for the actual name)
> HTH
> Tino
Re: [Zope] DTML namespace problem (was: dtml-tree issue)
Andreas Jung wrote:
> You should *not* define classes inside PythonScripts. PythonScripts are restricted and don't provide the full functionality. Either use filesystem based code (Zope Product) or use simple Python datatypes as dictionaries in this case. An External Method behaves exactly the same.

I have not yet been involved in writing even the simplest Product and I will not do it now for such a trivial issue. I tried to return a dictionary,
- return {'a':1, 'b':2, 'c':3} --
but the DTML Doc fails with a KeyError. I was wondering if there was some "Zopish" way to do it that I don't know. I'm kinda desperate here :-)
[Zope] DTML namespace problem (was: dtml-tree issue)
Hello,

I have focused my problem on this: having a Python Script "testScript":

class obj:
    a = 1
    b = 2
    c = 3
return obj()

and a DTML Document "testWith":

--- ---

when I try to view the DTML Document, I get an "Unauthorized" Exception. I believe this has something to do with the security mechanism of Zope. What must I return from the Python Script in order for the DTML Document to work?

Thanks for any help
[Zope] dtml-tree issue
Hello,

I want to use dtml-tree. I want to populate this tree using an external method like this one:

getChildren(parent_id) => [child, child, child, ..]

where "parent_id" is a string and each child is a node (Python object). My problem is what kind of object must each node be, in order for the dtml-tree to work properly...

The dtml-method is like this (example, hierarchy of links):

I tried a dictionary, but I cannot retrieve the "LINK" in the branches_expr. I made a class in the External Method with attributes "LINK" and "TITLE", but I get unauthorized exceptions...

Thanks for any help,
Vangelis
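An added example, not code from this thread or from Zope, covering this dtml-tree question and the __allow_access_to_unprotected_subobjects__ fix reported at the top of the thread. The Node class, the sample hierarchy and the dsn value are constructed for illustration. The allowed() function is a simplified restatement of Zope's rule for unprotected attributes (underscore names always refused; otherwise the class declaration decides, either as one integer or as a dict of per-name flags), written so the effect of the declaration can be observed without a Zope instance; it is not Zope's own code.

```python
"""Added example (not from the thread, not Zope code): handing objects from an
External Method to DTML, with the security declaration scoped per attribute.
Node, get_children, allowed and the sample tree are constructed for this
illustration; allowed() restates Zope's rule in simplified form.
"""

# Constructed sample hierarchy: parent id -> [(id, title, link), ...]
SAMPLE_TREE = {
    "root": [("docs", "Documentation", "/docs"), ("admin", "Administration", "/admin")],
    "docs": [("install", "Installing", "/docs/install")],
    "admin": [("users", "Users", "/admin/users"), ("backup", "Backups", "/admin/backup")],
}

# Constructed connection string an External Method might carry around; it is
# exactly the kind of value that must not leak into a template.
BACKEND_DSN = "mysql://app:secret@dbhost/appdb"


class Node:
    """One dtml-tree node as an External Method might return it."""

    # Per-name whitelist: only these are reachable from untrusted code (DTML,
    # Python Scripts).  A bare "= 1" exposes every attribute instead.
    __allow_access_to_unprotected_subobjects__ = {"id": 1, "TITLE": 1, "LINK": 1}

    def __init__(self, node_id, title, link, dsn):
        self.id = node_id
        self.TITLE = title
        self.LINK = link
        self.dsn = dsn               # internal detail, not meant for templates

    def as_mapping(self):
        """Plain dict for the DTML 'mapping' keyword; needs no declaration."""
        return {"id": self.id, "TITLE": self.TITLE, "LINK": self.LINK}


class OpenNode(Node):
    """Same node with the blanket declaration from the first post."""
    __allow_access_to_unprotected_subobjects__ = 1


def get_children(parent_id, node_class=Node):
    """getChildren(parent_id) -> [Node, ...] for the tree's branches_expr."""
    return [node_class(i, t, l, BACKEND_DSN) for i, t, l in SAMPLE_TREE.get(parent_id, [])]


def allowed(obj, name):
    """Simplified stand-in for Zope's check on an unprotected attribute."""
    if name.startswith("_"):
        return False                 # Zope refuses underscore names regardless
    decl = getattr(type(obj), "__allow_access_to_unprotected_subobjects__", None)
    if decl is None:
        return False
    if isinstance(decl, dict):
        return bool(decl.get(name, 0))
    return bool(decl)


def visible_attrs(obj):
    """Which instance attributes a template could actually read."""
    return sorted(n for n in vars(obj) if allowed(obj, n))
```

With the dict form, visible_attrs() on a Node yields only LINK, TITLE and id; on an OpenNode the dsn shows up too, which is the cost of the blanket "= 1" the first post settled on. Returning as_mapping() instead sidesteps declarations entirely, since plain dicts need none.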
Re: [Zope] script python error
Maybe using quotes, e.g. RESP.redirect('/store_nic/consumables/test')

prabuddha ray wrote:
> What's wrong with the given Python script?
>
> request = container.REQUEST
> RESP = request.RESPONSE
> passwd = context.request.password1
> user = context.request.username,
> if(container.chkpwd(uname=user,pwd=passwd)):
>     RESP.redirect(/store_nic/consumables/test) // syntax error.
> else:
>     RESP.redirect(/store_nic/consumables/index_html)
>
> On Tue, 29 Mar 2005 19:07:00 +0200, Andreas Pakulat <[EMAIL PROTECTED]> wrote:
>> On 29.Mär 2005 - 05:39:42, prabuddha ray wrote:
>>> Thanks Jürgen, one tip I'm looking for is how to call Python scripts on any form event, i.e. like we call javascripts on the onclick or onsubmit or onchange events? thanks again.
>> You can't. Python and JavaScript are completely different things. JavaScript runs on the client side, whereas Python runs on the server. However, you probably can use your JavaScript to call a Python Script, but I wouldn't suspect that it works the same as with JavaScript alone. Python Scripts are executed when you send them a Request or by calling them from within another Python Script (or TAL or DTML statement)
>> Andreas
>> -- You have an ambitious nature and may make a name for yourself.
> -- Share the vision of difference with ME