Gary Shears wrote:
Also keep in mind that Zope does not run as "root", so if you are running on a Unix-like system such as Linux, even if Zope were fully compromised an intruder would still have to find a security hole in something else before it's possible to write to arbitrary files.
I just checked the perms on zope, and it's owned by root. Started it, looked at the processes owned by root (ps -u root) and 'python' shows up, with the same PID as Z2.pid. Is there an easy way to fix this? Thanks in advance.
Run ps -ef|grep python or ps auxww|grep python (depending on your system; the latter is preferred). Zope usually runs two processes: a process manager and the real server. The process manager runs as root and the real server, which actually handles the connections and talks to the file system, has many threads. So, if configured correctly, you should see one python process running as root and several others running as nobody (or whatever you configured the user to be). The process manager just restarts the real server automatically when it dies.

Shane
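A check built on the process layout described in the reply above, as an added example that is not part of the original thread: it parses `ps -eo user,pid,ppid,args` output and reports Zope python processes that run as root below the process manager, or a root process with no server under it. The sample output, the `z2.py` marker, the paths, the PIDs and the `nobody` account are constructed assumptions.

```python
# Constructed `ps -eo user,pid,ppid,args` samples; PIDs, paths and the
# "nobody" account are assumptions for illustration.
HEADER = "USER       PID  PPID COMMAND\n"
MANAGER = "root       812     1 /usr/bin/python /opt/zope/z2.py\n"
SAMPLE_OK = HEADER + MANAGER + (
    "nobody     813   812 /usr/bin/python /opt/zope/z2.py\n"
    "nobody     815   813 /usr/bin/python /opt/zope/z2.py\n"
    "root       901     1 /usr/sbin/sshd\n")
SAMPLE_ROOT_SERVER = HEADER + MANAGER + (
    "root       813   812 /usr/bin/python /opt/zope/z2.py\n")
SAMPLE_NO_SERVER = HEADER + MANAGER


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,args` output into a list of dicts."""
    procs = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 3)              # args may contain spaces
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        procs.append({"user": user, "pid": int(pid),
                      "ppid": int(ppid), "args": args})
    return procs


def audit(text, marker="z2.py"):
    """Return findings for processes whose command line contains `marker`."""
    zope = {p["pid"]: p for p in parse_ps(text) if marker in p["args"]}
    findings = []
    for p in zope.values():
        if p["user"] != "root":
            continue                             # unprivileged: nothing to flag
        if p["ppid"] in zope:
            # A root process below another Zope process is the real server
            # (or one of its threads), which should not be root.
            findings.append("pid %d: server process runs as root" % p["pid"])
        elif not any(c["ppid"] == p["pid"] for c in zope.values()):
            # A lone root process: no separate unprivileged server exists.
            findings.append("pid %d: root process has no child server" % p["pid"])
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_ROOT_SERVER", "SAMPLE_NO_SERVER"):
        print(name, audit(globals()[name]) or "ok")
```

On a live system, pass the captured output of `ps -eo user,pid,ppid,args` to `audit()` and adjust `marker` to match how the server is started there.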