Created
July 30, 2013 13:58
People mostly want an efficient concurrent pool of workers for OpenERP for SaaS usage where several company databases are hosted on the same OpenERP server (so with Gunicorn or Circus).
But OpenERP has a number of evals where the OpenERP admin user can inject arbitrary code. That is especially true when advanced users want to customize their reports, which is mostly done using evaling reporting engines.
A typical exploit here would be to eval a database connection to other SaaS databases and do whatever the fuck they want with it (steal the data, hack it, etc...)
So at Akretion we don't do shared hosting of OpenERP because of this obvious security hole, a precaution that is not taken by everybody...
Developing efficient "non evaling" reporting technology (Jinja2 sandbox etc..) can be done but obviously OpenERP won't be rewritten secured overnight (there is no chance that the terrible RML technology gets that, for instance).
So the only way I see unleashed shared OpenERP hosting (way cheaper because it optimizes the RAM and CPU sharing) working properly is if we can somehow have the master process switch, say, a Circus worker's user before it serves its request. We would typically read what database this worker has to serve, then somehow map the database to a specific Unix user, and then switch the worker to that user before serving the request.
Can this be achieved safely with Gunicorn or Circus?
Thanks
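A sketch of the per-database user switch asked about above, as an added example that is not part of the original gist and is not Gunicorn or Circus code. The database names, the uid/gid values and the function names are hypothetical; the drop only succeeds when the parent runs as root, and otherwise the request is refused.

```python
import os

# Assumed mapping (constructed): one dedicated Unix uid/gid per tenant database.
TENANT_IDS = {"acme_prod": (20001, 20001), "globex_prod": (20002, 20002)}


def resolve_tenant(db_name):
    """Return (uid, gid) for a database; unmapped names and root are refused."""
    uid, gid = TENANT_IDS[db_name]      # KeyError for an unmapped database
    if uid == 0 or gid == 0:
        raise ValueError("a tenant must never map to root")
    return uid, gid


def drop_privileges(uid, gid):
    """Permanently become uid/gid. Order matters: groups, then gid, then uid."""
    os.setgroups([])                    # discard root's supplementary groups
    os.setgid(gid)                      # must happen while still root
    os.setuid(uid)                      # as root this also sets the saved uid
    try:
        os.setuid(0)                    # verify there is no way back
    except PermissionError:
        return
    raise RuntimeError("privilege drop was reversible")


def serve_as_tenant(db_name, handler):
    """Run handler(db_name) in a one-shot child owned by the tenant's user.

    The drop cannot be undone, so a long-lived worker cannot switch users
    per request; a fresh child is forked for each one. Returns the child's
    exit code: 0 on success, 1 if the drop or the handler failed.
    """
    uid, gid = resolve_tenant(db_name)  # resolved in the parent, before fork
    pid = os.fork()
    if pid == 0:                        # child
        try:
            drop_privileges(uid, gid)
            handler(db_name)
            os._exit(0)
        except BaseException:
            os._exit(1)                 # fail closed: never serve as root
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else 1
```

The uid change only affects checks the kernel makes after the drop. File descriptors, open database connections and credentials already in the parent's memory at fork time stay reachable by eval'd code in the child.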
Why is that? You can have the DB connection info as startup options.
You're getting a bit out of the scope. If you want true isolation, and can't trust admins, don't share the host in the first place.