'[Zope-Coders] [patch] z2.py on UNIX: security fixes + security enhancements'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       zope-coders
Subject:    [Zope-Coders] [patch] z2.py on UNIX: security fixes + security enhancements
From:       Behrens Matt - Grand Rapids <Matt.Behrens () Kohler ! Com>
Date:       2001-10-26 13:07:35
[Download RAW message or body]


The attached patch addresses the following issues in z2.py.  All these 
issues are related to ZServer being started as root on UNIX systems.  It 
does constitute something of a change to the startup process, but I've 
tried to make it be as non-intrusive as possible while still making sure 
the end-user is aware of what's going on.


Issue 1, the big one:  Z2.pid is written by the less-privileged user. 
This means Z2.pid can be changed by that less-privileged user, and root 
can be tricked into killing an arbitrary process by running "stop".

The first part of addressing this is moving the writing of Z2.pid up 
before the setuid call.  However, var needs to be writable by the 
less-privileged user in order for Zope to operate.  var being writable 
like this means that the less-privileged user can delete and re-create 
Z2.pid, and still trick root as above.  I solved this by forcing var to 
have the sticky bit set if ZServer is started as root.  Other solutions 
involved having to modify the start and/or stop scripts, which I didn't 
think would be cool for upgraders.


Issue 2:  'nobody' is not a good user to drop to, simply because other 
system daemons on some UNIXen as well as many third-party packages 
depend on it to have no permissions whatsoever.  The less-privileged 
user needs to have Data.fs read/write rights, so if any of these other 
daemons is compromised, Data.fs could be read.

The way this needs to be addressed is by encouraging the end-user to 
create a dedicated user to run Zope as.  To that end, I've removed 
'nobody' as the default and forced -u to be specified on the z2.py 
command line if you're starting as root.  -u nobody can still be 
specified, but it will issue a warning on startup.  Also, if z2.py is 
actually started as nobody, the same warning will be issued.


Issue 3:  The default UNIX umask, 022, means that any new files created 
in var will be created with read permissions for everyone on the system. 
  New files are created when the database is packed, as well as when 
gadfly is used.

If the umask is not set to 077, a warning is issued on startup.  There 
is probably legitimate reason to run with other umasks, so I didn't 
think it was proper to force ZServer to be run with my particular choice.


This patch also spits out INFO when it actually does the setuid.


This patch is against 2.4.1, although it cleanly applies to 2.4.2.  I'm 
sitting on the 2.4.2 update for OpenBSD (I'm maintaining that port) 
until there's a resolution of some kind that I can include with it.

-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture



["z2_py.diff.gz" (application/octet-stream)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic