On Mon, 18/09/2006 at 15.07 +0200, Bastian Blank wrote:
> Package: zope-common
> Version: 0.5.24
> Severity: grave
> Tags: security
>
> dzhandle make-instance creates files with owner zope which is executed
> as root by the init script. This gives this user the same rights as
> root.
>
> Bastian

I still do not understand... after start-up, zope uses the zope user. I've created a hacked product, with an __init__.py like this:

    import os; os.system("touch /tmp/abc.txt")

After start-up, the /tmp/abc.txt is owned by zope:zope, which is correct.

So, what are you talking about? Are /var/lib/zope2.9/instance/devel/bin/runzope and /var/lib/zope2.9/instance/devel/bin/zopectl the faulty scripts? If you want to write to them, then you must be within the zope group, and if the system administrator adds you to a system group he must know what he is doing.

Thanks,

--
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564
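An added example, not part of either message and not code from zope-common: one way to check for the condition the report describes, a file that root executes but that a non-root account owns or can write to, including its parent directories. The uid 104 and the file modes in the sample table are constructed; only the zopectl path comes from the thread.

```python
import os
import stat
from types import SimpleNamespace

def risky_for_root(st_uid, st_mode):
    """Reasons a non-root account could alter something that root executes."""
    reasons = []
    if st_uid != 0:
        reasons.append("owned by uid %d, not root" % st_uid)
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit(path, lstat=os.lstat):
    """Check the file and each parent directory up to /.

    A parent directory that a non-root user can write to lets that user
    replace the file, so the whole chain matters, not only the script.
    """
    findings = {}
    current = os.path.abspath(path)
    while True:
        st = lstat(current)
        reasons = risky_for_root(st.st_uid, st.st_mode)
        if reasons:
            findings[current] = reasons
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings

# Constructed sample: uid 104 stands in for the zope account; modes are assumed.
ZOPECTL = "/var/lib/zope2.9/instance/devel/bin/zopectl"
_ROOT_DIR = SimpleNamespace(st_uid=0, st_mode=0o040755)
SAMPLE = {p: _ROOT_DIR for p in
          ("/", "/var", "/var/lib", "/var/lib/zope2.9", "/var/lib/zope2.9/instance")}
SAMPLE.update({
    "/var/lib/zope2.9/instance/devel": SimpleNamespace(st_uid=104, st_mode=0o040775),
    "/var/lib/zope2.9/instance/devel/bin": SimpleNamespace(st_uid=104, st_mode=0o040755),
    ZOPECTL: SimpleNamespace(st_uid=104, st_mode=0o100750),
})

if __name__ == "__main__":
    for p, why in sorted(audit(ZOPECTL, lstat=SAMPLE.__getitem__).items()):
        print(p, "->", ", ".join(why))
```

On a live system, call `audit(path)` with the default `os.lstat` on each script the init script invokes.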