Filesystem Permissions for a Zope Install
Hey Guys, Got some angst about permissions on the server we have Zope installed on. Up to now, world has had read access to the entire Zope tree. We need to turn that off since there are users that can access this server that should not be allowed to peruse the Python code we've been writing. However, the only immediate alternative seems to be to add Apache to the "Zopeadmins" group we have, but that has read-write, and letting Apache have write is a potential security hazard. Can anyone with greater knowledge of the interaction of Zope and Apache tell me if I can be more selective about my permissions? And, more generally, how have other people solved these problems? Edward
Apache does not need access to the Zope filesystem tree (unless you are doing something unusual). Stefan
--On Friday, 16 May 2003 11:30 -0600 Edward Pollard <pollej@uleth.ca> wrote:
However, the only immediate alternative seems to be to add Apache to the "Zopeadmins" group we have, but that has read-write, and letting Apache have write is a potential security hazard.
-- The time has come to start talking about whether the emperor is as well dressed as we are supposed to think he is. /Pete McBreen/
On Fri, 2003-05-16 at 10:30, Edward Pollard wrote:
Up to now, world has had read access to the entire Zope tree.
Hmmm... can't see why you'd want to change *that*. :-)
However, the only immediate alternative seems to be to add Apache to the "Zopeadmins" group we have, but that has read-write, and letting Apache have write is a potential security hazard.
Apache needs access to the port Zope is running on and nothing else. Really, they don't even have to be on the same machine... or the same OS, for that matter. Unless you're doing something *highly* unusual, Apache needs exactly *zero* access to Zope files. There are a number of how-tos online with details on how to get Apache to function as a reverse proxy for Zope. Ignore the ones that make use of cgi wrappers and just go straight to RewriteRules. HTH, Dylan
However, the only immediate alternative seems to be to add Apache to the "Zopeadmins" group we have, but that has read-write, and letting Apache have write is a potential security hazard.
Apache needs access to the port Zope is running on and nothing else. Really, they don't even have to be on the same machine... or the same OS, for that matter.
Unless you're doing something *highly* unusual, Apache needs exactly *zero* access to Zope files.
We turned off world read and instantly got an error. This brought me great consternation in light of this advice. Further investigation reveals that we had set up the Zope process to run under the Apache user. Duh. This is probably poor form, and undoubtedly the cause of my error. Would it be wise to create a new unprivileged user for Zope processes, or is it just fine to cram Apache into the Zopeadmins group? This is probably getting academic, but I'd love some opinions on the subject. Edward
On Wednesday 21 May 2003 4:41 pm, Edward Pollard wrote:
This is probably poor form, and undoubtedly the cause of my error. Would it be wise to create a new unprivileged user for Zope processes, or is it just fine to cram Apache into the Zopeadmins group?
Unless you have a specific reason not to, a separate user id for zope is the way to go. If you are using zeo, give it a separate user id too. -- Toby Dickenson http://www.geminidataloggers.com/people/tdickenson
Edward Pollard wrote at 2003-5-21 09:41 -0600:
... Would it be wise to create a new unprivileged user for Zope processes, or is it just fine to cram Apache into the Zopeadmins group?
I would create a "zope" user and run "zope" as this user. "Data.fs" might contain sensitive data (e.g. passwords) and it is wise to restrict access to it. Dieter
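The separate-user and Data.fs advice in the replies above, as an added shell example that is not code from the thread or from Zope itself; the zope and apache account names and the /var/lib/zope/instance path are assumptions, and the real tree is only touched when run as root with the `apply` argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zope. Locks a Zope instance
# tree down to a dedicated "zope" account: world read is dropped everywhere,
# Data.fs becomes owner-only, and Apache is checked to be outside the group.
# Account names and the instance path are assumptions; override via env.
set -eu

ZOPE_USER="${ZOPE_USER:-zope}"
ZOPE_GROUP="${ZOPE_GROUP:-zope}"
APACHE_USER="${APACHE_USER:-apache}"
INSTANCE="${INSTANCE:-/var/lib/zope/instance}"

# Create the unprivileged daemon account once (system account, no login shell).
create_zope_user() {
    id "$ZOPE_USER" >/dev/null 2>&1 && return 0
    useradd --system --no-create-home --shell /sbin/nologin \
        --user-group "$ZOPE_USER"
}

# Return 0 if user $1 belongs to group $2 (primary or supplementary).
is_member() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Strip every "other" permission bit under $1; the owner (the zope user) keeps
# read/write, so var/ stays writable for the ZODB. Data.fs may hold passwords,
# so it gets 600 outright.
lockdown_tree() {
    chmod -R o-rwx "$1"
    [ -f "$1/var/Data.fs" ] && chmod 600 "$1/var/Data.fs"
    return 0
}

# Print every path under $1 still readable by "other"; empty output means clean.
find_world_readable() {
    find "$1" -perm -o+r -print
}

main() {
    create_zope_user
    chown -R "$ZOPE_USER:$ZOPE_GROUP" "$INSTANCE"
    lockdown_tree "$INSTANCE"
    # Apache only needs Zope's TCP port, never its files.
    if is_member "$APACHE_USER" "$ZOPE_GROUP"; then
        echo "warning: $APACHE_USER is in group $ZOPE_GROUP; remove it" >&2
    fi
    find_world_readable "$INSTANCE"
}
# Only touch the real instance when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then main; fi
```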
The generic answer to this question is to give each daemon its own user. This way, if one is compromised, the extent of the damage is (hopefully) limited. It may also be easier to audit / detect the results of an exploit. It's tough to know how much difference this actually makes, but it's a typical best practice. Dylan
Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope
participants (5)
- Dieter Maurer
- Dylan Reinhardt
- Edward Pollard
- Stefan H. Holek
- Toby Dickenson