Bug#388072: [Pkg-zope-developers] Bug#388072: zope-common - dzhandle make-instance produces non-root owned files which are executed as root

Fabio Tranchitella kobold at kobold.it
Mon Sep 18 14:13:37 UTC 2006


On Mon, 18/09/2006 at 15.07 +0200, Bastian Blank wrote:
> Package: zope-common
> Version: 0.5.24
> Severity: grave
> Tags: security
> 
> dzhandle make-instance creates files with owner zope which is executed
> as root by the init script. This gives this user the same rights as
> root.
> 
> Bastian

I still do not understand... after start-up, zope uses the zope user.
I've created a hacked product, with a __init__.py like this: 

import os; os.system("touch /tmp/abc.txt")

After start-up, the /tmp/abc.txt is owned by zope:zope which is correct.
So, what are you talking about?

Are /var/lib/zope2.9/instance/devel/bin/runzope
and /var/lib/zope2.9/instance/devel/bin/zopectl the faulty scripts? 
If you want to write to them, then you must be in the zope group, and
if the system administrator adds you to a system group, he must know what
he is doing.

Thanks,

-- 
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
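Whether the ownership reported above matters comes down to who can modify the files the init script runs as root before it switches to the zope user. The following audit is an added example for this thread, not code from the thread or from zope-common: it walks an instance bin/ directory (the default is the path quoted above) and reports every executable, and the directory itself, that root would run but a non-root owner or a group member could rewrite. The function names and the constructed sample directory are assumptions made for the example.

```python
import os
import stat
import tempfile

# Added example, not code from the thread or from zope-common.
# The default path is the instance bin/ directory quoted in the thread.
DEFAULT_BIN_DIR = "/var/lib/zope2.9/instance/devel/bin"


def unsafe_for_root_exec(path, root_uid=0):
    """Reasons why root running `path` hands control to a non-root principal.

    A file (or its containing directory) that the zope user or zope group can
    write is, in effect, root-executed code editable by that user or group.
    Returns an empty list when none of the conditions hold.
    """
    st = os.lstat(path)
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink; target can be repointed by whoever owns the link")
    if st.st_uid != root_uid:
        reasons.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable (gid %d)" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_bin_dir(bin_dir=DEFAULT_BIN_DIR, root_uid=0):
    """Map '.' (the directory) and each executable in it to its findings.

    Only entries with at least one finding are included. The directory is
    checked too: a writable directory lets its owner replace any file in it,
    whatever the file's own mode says.
    """
    findings = {}
    dir_reasons = unsafe_for_root_exec(bin_dir, root_uid)
    if dir_reasons:
        findings["."] = dir_reasons
    for name in sorted(os.listdir(bin_dir)):
        path = os.path.join(bin_dir, name)
        st = os.lstat(path)
        # Skip subdirectories and non-executables; the init script runs executables.
        if stat.S_ISDIR(st.st_mode) or not (st.st_mode & stat.S_IXUSR):
            continue
        reasons = unsafe_for_root_exec(path, root_uid)
        if reasons:
            findings[name] = reasons
    return findings


def running_as_root():
    """True when the current process has effective uid 0."""
    return os.geteuid() == 0


def build_sample_instance():
    """Constructed sample (assumption): a throwaway bin/ with the two scripts
    named in the thread. runzope is 0755 (writable only by its owner);
    zopectl is 0775, i.e. group-writable, which is what members of a shared
    'zope' group would get.
    """
    bin_dir = tempfile.mkdtemp(prefix="zope-bin-")
    for name, mode in (("runzope", 0o755), ("zopectl", 0o775)):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexec /usr/bin/true\n")
        os.chmod(path, mode)
    return bin_dir


if __name__ == "__main__":
    # Run against the constructed sample; pass a real instance bin/ to audit it.
    sample = build_sample_instance()
    for entry, reasons in audit_bin_dir(sample).items():
        print("%s: %s" % (entry, "; ".join(reasons)))
```

Run as a non-root user against the constructed sample, both scripts and the directory are reported, because none of them is owned by root; run as root, only the group-writable zopectl remains, which is the case the "zope group" remark above leaves open. The same checks apply to any file an init script executes before dropping privileges, not only the two named here.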

