[Guido]
It's probably unavoidable that the log file is opened as root -- it's used to report "can't setuid()". :-)
[Toby]
That's what syslog is for.
It is good security practice that a daemon should *never* have a writeable file descriptor for its log file. If it does, and the daemon is compromised, an attacker can trivially cover his tracks by removing the incriminating evidence from the log file.
Well, there goes zLOG's MinimalLogger implementation. (This only holds for log files owned by root, right?) [Chris]
Pidfiles too.
Currently it is common practice for Zope's 'stop' scripts to be run as root. We can't allow the pid files to be written by non-root users, otherwise those users could trick root into killing an arbitrary process.
The current design, for whatever reason, writes the pidfile as *late* as possible. That's often bugged me, because there's a failure mode where the process dies before the pidfile is written; zdaemon restarts it over and over (that's what prompted my zdaemon hack proposal), and the stop script won't stop it. (And of course, being a very infrequent Zope user, I always forget how to set up the environment so that Zope will run correctly. Fortunately I never run it as root. :-)
The only real purpose to running as root is to be able to bind to low-numbered TCP ports.
IMO there are better solutions to the problems to which low-numbered ports are a common solution. Zope/ZSS never *needs* a low numbered port, and zope should never be started as root.
Correct.
(I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev)
I wish there were fewer lists. I can never decide which list is right. :-( --Guido van Rossum (home page: http://www.python.org/~guido/)
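The two pidfile points raised above (write the pidfile early, and never let a root-run stop script act on a pidfile that other users could have written) as an added Python example; this is not Zope's or zdaemon's code, and the file path, the 0644 mode and the "expected owner" check are assumptions.

```python
import os
import signal
import stat
from typing import Optional


def write_pidfile(path: str, pid: Optional[int] = None) -> int:
    """Write the pidfile before doing any work the process could die in.
    Created 0644 so only the owner (root, when started as root) can modify it."""
    pid = os.getpid() if pid is None else pid
    # O_TRUNC rather than O_EXCL so a stale pidfile left by a crash is overwritten.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(f"{pid}\n")
    return pid


def pidfile_is_trusted(path: str, expected_uid: int = 0) -> bool:
    """A stop script running as root should only honour a pidfile owned by the
    expected uid and writable by nobody else; otherwise an unprivileged user
    could make root signal an arbitrary pid."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink somebody planted
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def read_pid(path: str) -> Optional[int]:
    """Parse the pid, accepting only a plain positive integer above pid 1."""
    with open(path) as f:
        text = f.read().strip()
    if not text.isdigit() or int(text) <= 1:
        return None
    return int(text)


def stop_daemon(path: str, expected_uid: int = 0, sig: int = signal.SIGTERM) -> bool:
    """Signal the recorded pid only when the pidfile passes every check."""
    if not pidfile_is_trusted(path, expected_uid):
        return False
    pid = read_pid(path)
    if pid is None:
        return False
    try:
        os.kill(pid, sig)
    except ProcessLookupError:
        return False  # stale pidfile: the process is already gone
    return True
```

Signal 0 can be passed as `sig` to check liveness without stopping anything.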