Security Basics mailing list archives

Re: zope - plone security issues


From: Christos Gioran <himicos () freemail gr>
Date: Sat, 8 May 2004 21:57:34 +0300

On Saturday 08 May 2004 01:02, you wrote:
On Fri, 7 May 2004, Christos Gioran wrote:
If you agree on
this approach, is there any difference, security-wise, in compiling all
programs in the chroot jail (all programs being zope, plone *and* python)
statically or shared? If so, why?

[snip]
the latest versions. Will you be using Plone as your base to develop from?

I'm not sure what you mean by that. If you are asking whether we plan changing 
from an Apache based (cgi-bin world) configuration to a Plone based one, the 
answer is yes. Please clarify.

However per your last point, I'd be interested to know if you're
successful in chrooting zope. When I compiled and launched Zope 2.7.0, run
as its own user (running on OpenBSD-3.3-stable) it always exits with a
segmentation fault as soon as a web request is made. Crash. The only
alternative was to launch as root temporarily and have it switch to its
own user. rrgh. That's probably a security risk.

Done! Python 2.3.3 and Zope 2.7.0 are together in a chroot and requests are 
served properly. No problems (taking into consideration the complexity of a 
chroot attempt!!) so far and hopefully none will appear. As far as UIDs are 
concerned, if you want to bind to a low port (low<=1024) you have to be root. 
Afterwards, zope changes on its own. The default port is 8080 where a simple 
user (say zope) can listen. My current, somewhat clumsy and experimental, 
working configuration has a "runzope" script set as SUID for user zope. Thus, 
the service is started as:

root shell#> chroot /path/to/jail /path/to/runzope

and starts running under the zope user ID.

To bind to port 80 though, it *has* to be started as root. I hope I haven't 
misunderstood your question.

For the record, I am working on a RedHat 9 with stock kernel, gcc and glibc. 
Python is the latest 2.3.3.

May I suggest doing a strace on the server to try and clarify the reason it 
crashes? I am not familiar with the BSD platform, but this is a general 
troubleshooting method and should give you some pointers.

The Plone mailing list is quite busy, but I'm not aware of any online
archives of it to search for more info. Personally I've found moving from
the cgi-bin development model to Zope to be rather complicated. :)

If we get it moving, I will gladly share any experience. Don't hesitate to 
contact me for any further info, clarifications or whatever.

cheers

-- 
himicos
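The "start as root for port 80, then switch to the zope user inside the chroot" step discussed in this thread is where the privilege drop most often goes wrong. The following is an added example (not code from the thread, from Zope, or from any runzope script) of a launcher doing that step in the safe order: chroot and chdir while still root, clear supplementary groups, set gid before uid, then confirm root cannot be regained. The jail path and ids are assumptions supplied by the deployment; the privileged listening socket would be opened before calling this function, while still root.

```c
/* Added example, not from the thread: enter the jail and drop root
 * irrevocably, in the order that keeps the drop from being bypassable. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `jail` (skipped when NULL, since chroot() itself needs root) and
 * switch to uid/gid. Returns 0 on success, -1 with errno set on failure.
 * Order matters: chroot before dropping root, chdir so "." is inside the
 * jail, groups before gid before uid, then verify the drop is permanent. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (jail != NULL) {
        if (chroot(jail) != 0 || chdir("/") != 0)
            return -1;
    }
    /* Supplementary groups survive setuid(); clear them while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid first: setgid() needs the privilege setuid() is about to drop. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A saved-uid of 0 would let the process climb back; make sure it cannot. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    /* Hypothetical values: a real launcher would pass the jail path and the
     * zope user's ids; here we pass no jail and our own ids so it runs unprivileged. */
    if (enter_jail_and_drop(NULL, getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```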
