Should I create a user, and group for zope install?

Where should I put the installation? "/usr/local/zope"

Should the user/group own Zope's entire directory structure?

In the documentation it says that the user that starts Zope must own the var directory. How do you know what user is being used to start Zope, and how do you control it? I did the compile using "root".

What kind of security implication is having root own the zope directory?

If I want to add additional components to zope like mysql, apache, and whatever--does this affect the user that zope runs under?

thanks,

Geoff Nordli
MCT, MCSE, Master CNE, CCA, MCP, A+
G Nordli & Associates
749 Robson Dr. Kamloops BC, V2E 2G7
Phone: 250-314-7354
E-mail to pager: 2503147354@pcs.cantelatt.com
E-mail: geoff@gnaa.net
I don't know about "should", so I can only tell you what I do. My Zope installation lives in '/home/Zope', which belongs to my normal login account 'evan' but group 'nobody' (and I have 'nobody' as a secondary group for 'evan'). Zope is started by the root, so it automatically runs as 'nobody'. I considered making a 'zope' user, but this way I can pop over to the Zope directory to add a Product, edit an Extension, or whatever without changing users. Of course, I'm the only administrator on this machine, so YMMV.
On Wed, 27 Oct 1999, Geoff Nordli wrote:

> Should I create a user, and group for zope install?
> Where should I put the installation? "/usr/local/zope"

/usr/local/zope is fine. And yes you could create a new user/group just for Zope.

> Should the user/group own Zope's entire directory structure?

Yes, even though it is not required, it certainly makes things easier. The exception is if you run Zope as root. In that case ZServer changes the process id to nobody for security reasons. Therefore your var directory and *all* the subdirectories/files should be owned by nobody including write permissions for nobody.

> In the documentation it says that the user that starts Zope must own the var directory. How do you know what user is being used to start Zope, and how do you control it? I did the compile using "root".

Zope will run as the user who started the process, i.e. the login user, unless that is root, in which case it will change to nobody.

> What kind of security implication is having root own the zope directory?

I do not know of any security problems having root own the zope dir, as long as the process is running as nobody.

> If I want to add additional components to zope like mysql, apache, and whatever--does this affect the user that zope runs under?

I suppose most of the services you mention have their own ideas about authentication, so you will need to explicitly deal with them anyway.

Regards
Pavlos
So if I was using a team model for development I would create a group called "zope". Insert all people who need access to the code into the zope group.

Add the new zope group, and user.

    groupadd zope
    adduser zope

Log in as the zope user:

    su zope

Unzip the tarball into the /usr/local/zope directory.

Change the permissions for zope directory to add the zope group to the entire directory

    chgrp zope /usr/local/zope -R
    chown zope /usr/local/zope -R

Change the permissions of the /usr/local/zope/Zope-2.0.1-src/var to allow root to modify files

    chgrp nobody /usr/local/zope/Zope-2.0.1-src/var -R

Now what about the permissions? They are different for the user, and group. How does one deal with this, or is this even a concern?

I would think that these docs should be added to the INSTALL.doc file to help out other people.

thanks,
geoff
-----Original Message-----
From: Pavlos Christoforou [mailto:pavlos@gaaros.msrc.sunysb.edu]
Sent: Wednesday, October 27, 1999 12:24 PM
To: Geoff Nordli
Cc: Zope List (E-mail)
Subject: Re: [Zope] what user and group to use for zope install
On Wed, 27 Oct 1999, Geoff Nordli wrote:

> So if I was using a team model for development I would create a group called "zope". Insert all people who need access to the code into the zope group.

I suppose you mean access to the source code of Zope. Otherwise for access to components *through* Zope you can set roles and permissions within Zope.

> to allow root to modify files
> chgrp nobody /usr/local/zope/Zope-2.0.1-src/var -R

No - since you are logged in as user zope when you start Zope, it will be running with UID zope. No need to do the above unless you are planning to su root and then start Zope as root.

> Now what about the permissions? They are different for the user, and group. How does one deal with this, or is this even a concern?

You could assign permissions, roles and access rights within Zope. Unless you have a team working on a Python Zope extension, you will not need to deal with permissions outside Zope.

Pavlos
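Added example (not part of the original thread and not Zope's own code): a check of the rule discussed above, that a process started by root ends up running as nobody while any other user keeps their own UID, followed by a walk of the var directory listing anything that run-time user could not write. It assumes the unprivileged account is named "nobody", considers only that user's primary group, and ignores ACLs.

```python
import os
import stat

ROOT_UID = 0

def effective_run_uid(start_uid, nobody_uid):
    """Rule stated in the thread: started by root -> runs as 'nobody';
    started by anyone else -> keeps that user's UID."""
    return nobody_uid if start_uid == ROOT_UID else start_uid

def can_write(st, uid, gids):
    """Classic owner/group/other check on stat data (ACLs are ignored)."""
    if uid == ROOT_UID:
        return True
    # Creating files inside a directory needs both write and search (x).
    need = 0o3 if stat.S_ISDIR(st.st_mode) else 0o2
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & need) == need

def unwritable_paths(var_dir, uid, gids):
    """Paths under var_dir (itself included) that uid cannot write to."""
    bad = []
    for dirpath, _dirs, files in os.walk(var_dir):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if not can_write(st, uid, gids):
                bad.append(path)
    return sorted(bad)

if __name__ == "__main__":
    import pwd
    import sys
    # Assumption: the unprivileged account is literally named "nobody".
    nobody_uid = pwd.getpwnam("nobody").pw_uid
    run_uid = effective_run_uid(os.getuid(), nobody_uid)
    gids = {pwd.getpwuid(run_uid).pw_gid}  # primary group only
    var_dir = sys.argv[1] if len(sys.argv) > 1 else "var"
    for path in unwritable_paths(var_dir, run_uid, gids):
        print("uid %d cannot write: %s" % (run_uid, path))
```

Run it as the account that will start Zope, passing the path to the var directory; an empty result means the run-time user can write everything under it.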
Participants (3): Evan Simpson, Geoff Nordli, Pavlos Christoforou