RE: [Zope-dev] Opinions wanted: clean installation (was distribut ion)
-----Original Message-----
From: Behrens Matt - Grand Rapids [mailto:Matt.Behrens@Kohler.Com]
Sent: 06 November 2001 13:12
To: tdickenson@geminidataloggers.com
Cc: Matt Behrens; zope-dev@zope.org
Subject: Re: [Zope-dev] Opinions wanted: clean installation (was distribution)
> Toby Dickenson wrote:
>
>> Do you really want products and extensions in VARDIR? To me they feel more like configuration, and less like data.
>>
>> My preference:
>>
>> XXX/etc/zope/INSTANCE/Products : containing symlinks to
>> XXX/lib/zope/AllZopeProducts : containing products
>>
>> My second preference:
>>
>> XXX/lib/zope/INSTANCE/Products : containing products
>>
>> But I really don't like:
>>
>> XXX/var/zope/INSTANCE/Products : containing products
>
> I think the biggest problem with this setup is that installation of additional products should be able to be done without permission to modify the base installation.

I don't think this is a problem, because of a complication that I haven't told you about yet.

I actually use two user accounts per instance, called "myinstance" and "myinstancemaster". Zope runs under the "myinstance" user account, and that user can only write to the equivalent of VARDIR. Any installation changes are performed under "myinstancemaster".

The "myinstancemaster" user can write to the equivalent of XXX/etc/zope/INSTANCE for his own instance, where he can create symlinks to common products, symlinks to his own products, or indeed create whole product directories for things that will never be shared between different instances. I also allow the instancemaster to choose which version of Zope to use, with a symlink in the equivalent of the XXX/etc/zope/INSTANCE directory.

> There is work afoot to make products installable TTW, too, so the running user must have permission to install his own products for this to work properly.

That is a very bad idea from a security point of view, for the same reason that we don't allow TTW editing of external methods. For the same reason, I do not allow the "myinstance" user (the user of the Zope process) to write to the Extensions directory where external methods are stored.

> Given this, VARDIR is really the only hierarchy we can count on to be writable at all (BINDIR/LIBDIR should be writable only at OS-level package installation time, and ETCDIR can be locked down by the sysadmin for normal operation).

That's true if ETCDIR==/etc and LIBDIR==/lib, but I had been assuming that was unlikely. Had you not?

Indeed, I don't think that works in your proposal. Zope needs to write inituser while it is running, if that file is ever to be of use. I also think it's unlikely we would want to lock the 'access' file so tightly.

As for VARDIR==/var.... well, maybe.
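As an added example (not code from Zope or from either poster), the POSIX shell script below lays out one instance the way the two-account split above describes and then checks the invariant the scheme depends on: nothing the Zope process can write is on its code path (Products, Extensions, the Zope tree), while the var/ tree is the one place it may write. The account names "myinstance"/"myinstancemaster", the shared group, the Zope version string, the prefix and the db/log/inituser placement under var/ are assumptions for illustration; ownership is only changed when the script runs as root and both accounts exist, the mode bits are set regardless.

```shell
#!/bin/sh
# Added example for this thread; not code from Zope or from either poster.
# Runtime account ("myinstance") may write only under var/zope/INSTANCE; the
# master account ("myinstancemaster") owns etc/zope/INSTANCE, including the
# Products links, the Extensions directory and the symlink selecting the Zope
# version. Account names, group, version string and prefix are assumptions.

set -eu

# make_instance PREFIX INSTANCE ZOPE_VERSION
make_instance() {
    prefix=$1; inst=$2; ver=$3
    run_user=$inst                 # assumed runtime account
    master_user="${inst}master"    # assumed install/master account
    grp=$inst                      # assumed group containing both accounts
    lib="$prefix/lib/zope"
    etc="$prefix/etc/zope/$inst"
    var="$prefix/var/zope/$inst"

    # Shared software tree: written only at package-install time.
    mkdir -p "$lib/AllZopeProducts" "$lib/Zope-$ver/lib/python"
    # Per-instance configuration: product links, external methods, Zope choice.
    mkdir -p "$etc/Products" "$etc/Extensions"
    rm -f "$etc/zope"
    ln -s "../../../lib/zope/Zope-$ver" "$etc/zope"   # relative: $prefix/lib/zope/Zope-$ver
    # Runtime data: database, logs, and (assumed) the inituser file Zope
    # consumes at start, since var/ is the only tree the process may write.
    mkdir -p "$var/db" "$var/log"

    # Master-owned trees: group may read and traverse, only the owner may write.
    chmod 755 "$lib" "$lib/AllZopeProducts" "$lib/Zope-$ver"
    chmod 750 "$etc" "$etc/Products" "$etc/Extensions"
    # Runtime-owned tree: the one place the Zope process may write.
    chmod 750 "$var" "$var/db" "$var/log"

    # Ownership split, applied only as root with both accounts already created.
    if [ "$(id -u)" -eq 0 ] && id "$master_user" >/dev/null 2>&1 \
        && id "$run_user" >/dev/null 2>&1; then
        chown -R "$master_user:$grp" "$etc"
        chown -R "$run_user:$grp" "$var"
    fi
}

# link_product PREFIX INSTANCE PRODUCT: expose one shared product to an
# instance by symlink (Toby's first preference); done by the master account.
link_product() {
    rm -f "$1/etc/zope/$2/Products/$3"
    ln -s "../../../../lib/zope/AllZopeProducts/$3" "$1/etc/zope/$2/Products/$3"
}

# writable_by_others DIR: true if DIR carries the group or world write bit,
# which would let the runtime account (same group) drop code into it.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_instance PREFIX INSTANCE: returns 0 if the permission split holds.
check_instance() {
    etc="$1/etc/zope/$2"; var="$1/var/zope/$2"
    for d in "$1/lib/zope" "$etc" "$etc/Products" "$etc/Extensions"; do
        [ -d "$d" ] || { echo "missing $d"; return 1; }
        if writable_by_others "$d"; then
            echo "$d is group/world writable: the Zope process could install code there"
            return 1
        fi
    done
    [ -d "$var" ] && [ -w "$var" ] || { echo "$var is not a writable directory"; return 1; }
    # The version symlink must point at a real Zope tree.
    [ -d "$etc/zope/lib/python" ] || { echo "$etc/zope does not point at a Zope tree"; return 1; }
    # Every product link must resolve, or Zope fails to import it at start.
    for p in "$etc"/Products/*; do
        if [ -L "$p" ] && [ ! -e "$p" ]; then
            echo "dangling product link $p"; return 1
        fi
    done
    return 0
}

# Usage: sh <this script> PREFIX INSTANCE ZOPE_VERSION
if [ $# -eq 3 ]; then
    make_instance "$1" "$2" "$3"
    check_instance "$1" "$2" && echo "$2 under $1: permission split holds"
fi
```

The check inspects mode bits only, so on a real host also confirm that etc/zope/INSTANCE is owned by the master account and var/zope/INSTANCE by the runtime account; with a shared group and 750 on the configuration tree, the Zope process can read and import products but cannot add or alter them, which is the property Toby relies on for Extensions as well.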
Toby Dickenson wrote:

> From: Behrens Matt - Grand Rapids [mailto:Matt.Behrens@Kohler.Com]
>
>> I think the biggest problem with this setup is that installation of additional products should be able to be done without permission to modify the base installation.
>
> I don't think this is a problem, because of a complication that I haven't told you about yet.
>
> I actually use two user accounts per instance, called "myinstance" and "myinstancemaster". Zope runs under the "myinstance" user account, and that user can only write to the equivalent of VARDIR. Any installation changes are performed under "myinstancemaster".

I'm worried that the dual-user setup is too complicated and results in too little of an integrity gain to make it the default. The instance user is trusted with a lot -- for example, if you can compromise the instance user, you can easily grab administrative passwords to the instance, as well as walk clear around all security implemented in the ZODB. Any bad code that gets inserted (which would have to be inserted either by a lax admin or by some sort of instance user compromise) would run as the instance user, which is already compromised.

>> There is work afoot to make products installable TTW, too, so the running user must have permission to install his own products for this to work properly.
>
> That is a very bad idea from a security point of view, for the same reason that we don't allow TTW editing of external methods.

I went and read up a little more on the proposal (<http://dev.zope.org/Wikis/DevSite/Proposals/ProductInstallationSystem>) and actually it looks like the path that they're taking is downloading the package, then having the user run a script outside of Zope before restarting to do the actual install. So disregard what I said before, it really isn't an issue :-)

>> Given this, VARDIR is really the only hierarchy we can count on to be writable at all (BINDIR/LIBDIR should be writable only at OS-level package installation time, and ETCDIR can be locked down by the sysadmin for normal operation).
>
> That's true if ETCDIR==/etc and LIBDIR==/lib, but I had been assuming that was unlikely. Had you not?

It won't be the default for a source distribution, certainly, but the OpenBSD-distributed port and package will definitely go that way, since that's how we define our hierarchy. Plus the administrator should have the option.

> Indeed, I don't think that works in your proposal. Zope needs to write inituser while it is running, if that file is ever to be of use. I also think it's unlikely we would want to lock the 'access' file so tightly.

Yes, I'd forgotten about that. inituser is just deleted after it's merged into the ZODB, right? Then it should probably go somewhere in the VARDIR/zope/INSTANCE hierarchy.

> As for VARDIR==/var.... well, maybe.

Again, not default for a source dist, but the capability should be there. I won't back a proposal to change the installation if I can't make it work for the reason I want it to work in the first place :-)

I am thinking of making a wiki re all this... good idea?

I have some more points on symlinking Products and think this e-mail is too long already...

-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture