On Fri, 2003-05-16 at 10:30, Edward Pollard wrote:
> Up to now, world has had read access to the entire Zope tree.

Hmmm... can't see why you'd want to change *that*. :-)

> However, the only immediate alternative seems to be to add Apache to the "Zopeadmins" group we have, but that has read-write, and letting Apache have write is a potential security hazard.

Apache needs access to the port Zope is running on and nothing else. Really, they don't even have to be on the same machine... or the same OS, for that matter. Unless you're doing something *highly* unusual, Apache needs exactly *zero* access to Zope files.

There are a number of how-tos online with details on how to get Apache to function as a reverse proxy for Zope. Ignore the ones that make use of cgi wrappers and just go straight to RewriteRules.

HTH,

Dylan
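
The RewriteRule approach described in the reply above, as an added example that is not part of the original message. The hostname, the loopback address and port 8080, and the presence of a VirtualHostMonster object in the Zope root are assumptions.

```apache
# Added example, not from the original message.
# Assumptions: Zope listens on 127.0.0.1:8080, the public name is
# www.example.com, and a VirtualHostMonster object exists in the Zope root
# so that URLs Zope generates use the public name.
# Requires mod_rewrite and mod_proxy (plus mod_proxy_http on Apache 2.x).
<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only: keep forward proxying off so Apache cannot be
    # used as an open proxy.
    ProxyRequests Off

    RewriteEngine On
    # [P] hands the request to mod_proxy. Apache reaches Zope over TCP and
    # never opens a file under the Zope directory tree.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

With a rule like this, the Apache user needs neither membership in the "Zopeadmins" group nor world read access on the Zope tree.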