It's in the docs already, nobody must have write permissions in the var directory.
<dtml-nitpick> The uid under which your webserver runs, which is often called 'nobody', must be able to read and write the 'var' directory. </dtml-nitpick>

As for this being an installation bug, I'm not sure if it is clear what permissions *should* be set on 'var' in the general case, given the possibility that Zope may be served through ZServer, Apache, AOLServer, etc, etc.

I've been thinking that it might be a Good Thing to have a zsanity.py script which asks some pertinent questions about how you will be running Zope, and checks for FFECs (Frequently Failed Environment Conditions) such as 'var' permissions, Python version/threading, unset master password, and so on.

Guess I just volunteered, hmm? PythonMethods have priority, but once they are ready I'll hit this if nobody else does.

Evan Simpson
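
A sketch of the 'var' permission check that a script like the proposed zsanity.py could run, given the uid and groups the server runs under. This is an added example, not code from the original post or from Zope; the function names and the extra world-writable warning are assumptions, and ACLs are ignored.

```python
import os
import stat
import tempfile


def access_for(path, uid, gids):
    """Return (read, write, search) for uid/gids on path, using the classic
    owner/group/other mode bits. Exactly one class applies, owner first."""
    st = os.stat(path)
    if uid == 0:
        return True, True, True  # root is not limited by directory mode bits
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def check_var(path, uid, gids):
    """Return a list of problems with the 'var' directory for the server uid."""
    if not os.path.isdir(path):
        return ["%s is not a directory" % path]
    problems = []
    r, w, x = access_for(path, uid, gids)
    if not (r and w and x):
        problems.append("uid %d lacks read/write/search on %s" % (uid, path))
    # Assumption added here: opening 'var' to every local user is a common
    # way to "fix" the first problem, so report it as a separate finding.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
        problems.append("%s is world-writable" % path)
    return problems


if __name__ == "__main__":
    # Constructed sample: a temporary directory standing in for 'var'.
    var = tempfile.mkdtemp()
    owner = os.stat(var)
    other_uid, other_gid = owner.st_uid + 1, owner.st_gid + 1
    for mode in (0o700, 0o770, 0o777):
        os.chmod(var, mode)
        print(oct(mode), check_var(var, other_uid, [other_gid]))
    os.rmdir(var)
```
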