Installing Zope as nonroot user (was: Zope-dev ZFormulator review...)
(moved from zope-dev) Well, let's think about this... If I untar a source Zope from Zope.org into, for instance, /home/mcdonc/Zope while logged in as a nonroot user ("mcdonc"), and run "python w_pcgi.py" on the source as the same user, I'll get a working Zope via ZServer that runs under the "mcdonc" account. So far so good, I can talk to Zope running as "mcdonc" on 8080 if I want to via ZServer. Then let's say I want to make PCGI work so that we can serve Zope content via Apache. We'll assume I configure Apache via httpd.conf's User and Group directives to run as "mcdonc" and configure it to listen on port 80 via the Port directive. I'll then set up my httpd.conf rewrite rules to point to a symlink of the PCGI shellfile at /home/mcdonc/Zope/Zope.cgi in my Apache's cgi-bin directory. We'll always need to start Apache as root if it listens on port 80. Apache will spawn off several nonroot-owned processes which serve requests that run under "mcdonc" in this case. Apache's nonroot server processes should be able to read the Zope.cgi file as they're all running as "mcdonc", and "mcdonc" owns the Zope.cgi file. So far so good. So I start Apache as root via apachectl start. I do a ps -aux to see who Apache is running as, and I have five httpd processes that show the user "mcdonc" as owner and one httpd process that shows the user "root" as owner (the "manager" process). I also see that Zope's two processes are running as "mcdonc". When I visit http://127.0.0.1/Zope/manage, I am able to log in as superuser, etc. So we're successful. I've been doing this as I've been writing it to be 100% sure that this is the case... So, while it seems advisable to untar Zope as a nonroot user (so your files don't end up getting owned by one of the Pelletier clan -- pretty funny!), I don't think it's a requirement to install Zope (via "python w_pcgi.py") as root if you want to serve Zope content from Apache using PCGI. I've done the equivalent under Netscape Enterprise Server, too, and it works. I haven't set up Zope using FastCGI, so I have to claim utter ignorance there. Patrick Phalen wrote:
[Chris McDonough, on Sat, 08 Jan 2000] :: Thanks. Understood. :: :: This is a pretty good argument against installing Zope itself as the :: root user.
Well, er, ahem, hmmm ... While I know what you mean by 'install', here, it might be worth clarifying, to prevent the spread of confusion ...
This is a good argument against *untarring* Zope as root. Instead, su to nobody (or your version of nobody). Otherwise, Zope will likely be owned by one of the Pelletier clan.
OTOH, Zope should be *installed* as root *if* you're intending to run ZServer behind another web server, right?
-- Chris McDonough Digital Creations, Inc. Zope - http://www.zope.org
[Chris McDonough, on Sat, 08 Jan 2000] :: So, while it seems advisable to untar Zope as a nonroot user (so your :: files don't end up getting owned by one of the Pelletier clan -- pretty :: funny!), I don't think it's a requirement to install Zope (via "python :: w_pcgi.py") as root if you want to serve Zope content from Apache using :: PCGI. I've done the equivalent under Netscape Enterprise Server, too, :: and it works. I haven't set up Zope using FastCGI, so I have to claim :: utter ignorance there. Heh. OK, I think we're talking about two different uses of the word "install" (and far be it from me, btw, to disagree about Zope installation with someone who has "digicool.com" in their email address). ;>) ... but ... ... in my comment, I was simply reacting to the following excerpt from Zope/doc/INSTALL.txt: """ 4. In the Zope directory is a shell script named 'install'. This script will configure your Zope installation. If you plan to use Zope with your existing web server environment, the install script *should be run as root*! """ You had said, "This is a pretty good argument against installing Zope itself as the root user." and I was thinking that might mislead people.
Oh wow. Shows you how much I install from the binary release! To my great shame, I'm not really all that sure why the binary release install doc says (and emphasizes) that. Installing the Zope binary release as a nonroot user and using PCGI with Apache is very doable (I just did it to make sure). There's probably Something I Don't Know related to FastCGI or maybe even another webserver (too many variables!!). Amos? Personally, installing Zope as root kinda gives me the creeps. I don't like having to go reset the var directory and file permissions. We seem to get a lot of questions about this on the mailing list that get glossed over by telling people to go reset the permissions on var and the files contained within, but to me, it's simpler and more graceful just to install Zope as the user under which you intend to run it (usually "nobody") when intended inherited install directory permissions permit. One potential problem with installing Zope as a nonroot user (I've run into it) is that when you set up an rc script to start Zope on boot, because the rc script gets run as root, Zope goes pretty much haywire for reasons which are nonobvious and that I didn't spend the time to fully go figure out. Suffice to say that (on Linux at least) it doesn't work. And while it might be inadvisable to disagree with, for example, Jim Fulton (as he will *always* instantly reduce people of average intelligence to a quivering mass of gel in a battle of programming know-how or logic) or Amos Latteier (as he consistently demonstrates an uncanny ability to be right about 100% of the time) or Martijn Pieters (I think I've seen him be wrong *once* in a list message), I am just another schlub. Disagreeing with me is almost *always* a wise move. :) Patrick Phalen wrote:
[Chris McDonough, on Sat, 08 Jan 2000] :: So, while it seems advisable to untar Zope as a nonroot user (so your :: files don't end up getting owned by one of the Pelletier clan -- pretty :: funny!), I don't think it's a requirement to install Zope (via "python :: w_pcgi.py") as root if you want to serve Zope content from Apache using :: PCGI. I've done the equivalent under Netscape Enterprise Server, too, :: and it works. I haven't set up Zope using FastCGI, so I have to claim :: utter ignorance there.
Heh. OK, I think we're talking about two different uses of the word "install" (and far be it from me, btw, to disagree about Zope installation with someone who has "digicool.com" in their email address). ;>) ... but ...
... in my comment, I was simply reacting to the following excerpt from Zope/doc/INSTALL.txt:
""" 4. In the Zope directory is a shell script named 'install'. This script will configure your Zope installation.
If you plan to use Zope with your existing web server environment, the install script *should be run as root*! """
You had said, "This is a pretty good argument against installing Zope itself as the root user." and I was thinking that might mislead people.
-- Chris McDonough Digital Creations, Inc. Zope - http://www.zope.org
participants (2)
-
Chris McDonough -
Patrick Phalen