Tino Wildenhain wrote:
I want to have full access rights on the database through the
external methods.
Usually you don't want that.
Yes, usually I don't.
Sane security constraints on the database save you a lot of mistakes if done
right. You can also use views and stored
functions to further tighten your security.
Really, this reasoning may apply to regular projects.
For my case, let me explain:
- Say, you want to read/write a DB through Zope.
- You have a read-only ZODB, so you cannot change anything.
- The user-folder is based on an external authentication mechanism.
- A Zope security hole comes up, which gives you all permissions within
Zope.
- You want to minimize the casualties of this attack.
I think database constraints are not applicable for this scenario. Also,
I don't want any application logic within the database, so stored
procedures are not an option either. I believe that using ZSQLmethods
for this setup will/might allow an attacker to:
- retrieve information about the database (schema-wise) [ <- not so
important]
- retrieve/modify records [ <- much more important ]
I (maybe falsely) think of Zope as a "sandbox" environment. I cannot
"operate" as root within this sandbox, so I need external methods. Why
not move all my "non-restricting"/"privileged" actions outside this
sandbox, so that if someone breaks into the sandbox I might stand a better
chance to keep him there for a while longer? Following this reasoning, I
created a single external method [a true SPOF :-) ] which does all the
dirty work.
Badly done external methods are more likely to open security holes.
Of course! I trust the Zope developers to be much more of a coder than
me! :-)
I really hope I don't! :-) As Dieter said, my application is not a
conventional Zope application.
What is it instead? :)
Got you intrigued huh?? :-)
It is a webmin/usermin-like suite for Linux. The approach is quite
different, both commercially and architecturally. I am pretty sure it is
probably the most "unconventional" use of Zope up to now. :-)
I could say that, for this project, I am using Zope:
- as a much safer alternative to CGI
but not if compromised :)
Indeed!!
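
Added example, not part of the original thread or the poster's code: one way a single privileged entry point like the external method discussed above can keep a caller who already controls the Zope side from running arbitrary SQL, by accepting only named operations with bound, validated parameters. The table, operation names and shell list are assumptions made for the illustration; a caller with full Zope permissions can still invoke the gateway, but only these operations.

```python
import sqlite3

# Hypothetical allowlist: operation name -> (fixed SQL, required parameter names).
# Table and operation names are constructed for this example.
OPERATIONS = {
    "get_user": ("SELECT login, shell FROM accounts WHERE login = :login", ("login",)),
    "set_shell": ("UPDATE accounts SET shell = :shell WHERE login = :login", ("login", "shell")),
}
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/sbin/nologin"}


class GatewayError(Exception):
    """Raised when a request falls outside the allowlist."""


def make_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (login TEXT PRIMARY KEY, shell TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "/bin/bash"), ("bob", "/bin/sh")])
    conn.commit()
    return conn


def db_gateway(conn, operation, **params):
    """Single entry point, as an external method would be: named operations only."""
    if operation not in OPERATIONS:
        raise GatewayError("unknown operation: %r" % (operation,))
    sql, required = OPERATIONS[operation]
    if set(params) != set(required):
        raise GatewayError("expected parameters %s" % (required,))
    if not all(isinstance(v, str) and 0 < len(v) <= 64 for v in params.values()):
        raise GatewayError("parameters must be short non-empty strings")
    if "shell" in params and params["shell"] not in ALLOWED_SHELLS:
        raise GatewayError("shell not permitted")
    cur = conn.execute(sql, params)  # values are bound, never spliced into the SQL text
    if sql.startswith("SELECT"):
        return cur.fetchall()
    conn.commit()
    return cur.rowcount
```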