Re: [Zope-dev] Can't edit CMF/Plone content if the creator is deleted
On Fri, 11 Oct 2002, Adrian Hungate wrote:

> I don't know if this is a Zope, CMF, Plone or DCWorkflow issue, but I just
> got bitten by what appears to be a bug in someone's security handling.
>
> If you create some content as user A, then delete user A, no one can edit
> the content, or change its ownership.

I suspect this is due to a Feature of the base Zope security. A user is only allowed to do things in the intersection of his privileges and those of the owner of the code being executed. Otherwise you have the same situation that having a '.' in your root path puts you in in unix.

--RDM

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Debugging conflict errors? Hints please!
> "SHH" == Stefan H Holek <[EMAIL PROTECTED]> writes:

SHH> Hi All! I am experiencing a lot of 'ZODB conflict error at
SHH> ...' that I can reliably reproduce by hitting my browser's
SHH> Refresh button at a high rate. The bad news is that the
SHH> conflicts happen on pages that are not supposed to change
SHH> anything in the ZODB but only display results of some SQL
SHH> queries. My question is now how to find out what actually is
SHH> causing the conflicts. The log entry refers to the page being
SHH> served ('/very/long/path/detail_view').

The debug log should show the oid that caused the conflict error. From the oid, you ought to be able to figure out what the object is -- class, etc. -- and then what transactions have modified that object.

Can anyone recommend a simple strategy for either of these two steps? There's got to be a good way to do it, but I'm not sure what the best way is.

I'd open the database in an interactive prompt:

    >>> db.open()[oid]

That would get me the object. Then I'd use fsdump to find all the transactions that include that oid. That would be a very manual process since I'd just grep the textual dump of the storage.

Jeremy
[Zope-dev] Re: [Zope] Unix: Vanishing Group Ids associated with Zope process ?
At 17:48 2002-10-11 +0200, Holger Blasum said:

>Hello *,
>
>I observed that under Debian woody, Zope 2.5.1 runs under the
>user id 'www-data'.
>
>The python OS command os.getgroups() gives me an empty list when called
>from an external method, although I had configured the user 'www-data'
>to be the member of several groups.
>
>If, on the other hand, I run python with my user id from the command
>line as a normal user, the command os.getgroups () gives me all the
>groups I am a member of (that's what I expected).
>
>Please enlighten.

The way that Zope changes user under the start up sequence doesn't change the groups.

I'm not sure if this was due to a bug in earlier Python, but there might be a fix/more info about this in the mail archives or on zope.org or even in the collector (haven't checked).

Got the same problems a while back trying to execute Qmail commands with external methods some while ago.

Regards,
Johan Carlsson

--
Torped Strategi och Kommunikation AB
Johan Carlsson
[EMAIL PROTECTED]
Mail: Birkagatan 9 SE-113 36 Stockholm Sweden
Visit: Västmannagatan 67, Stockholm, Sweden
Phone +46-(0)8-32 31 23
Fax +46-(0)8-32 31 83
Mobil +46-(0)70-558 25 24
http://www.easypublisher.com
http://www.torped.se
Re: [Zope-dev] Re: [Zope] Unix: Vanishing Group Ids associated with Zope process ?
On Fri, Oct 11, 2002 at 06:05:59PM +0200, Johan Carlsson [EasyPublisher] wrote:

> The way that Zope changes user under the start up sequence
> doesn't change the groups.

man 2 setgroups

should be called after (before?) the user id change in the Zope startup script.

it is called for you by PAM when you log in, AFAIK, this is why it works from your command line

hth

Jerome Alet
[Zope-dev] Thanks: Unix: Vanishing Group Ids associated with Zope process
Thanks Jerome, Johan,

> it is called for you by PAM when you log in, AFAIK, this is
> why it works from your command line

That was the missing bit. After following some blind alleys (pam-python seems to be only available for py 1.5 and os.setgroups() is only available in py 2.2) the solution was to run in /etc/init.d/zope 'su www-data -c 'zope-z2 ARGS'' instead of just 'zope-z2 ARGS' so that PAM is called by su.

I didn't even have to adjust the zope-z2 script because the os.setuid() is not called when it is not run as root.

Data.fs.lock and some other stuff in /var/lib/zope/var is now owned by www-data instead of root, so it is not necessarily best practice but works.

Have a nice weekend,

--
Holger Blasum
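An added example (not code from Zope or from any poster in this thread) of the privilege drop the thread is about: the supplementary group list and gid are set while the process is still root, the uid is changed last, and the result is verified. The function names, the injectable `osmod` parameter and the sample group table are assumptions made for illustration.

```python
import os

# Constructed sample of (name, gid, members) rows, shaped like grp.getgrall().
SAMPLE_GROUP_DB = [("www-data", 33, []), ("mail", 8, ["www-data"]),
                   ("staff", 50, ["holger"]), ("qmail", 200, ["www-data", "holger"])]


def supplementary_gids(user, primary_gid, group_db):
    """Every gid whose member list names `user`, plus the primary gid.

    On a real host pass
    [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()].
    """
    gids = {primary_gid}
    gids.update(gid for _name, gid, members in group_db if user in members)
    return sorted(gids)


def drop_privileges(uid, gid, groups, osmod=os):
    """Drop from root to (uid, gid, groups) and verify the result.

    Order matters: setgroups() and setgid() need root, so both must run
    before setuid(). If setuid() runs first, the process keeps whatever
    group list it inherited and can no longer change it.
    """
    if osmod.getuid() != 0:
        raise PermissionError("must start as root to change identity")
    osmod.setgroups(groups)   # 1. replace the supplementary group list
    osmod.setgid(gid)         # 2. primary group
    osmod.setuid(uid)         # 3. user id last; cannot be undone
    # Verify: a silent partial drop is worse than a failed start.
    if osmod.getuid() != uid or osmod.getgid() != gid:
        raise RuntimeError("uid/gid not changed")
    if sorted(set(osmod.getgroups())) != sorted(set(groups)):
        raise RuntimeError("supplementary groups not changed")
    try:
        osmod.setuid(0)       # must fail once the drop is complete
    except OSError:
        return groups
    raise RuntimeError("root can still be regained")
```

On a real system the uid and gid would come from `pwd.getpwnam(user)`; `os.initgroups(user, gid)` performs the group lookup and `setgroups()` call in one step where it is available.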
Re: [Zope-dev] MailHost.py does not set the "Date" header, who's bug?
From: "Craeg K Strong" <[EMAIL PROTECTED]>

> Here is my question. Should ZWiki, my web app, and everybody else's
> Zope-based web app in the world have to add "Date" headers?
> Or maybe MailHost should be smart enough to add a Date header with
> Date=now if Date is missing from the header...?

Indeed, reading in RFC 2822, the origination date-field is required, which means that the header munging done in MailHost should also look for a date header and add it if it doesn't exist.

Best Regards

Lennart Regebro, Torped
http://www.easypublisher.com/
Re: [Zope-dev] Zope-2.5.1 restart failed
Andre Schubert wrote:

    2002-10-11T06:01:00 ERROR(200) ZODB Couldn't load state for '\x00\x00\x00\x00\x00\x00\x00T'
    Traceback (innermost last):
      File /usr/share/zope/lib/python/ZODB/Connection.py, line 447, in setstate
      File /usr/share/zope/lib/python/ZODB/FileStorage.py, line 582, in load
        (Object: /var/zope/var/Data.fs)
      File /usr/share/zope/lib/python/ZODB/FileStorage.py, line 558, in _load
        (Object: /var/zope/var/Data.fs)
    ValueError: I/O operation on closed file

Yeah, I've seen this too. Is your zope running in a chroot'ed / jail'ed environment?

This is the only time I've seen it, should it be classed as a bug?

cheers,

Chris
[Zope-dev] Can't edit CMF/Plone content if the creator is deleted
I don't know if this is a Zope, CMF, Plone or DCWorkflow issue, but I just got bitten by what appears to be a bug in someone's security handling.

If you create some content as user A, then delete user A, no one can edit the content, or change its ownership.

I created a site as "manager" and created a bunch of content. Then I created the users that would actually be maintaining the content and deleted "manager" (It's far too easy to guess at). Suddenly, all updates started failing, and continued failing, until I re-created the "manager" user.

I have set the domain to 127.0.0.1 so the user can not log in, but I would really like to know if this is an intended security feature or a bug.

Any input would be appreciated.

Adrian...
[Zope-dev] Debugging conflict errors? Hints please!
Hi All!

I am experiencing a lot of 'ZODB conflict error at ...' that I can reliably reproduce by hitting my browser's Refresh button at a high rate. The bad news is that the conflicts happen on pages that are not supposed to change anything in the ZODB but only display results of some SQL queries.

My question is now how to find out what actually is causing the conflicts. The log entry refers to the page being served ('/very/long/path/detail_view'). As a matter of fact I am not even sure whether the log entry means that the 'detail_view' document has changed (which of course it hasn't), or something along the traversal path caused a ZODB write.

Zope 2.5.1, ZEO 1.0

Any hints on how I could find the culprit appreciated.

Thanks,
Stefan

--
Those who write software only for pay should go hurt some other field. /Erik Naggum/
Re: [Zope-dev] Debugging conflict errors? Hints please!
conflict errors do not imply conflicting writes by definition. there is a thing called "read conflict", which is probably what happens to you.

jens

On Friday, Oct 11, 2002, at 07:47 US/Eastern, Stefan H. Holek wrote:

> Hi All!
>
> I am experiencing a lot of 'ZODB conflict error at ...' that I can
> reliably reproduce by hitting my browser's Refresh button at a high rate.
> The bad news is that the conflicts happen on pages that are not supposed
> to change anything in the ZODB but only display results of some SQL
> queries.
>
> My question is now how to find out what actually is causing the
> conflicts. The log entry refers to the page being served
> ('/very/long/path/detail_view'). As a matter of fact I am not even sure
> whether the log entry means that the 'detail_view' document has changed
> (which of course it hasn't), or something along the traversal path caused
> a ZODB write.
>
> Zope 2.5.1, ZEO 1.0
>
> Any hints on how I could find the culprit appreciated.
>
> Thanks,
> Stefan
Re: [Zope-dev] MailHost.py does not set the "Date" header, who's bug?
From: "Lennart Regebro" <[EMAIL PROTECTED]>

> Indeed, reading in RFC 2822, the origination date-field is required, which
> means that the header munging done in MailHost should also look for a date
> header and add it if it doesn't exist.

A simple addition of:

    if not mo.getheader('Date'):
        mo['Date'] = DateTime().rfc822()

in _mungeHeaders did it. I'll check this in.

I did however find a possible bug in DateTime().rfc822(), see next post about that.

Best Regards

Lennart Regebro, Torped
http://www.easypublisher.com/
[Zope-dev] DateTime.rfc822() bug?
RFC 2822 (which is the currently valid one, if I understand correctly) specifies the date format to have four digit zone specifications, ie "GMT+0200", while DateTime.rfc822() happily returns "GMT+2".

Not that this seems to be any problem, I'm just looking for an answer if this is how it's supposed to be?

I discovered it, because Outlook Express handles RFC822 dates incorrectly and will display both the "Fri, 11 Oct 2002 13:47:03 GMT+0200" and "Date: Fri, 11 Oct 2002 13:47:03 GMT+2" as "2002-10-11 15:47". Obviously some programmer at Microsoft hasn't read the rfc properly. :-)

"The date and time-of-day SHOULD express local time. The zone specifies the offset from Coordinated Universal Time (UTC, formerly referred to as "Greenwich Mean Time") that the date and time-of-day represent."

While MS obviously thinks it represents GMT. Easy mistake to do, if you don't read the rfc...

Best Regards

Lennart Regebro, Torped
http://www.easypublisher.com/
Re: [Zope-dev] Debugging conflict errors? Hints please!
Yes, but AFAIK read conflicts mean that something has changed during a read. I do not expect this to happen either...

Stefan

--On Friday, 11 October 2002 07:54 -0400 Jens Vagelpohl <[EMAIL PROTECTED]> wrote:

> conflict errors do not imply conflicting writes by definition. there is a
> thing called "read conflict", which is probably what happens to you.
>
> jens

--
Those who write software only for pay should go hurt some other field. /Erik Naggum/