Security Basics mailing list archives
Re: zope - plone security issues
From: Christos Gioran <himicos () freemail gr>
Date: Sat, 8 May 2004 21:57:34 +0300
On Saturday 08 May 2004 01:02, you wrote:
> On Fri, 7 May 2004, Christos Gioran wrote:
> > If you agree on this approach, is there any difference, security-wise, in compiling all programs in the chroot jail (all programs being zope, plone *and* python) statically or shared? If so, why?
[snip]
> the latest versions. Will you be using Plone as your base to develop from?
I'm not sure what you mean by that. If you are asking whether we plan to change from an Apache based (cgi-bin world) configuration to a Plone based one, the answer is yes. Please clarify.
> However, per your last point, I'd be interested to know if you're successful in chrooting zope. When I compiled and launched Zope 2.7.0, run as its own user (running on OpenBSD-3.3-stable), it always exits with a segmentation fault as soon as a web request is made. Crash. The only alternative was to launch as root temporarily and have it switch to its own user. rrgh. That's probably a security risk.
Done! Python 2.3.3 and Zope 2.7.0 are together in a chroot and requests are served properly. No problems (taking into consideration the complexity of a chroot attempt!!) so far, and hopefully none will appear.

As far as UIDs are concerned, if you want to bind to a low port (low<=1024) you have to be root. Afterwards, zope changes on its own. The default port is 8080, where a simple user (say zope) can listen. My current, somewhat clumsy and experimental, working configuration has a "runzope" script set as SUID for user zope. Thus, the service is started as:

    root shell#> chroot /path/to/jail /path/to/runzope

and starts running under the zope user ID. To bind to port 80 though, it *has* to be started as root. I hope I haven't misunderstood your question.

For the record, I am working on a RedHat 9 with stock kernel, gcc and glibc. Python is the latest, 2.3.3.

May I suggest doing a strace on the server to try and clarify the reason it crashes? I am not familiar with the BSD platform, but this is a general troubleshooting method and should give you some pointers.
> The Plone mailing list is quite busy, but I'm not aware of any online archives of it to search for more info. Personally I've found moving from the cgi-bin development model to Zope to be rather complicated. :)
If we get it moving, I will gladly share any experience. Don't hesitate to contact me for any further info, clarifications or whatever.

cheers
-- 
himicos
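The startup sequence discussed in this thread (bind a low port as root, chroot, then switch to the service user) is the part that is easy to get subtly wrong, and a SUID "runzope" script does not solve the port-80 case. The following launcher is an added example written for this archive page; it is not code from the thread, from Zope or from Plone. It assumes a jail at /srv/jail, an unprivileged account named zope, and that the jail already contains whatever the real daemon needs; the tiny HTTP responder at the end stands in for Zope. The order matters: the listening socket is created while still root and survives both the chroot and the uid change; chroot() itself needs root, so it happens before the drop; and after dropping, the launcher refuses to serve unless setuid(0) now fails, which catches the common mistake of using seteuid() and leaving saved-uid 0 behind.

```python
# Added example, not code from the thread: bind a privileged port as root,
# enter a chroot jail, drop to an unprivileged user, and verify the drop
# cannot be undone before serving anything.
#
# Assumed values (not from the original post): JAIL, SERVICE_USER, and that
# the jail contains what the daemon needs (a stand-in responder is used here).
import os
import pwd
import socket
import sys

JAIL = "/srv/jail"            # assumed jail path
SERVICE_USER = "zope"         # assumed unprivileged account
PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root (or CAP_NET_BIND_SERVICE) on Linux


def needs_root_to_bind(port):
    """Ports 1..1023 are privileged; 8080 is not, which is why an unprivileged
    start works on the default port but port 80 needs root."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def running_as_root():
    return os.geteuid() == 0


def bind_listener(port, host="0.0.0.0"):
    """Bind *before* chroot and the uid change: the open fd stays valid after both."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def enter_jail(path):
    """chroot() needs root, so it has to happen before the uid change.
    The final chdir("/") is essential: a cwd left outside the new root is a
    classic way to walk out of a chroot."""
    os.chdir(path)
    os.chroot(path)
    os.chdir("/")


def drop_privileges(uid, gid):
    """Give up root permanently: supplementary groups first, then gid, then uid
    (setuid last, because once it is done the gid could no longer be changed)."""
    if not running_as_root():
        # Already unprivileged, e.g. started on 8080 as the service user.
        if os.getuid() != uid:
            raise RuntimeError("running as the wrong unprivileged user")
        return
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)  # sets real, effective and saved uid: no way back to 0


def privileges_are_dropped():
    """True only if the process can no longer become uid 0. A daemon that used
    seteuid() instead of setuid() keeps saved-uid 0 and fails this check."""
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: the "drop" was reversible


def serve_forever(listener):
    """Stand-in for the real server process (Zope in the thread)."""
    while True:
        conn, _ = listener.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nok\n")


def main(port=80):
    if needs_root_to_bind(port) and not running_as_root():
        sys.exit("port %d needs root to bind; start as root and let the launcher drop privileges" % port)
    # Resolve the account before chroot: the jail need not carry /etc/passwd.
    pw = pwd.getpwnam(SERVICE_USER)
    listener = bind_listener(port)            # 1. bind while privileged
    enter_jail(JAIL)                          # 2. chroot while still root
    drop_privileges(pw.pw_uid, pw.pw_gid)     # 3. become the service user
    if not privileges_are_dropped():          # 4. refuse to serve if step 3 is reversible
        sys.exit("refusing to serve: still able to regain root")
    serve_forever(listener)


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Run as root with the port as the only argument (for example `python3 launcher.py 80`); started as the zope user on 8080 it skips the drop but still verifies that root cannot be regained. The same four steps apply whatever the real daemon is; what a SUID script cannot do is step 1, because the port is already bound by the time the SUID switch has happened.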
Current thread:
- zope - plone security issues Christos Gioran (May 07)
- Re: zope - plone security issues Kelly Martin (May 07)
- Re: zope - plone security issues Christos Gioran (May 10)
- Re: zope - plone security issues Kelly Martin (May 07)