On Sunday 06 Oct 2002 4:56 pm, Chris McDonough wrote:
> It's probably unavoidable that the log file is opened as root -- it's used to report "can't setuid()". :-)

That's what syslog is for. It is good security practice that a daemon should *never* have a writable file descriptor for its log file. If it does, and the daemon is compromised, an attacker can trivially cover his tracks by removing the incriminating evidence from the log file.

> Pidfiles too.

Currently it is common practice for Zope's 'stop' scripts to be run as root. We can't allow the pid files to be written by non-root users, otherwise those users could trick root into killing an arbitrary process.

> The only real purpose to running as root is to be able to bind to low-numbered TCP ports.

IMO there are better solutions to the problems to which low-numbered ports are a common solution. Zope/ZSS never *needs* a low-numbered port, and Zope should never be started as root. (I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev.)
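The two hazards raised in this message (a root-run 'stop' script trusting a pidfile that a non-root user could have written, and a daemon that keeps running as root after its privileged setup) are illustrated below with an added example. This is not code from the thread, from Zope or from ZSS; the function names (`read_trusted_pid`, `stop_daemon`, `drop_privileges`, `exercise_pidfile_checks`), the pid value 4242 and the pidfile scenarios are constructed for the illustration. The pidfile check goes a little beyond the message: it also rejects symlinks and world-writable directories, since either lets an attacker swap the file without owning it.

```python
"""Added example (not from the original thread or from Zope/ZSS): a
root-run 'stop' script that refuses to signal a pid it cannot trust, and
the privilege-drop sequence a daemon would use after binding its port.
All names and the sample pid 4242 are hypothetical."""
import os
import pwd
import signal
import stat
import tempfile


class UntrustedPidfile(Exception):
    """The pidfile could have been written or replaced by someone other than the owner."""


def read_trusted_pid(path, owner_uid=0):
    """Return the pid stored in `path`, or raise UntrustedPidfile.

    Root must not kill whatever pid a non-root user wrote, so the file has to be
    a regular file (not a symlink), owned by `owner_uid`, writable only by that
    owner, and sitting in a directory where others cannot rename a file over it.
    """
    # O_NOFOLLOW makes the kernel refuse symlinks atomically; where the flag is
    # missing we fall back to a (racy) islink() check rather than no check at all.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    if not hasattr(os, "O_NOFOLLOW") and os.path.islink(path):
        raise UntrustedPidfile("%s is a symlink" % path)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise UntrustedPidfile("cannot open %s safely: %s" % (path, exc))
    try:
        st = os.fstat(fd)  # inspect the fd we will read, not a path that may have changed
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedPidfile("%s is not a regular file" % path)
        if st.st_uid != owner_uid:
            raise UntrustedPidfile("%s owned by uid %d, not %d" % (path, st.st_uid, owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedPidfile("%s is group- or world-writable" % path)
        data = os.read(fd, 32).strip()
    finally:
        os.close(fd)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        raise UntrustedPidfile("directory holding %s is world-writable" % path)
    if not data.isdigit() or int(data) <= 1:
        raise UntrustedPidfile("%s does not contain a usable pid" % path)
    return int(data)


def stop_daemon(path, owner_uid=0, sig=signal.SIGTERM, kill=os.kill):
    """Validate the pidfile first, then signal. `kill` is injectable so the flow
    can be exercised without actually signalling anything."""
    pid = read_trusted_pid(path, owner_uid)
    kill(pid, sig)
    return pid


def drop_privileges(username):
    """Give up root for good once the privileged setup (e.g. binding a low port)
    is done. Order matters: supplementary groups, then gid, then uid, because
    after setuid() the first two can no longer be changed. Needs root to run."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)  # must fail: the drop has to be irreversible
    except PermissionError:
        return pw.pw_uid
    raise RuntimeError("privilege drop did not stick")


def exercise_pidfile_checks(workdir=None):
    """Constructed scenarios: one acceptable pidfile and three that must be
    rejected. Returns a dict of scenario name -> outcome."""
    workdir = workdir or tempfile.mkdtemp()  # mkdtemp() creates a mode-0700 directory
    me = os.getuid()
    results = {}
    good = os.path.join(workdir, "good.pid")
    with open(good, "w") as f:
        f.write("4242\n")  # constructed pid
    os.chmod(good, 0o600)
    results["good"] = read_trusted_pid(good, me)

    loose = os.path.join(workdir, "loose.pid")  # anyone could rewrite this one
    with open(loose, "w") as f:
        f.write("4242\n")
    os.chmod(loose, 0o666)
    link = os.path.join(workdir, "link.pid")  # points at a fine file, but is a symlink
    os.symlink(good, link)
    junk = os.path.join(workdir, "junk.pid")  # not a pid at all
    with open(junk, "w") as f:
        f.write("1; rm -rf /\n")
    os.chmod(junk, 0o600)
    for name, path in (("world_writable", loose), ("symlink", link), ("garbage", junk)):
        try:
            read_trusted_pid(path, me)
            results[name] = "accepted"
        except UntrustedPidfile:
            results[name] = "rejected"

    sent = []
    stop_daemon(good, me, kill=lambda pid, sig: sent.append((pid, int(sig))))
    results["signalled"] = sent[0]
    return results


if __name__ == "__main__":
    print(exercise_pidfile_checks())
```

`drop_privileges` is only called for real by a daemon started as root; the scenarios function leaves it alone because it cannot succeed as an ordinary user. Note that the log-file point from the message is handled by simply not opening a log file at all: after the drop the daemon talks to syslogd over a socket, so there is no writable descriptor to abuse.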