zope and UNIX permissions
Donn Cave
donn at u.washington.edu
Tue Jul 11 12:43:35 EDT 2000
Quoth shikida at my-deja.com:
| We tried to install zope using its tar.gz file and it created a lot of
| files with non-default users and with very permissive permissions on a
| linux box (like 777 permissions for many files).
|
| This is a HUGE security hole. We couldn't install the RPMs files on our
| webserver. Is there any decent zope source code distribution?
I don't know about Zope, but if you unpack tar.gz files from the net
- as root and
- don't monitor which files are installed that way and
- don't change the ownerships and protections afterwards,
then you are the huge security hole. One way to handle this is
chown bin .; gzip -d -c bla-0.0.tar.gz | su bin -c 'tar xvf -'
then monitor the files as the tar proceeds. All files will be owned
by "bin" (per your UID scheme, not the author's), no file owned by
root can be overwritten, and permissions will be limited by umask value.
(You'd have to check that last one - I'm assuming tar on your platform
is implemented correctly, and then there's the question of what umask
value you get with su bin -c '...'.)
Donn Cave, University Computing Services, University of Washington
donn at u.washington.edu
More information about the Python-list
mailing list