Run Zope under nobody or real user?
Hi, Can anyone explain the advantages (if any) of running Zope under a real user instead of under nobody? TIA, Itai -- -- Itai Tavor -- "Je sautille, donc je suis." -- itai@optusnet.com.au -- - Kermit the Frog -- -- 'Supposing a tree fell down, Pooh, when we were underneath it?' -- -- 'Supposing it didn't,' said Pooh after careful thought. --
Then you can log on as that user, it makes upgrading via FTP and SSH/telnet so easy! All the permissions are set correctly.
From: Itai Tavor <itai@optusnet.com.au> Date: Thu, 3 May 2001 09:16:00 +1000 To: zope@zope.org Subject: [Zope] Run Zope under nobody or real user?
Yeah, this is an advantage... in this case, I could just run it as myself. But isn't this a security risk? If anyone gets my password, they get full access to the server. If zope is running under user 'zope' who is not allowed to log in, you'd need to manage to become root to do any damage - which is the same as when zope is running under nobody.
That's what I imagined people are doing - using a user who does not log in.
marc lindahl wrote:
Then you can log on as that user, it makes upgrading via FTP and SSH/telnet so easy! All the permissions are set correctly.
Well, what I did was, make a user zope, whose home directory is /usr/local/zope, then put zope there. Made the user zope have the same security as the user 'nobody', except allowed logins. 'Nobody' can't do much, neither could 'zope' in this way. Using proftpd, and SSH, you can limit the login, for example, to only certain IP addresses, which would limit the exposure. Or, you could run those services on a weird port number, and so on. Typical security stuff, should be worked in with overall security scheme.
A really great How-to which discusses hands-on the why and wherefore of root vs. user vs. nobody Zope is:
http://www.zope.org/Members/mcdonc/HowTos/HowTos/zopeinstall/ZOPE-INSTALL-HOWTO
It made me want to do a fresh install __properly__ as described.[thanks]
- Jason
___________________________________________________________
Jason CUNLIFFE = NOMADICS['Interactive Art and Technology']
Thanks! The setup suggested in the howto does seem very good, think I'll adopt it. -- -- Itai Tavor -- "Je sautille, donc je suis." -- itai@optusnet.com.au -- - Kermit the Frog -- -- 'Supposing a tree fell down, Pooh, when we were underneath it?' -- -- 'Supposing it didn't,' said Pooh after careful thought. --
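The three choices weighed in this thread (a real login user, a dedicated 'zope' user, and the shared 'nobody' account) can be told apart from the account database. The following is an added example, not part of any poster's message or of the Zope how-to; the passwd/shadow entries are constructed, and the account names zopeftp and alice are hypothetical.

```python
# Added example: audit which kind of account a daemon such as Zope runs as.
# All passwd/shadow entries below are constructed sample data.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
zope:x:998:998:Zope service:/usr/local/zope:/usr/sbin/nologin
zopeftp:x:1001:1001:Zope with login:/usr/local/zope:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
zope:!:19000:0:99999:7:::
zopeftp:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
"""

def load_accounts(passwd_text, shadow_text):
    """Join passwd and shadow entries into {name: {uid, home, shell, pw}}."""
    pw = dict(line.split(":")[:2] for line in shadow_text.splitlines() if line)
    accounts = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _x, uid, _gid, _gecos, home, shell = line.split(":")
        # Assumption: an account with no shadow entry is treated as locked.
        accounts[name] = {"uid": int(uid), "home": home, "shell": shell,
                          "pw": pw.get(name, "!")}
    return accounts

def audit_service_account(name, accounts):
    """Return findings; an empty list means a dedicated no-login account."""
    acct, findings = accounts[name], []
    if acct["uid"] == 0:
        findings.append("root: a compromise of the service is a compromise of the host")
    if name == "nobody":
        findings.append("shared: every other daemon running as nobody can touch its files")
    if acct["shell"] not in NOLOGIN_SHELLS:
        findings.append("interactive shell: " + acct["shell"])
    # A shadow field starting with '!' or '*' cannot match any password.
    if not acct["pw"].startswith(("!", "*")):
        findings.append("password login possible: a stolen password exposes the service files")
    return findings

if __name__ == "__main__":
    accts = load_accounts(PASSWD, SHADOW)
    for user in ("nobody", "zope", "zopeftp", "alice"):
        print(user, audit_service_account(user, accts) or "ok")
```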