20 Mar 2000, 10:36 a.m.
1) Set up Zope to run as its own user (e.g. user 'zope') instead of user 'nobody'
2) Add a crontab job to copy the /etc/shadow file to where Zope can see it, changing ownership to user zope and removing group and other permissions.
This makes the shadow password suite worthless. Assuming read-only access to /etc/shadow, it's better to use a simple wrapper program that can do the access. This program should be carefully designed to not allow arbitrary input to compromise security.

One example is checkpassword (not for non-root programs), which is located at http://cr.yp.to/checkpwd.html. It's designed primarily to get a simple interface to various authentication schemes, but may be used as an example.

Regards,
Frank
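The input handling such a wrapper needs, as an added example (not from the original message, and not checkpassword's own code). It parses the checkpassword-style request, `login\0password\0timestamp\0` in at most 512 bytes, and rejects anything malformed before a lookup would happen; `cp_parse`, `LOGIN_MAX` and the login allow-list are assumptions of this example, and the shadow lookup itself is not shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CP_MAX 512   /* checkpassword accepts at most 512 bytes of input */
#define LOGIN_MAX 32 /* assumed limit for this example */

struct cp_request { const char *login, *password, *timestamp; };

/* Return the field starting at *pos if it is NUL-terminated inside buf[0..len),
 * advancing *pos past the terminator; NULL if the terminator is missing. */
static const char *next_field(const char *buf, size_t len, size_t *pos)
{
    const char *start = buf + *pos;
    const char *end = (*pos < len) ? memchr(start, '\0', len - *pos) : NULL;
    if (end == NULL)
        return NULL;
    *pos = (size_t)(end - buf) + 1;
    return start;
}

/* Parse "login\0password\0timestamp\0"; 0 on success, -1 on any violation. */
int cp_parse(const char *buf, size_t len, struct cp_request *req)
{
    size_t pos = 0, n;

    if (buf == NULL || req == NULL || len == 0 || len > CP_MAX)
        return -1;
    if ((req->login = next_field(buf, len, &pos)) == NULL ||
        (req->password = next_field(buf, len, &pos)) == NULL ||
        (req->timestamp = next_field(buf, len, &pos)) == NULL)
        return -1;
    n = strlen(req->login);
    if (n == 0 || n > LOGIN_MAX || req->login[0] == '-')
        return -1;
    /* Allow-list: the login is later used as a lookup key, so no ':' or '/'. */
    if (strspn(req->login, "abcdefghijklmnopqrstuvwxyz0123456789_.-") != n)
        return -1;
    return req->password[0] != '\0' ? 0 : -1;
}

int main(void)
{
    static const char ok[] = "zopeuser\0s3cret\0Y123";   /* constructed sample */
    static const char bad[] = "root:x\0pw\0ts";          /* constructed sample */
    struct cp_request r;
    printf("ok=%d bad=%d\n", cp_parse(ok, sizeof ok, &r), cp_parse(bad, sizeof bad, &r));
    return 0;
}
```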