Ownership & permissions of var for Zope on port 80: Definitive answer?
Greetings.
I'm going crazy trying to figure this one out.
What I want is pretty simple: to have Zope (2.6.1, python 2.1.3) run on port 80 on a Red Hat 8 system. That's got to be pretty common, right? I've got a startup script which runs as root, and launches Zope with the -u flag to change the process owner to a user named 'zope'.
Problem is, I can't figure out how to set the ownership and permissions of the var directory to get everything to work properly. I've tried setting everything as instructed in doc/SETUID.txt, but that doesn't work for me. I've also found conflicting information in the archives of this list and in other Zope docs.
Basically, I get one of two problems:
1) If I set the owner of var and its contents to root, Zope launches just fine, but if I try to pack the database through the ZMI, I get permission-denied errors. My Plone site managers also start getting weird permission-denied errors after a while, too.
2) If I set the owner of var and its contents to the Zope user 'zope', Zope silently fails on launch. If, however, I let Zope launch with root owning var and then, after it's running, change the owner to 'zope', everything works just fine. Until the next time Zope needs to restart, when it silently fails. Ugh.
I've tried setting var's owner to root and group to zope (the group that the zope user belongs to), with g+w permission to var and its contents, but then I still get permission-denied and 'Operation not permitted' errors when packing the ODB.
I've done chmod o+t and chmod a+s, neither of which seem to have helped much. (I don't really understand what they do, but one was indicated in SETUID.txt, and the other somewhere else on zope.org or someplace like that.)
Please, there's *got* to be a definitive answer on how to set up a linux system for running Zope on privileged ports. Can someone post or point me to it?
Thanks,
..Ian Beatty
--
Dr. Ian Beatty                     webmaster@physics.umass.edu
Webmaster, Department of Physics   voice: 413.545.9483
Univ. of Massachusetts             fax: 413.545.4884
Amherst, MA 01003-4525 USA         http://www.physics.umass.edu/
Make sure you change the other things in the var directory, since when you pack, it moves the Data.fs over to Data.old.
BZ
On 2003-09-17 10:14, BZ is reputed to have said:
> Make sure you change the other things in the var directory, since when you pack, it moves the Data.fs over to Data.old.
I made my changes as "chmod -R [stuff] var" or "chmod [stuff] var/*". Thanks, though.
..Ian Beatty
On Wednesday 17 September 2003 14:49, Ian Beatty wrote:
> Please, there's *got* to be a definitive answer on how to set up a linux system for running Zope on privileged ports. Can someone post or point me to it?
If you care about performance or security, get Zope to listen on an unprivileged localhost port and use a proxy such as Squid.
-- Toby Dickenson
On 2003-09-17 10:26, Toby Dickenson is reputed to have said:
> If you care about performance or security, get Zope to listen on an unprivileged localhost port and use a proxy such as Squid.
I'm hoping to take advantage of Zope's FTP and WebDAV servers as well. I'm under the impression that if I run Zope behind Apache, I lose that capability.
What are the performance and security issues? Does using Apache as a front resolve them?
I don't know squat about Squid... Any pointers to get me oriented?
Thanks,
..Ian Beatty
On Wednesday 17 September 2003 15:34, Ian Beatty wrote:
> I don't know squat about Squid... Any pointers to get me oriented?
http://www.google.com/search?q=zope%20squid
-- Toby Dickenson
Ian Beatty wrote:
> I'm hoping to take advantage of Zope's FTP and WebDAV servers as well. I'm under the impression that if I run Zope behind Apache, I lose that capability.
Nope, those ports just aren't proxied by Apache or Squid :-)
Chris
Chris Withers wrote at 2003-9-25 12:58 +0100:
> Ian Beatty wrote:
>> I'm hoping to take advantage of Zope's FTP and WebDAV servers as well. I'm under the impression that if I run Zope behind Apache, I lose that capability.
> Nope, those ports just aren't proxied by Apache or Squid :-)
WebDAV uses HTTP. Thus, you *can* use it with Apache+Zope.
Dieter
Dieter Maurer wrote:
> Chris Withers wrote at 2003-9-25 12:58 +0100:
>> Ian Beatty wrote:
>>> I'm hoping to take advantage of Zope's FTP and WebDAV servers as well. I'm under the impression that if I run Zope behind Apache, I lose that capability.
>> Nope, those ports just aren't proxied by Apache or Squid :-)
> WebDAV uses HTTP. Thus, you *can* use it with Apache+Zope.
I've had Apache complain about request protocols before, so I was just being cautious...
Chris
Ian Beatty wrote at 2003-9-17 09:49 -0400:
> ... What I want is pretty simple: to have Zope (2.6.1, python 2.1.3) run on port 80 on a Red Hat 8 system. That's got to be pretty common, right? I've got a startup script which runs as root, and launches Zope with the -u flag to change the process owner to a user named 'zope'. ... Basically, I get one of two problems:
> 1) If I set the owner of var and its contents to root, Zope launches just fine, but if I try to pack the database through the ZMI, I get permission-denied errors. My Plone site managers also start getting weird permission-denied errors after a while, too.
This is to be expected.
> 2) If I set the owner of var and its contents to the Zope user 'zope', Zope silently fails on launch. If, however, I let Zope launch with root owning var and then, after it's running, change the owner to 'zope', everything works just fine. Until the next time Zope needs to restart, when it silently fails. Ugh.
This looks like the bug Chris fixed for Zope 2.7: Zope opens its log file at a time when it still runs as root. Later, when it has switched to the new user, it is no longer able to write logs. Chris' fix: delay opening the log file until the user is switched.
> I've tried setting var's owner to root and group to zope (the group that the zope user belongs to), with g+w permission to var and its contents, but then I still get permission-denied and 'Operation not permitted' errors when packing the ODB.
Probably, your "umask" does not give write access for the group. "umask" is used for all files which are newly created.
Dieter
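Dieter's umask point, as an added example that is not part of the original thread: mode bits set with chmod stay with the files that existed at that moment, while a file created afterwards takes its mode from the creating process's umask. The temporary directory, the function name simulate_pack and the file name Data.fs.pack are constructed stand-ins, and the pack is only simulated as "move the old file aside, put a freshly created file in its place".

```shell
#!/bin/sh
# Added example: a constructed stand-in for Zope's var directory in a temp dir.
# simulate_pack UMASK
#   prints the mode strings of the moved-aside file and of the new Data.fs
#   after a simulated pack run under the given umask.
simulate_pack() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"                  # umask inherited by the server process
        cd "$dir" || exit 1

        : > Data.fs                 # the existing database file
        chmod g+w . Data.fs         # one-time fix: "chmod g+w var var/*"

        # Simulated pack: the packed copy is a newly created file, so its
        # mode comes from the umask, not from the earlier chmod.
        : > Data.fs.pack            # hypothetical temporary name
        mv Data.fs Data.fs.old      # old file keeps the chmod'ed bits
        mv Data.fs.pack Data.fs     # new file replaces it

        old=$(ls -l Data.fs.old | cut -c1-10)
        new=$(ls -l Data.fs | cut -c1-10)
        echo "Data.fs.old=$old Data.fs=$new"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Stand-alone run: compare a umask that strips group write with one that keeps it.
for mask in 022 002; do
    printf 'umask %s: ' "$mask"
    simulate_pack "$mask"
done
```

With umask 022 the replacement Data.fs comes out without group write even though the original had it; with umask 002 the group-write bit carries over to every new file.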
Participants (5): BZ, Chris Withers, Dieter Maurer, Ian Beatty, Toby Dickenson