Greetings 2 all!
I installed Zope 2.3.0-x86 under SuseLinux 7.1 - but I can't start it. When I start "./start" (as root), an error of type 13 occurs: "permission denied" when the start-script tries to create the pid-file (Z2.pid). I have set the write-permissions of all directories/files around Zope to "all" - but the error stays and Zope is not starting up.
Any tips || hints?
Thanks in advance! Paul Paulousek mailto:pz@percept.de
hi paul,
make sure the /opt/zope/ directory and all its subdirectories have owner and group set to nobody.nobody (you can do this in a single command: chown -R nobody.nobody /opt/zope/ ).
hth. ciao! greg.
On Sun, 25 Mar 2001, paulousek wrote:
> Greetings 2 all!
> I installed Zope 2.3.0-x86 under SuseLinux 7.1 - but I can't start it. When I start "./start" (as root), an error of type 13 occurs: "permission denied" when the start-script tries to create the pid-file (Z2.pid). I have set the write-permissions of all directories/files around Zope to "all" - but the error stays and Zope is not starting up.
> Any tips || hints?
> Thanks in advance! Paul Paulousek mailto:pz@percept.de
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
On Sun, Mar 25, 2001 at 04:05:47PM -0500, ghaley@mail.venaca.com wrote:
> make sure the /opt/zope/ directory and all its subdirectories have owner and group set to nobody.nobody (you can do this in a single command: chown -R nobody.nobody /opt/zope/ ).
Assuming /opt/zope is the Zope installation directory...
This is bad advice. At most, make var/ and the files in it owned by nobody.nobody, so that the Zope process can write there.
Zope executables and Python programs should not be writeable by the process executing off them. A bug or a security vulnerability (IOW, a bug with security implications) may permit an intruder to write to inituser/access or do other nasty stuff TTW, if the Zope process can write to those files.
-- Ng Pheng Siong <ngps@post1.com> * http://www.post1.com/home/ngps
> Assuming /opt/zope is the Zope installation directory...
> This is bad advice. At most, make var/ and the files in it owned by nobody.nobody, so that the Zope process can write there.
> Zope executables and Python programs should not be writeable by the process executing off them. A bug or a security vulnerability (IOW, a bug with security implications) may permit an intruder to write to inituser/access or do other nasty stuff TTW, if the Zope process can write to those files.
thanks for the warning, though our sysadmin was not even aware of it (and he is the most paranoid person i know!). so, let's take a general /opt/zope directory, where you will have.
drwxr-xr-x 4 nobody nobody Extensions
drwxrwxr-x 4 nobody nobody ZServer
-rwxr-xr-x 1 nobody nobody Zope.cgi
-rw------- 1 nobody nobody access
-rw-r--r-- 1 nobody nobody custom_zodb.py
-rw-r--r-- 1 nobody nobody custom_zodb.pyc
drwxrwxr-x 3 nobody nobody doc
-rw-r--r-- 1 nobody nobody event.log
drwxrwxr-x 2 nobody nobody import
drwxrwxr-x 2 nobody nobody inst
drwxrwxr-x 4 nobody nobody lib
drwxrwxr-x 7 nobody nobody pcgi
-rwx--x--x 1 nobody nobody start
-rwx--x--x 1 nobody nobody stop
drwxrwxr-x 2 nobody nobody utilities
drwxrwxr-x 2 nobody nobody var
-rw-r--r-- 1 nobody nobody w_pcgi.py
-rw-r--r-- 1 nobody nobody w_pcgi.pyc
-rw-r--r-- 1 nobody nobody wo_pcgi.py
-rw-r--r-- 1 nobody nobody wo_pcgi.pyc
-rw-r--r-- 1 nobody nobody z2.py
-rw-r--r-- 1 nobody nobody z2.pyc
-rw-r--r-- 1 nobody nobody zProcessManager.pid
-rw-r--r-- 1 nobody nobody zpasswd.py
-rw-r--r-- 1 nobody nobody zpasswd.pyc
what should be owned as nobody.nobody; and who should the owner/group of the other be? i've been advising people about the owner/group based on what i understood from other literature, and i want to make sure that the advice is not creating a trap-door for crackers and other bad guys to get in.
ciao! greg.
Gregory Haley DBA/Web Programmer. Venaca, LLC.
On 26 Mar 2001 11:43:39 -0500, ghaley@mail.venaca.com wrote:
> Assuming /opt/zope is the Zope installation directory...
> This is bad advice. At most, make var/ and the files in it owned by nobody.nobody, so that the Zope process can write there.
> Zope executables and Python programs should not be writeable by the process executing off them. A bug or a security vulnerability (IOW, a bug with security implications) may permit an intruder to write to inituser/access or do other nasty stuff TTW, if the Zope process can write to those files.
> thanks for the warning, though our sysadmin was not even aware of it (and he is the most paranoid person i know!). so, let's take a general /opt/zope directory, where you will have.
Make all zope files owned by root with a few exceptions:
access/inituser
Data.fs
log files
These should be owned and r/w by nobody, or whomever you run Zope as. All other files should be writable by root, but none other.
The principle here is the least opportunity. Don't allow a process that is started as root, to write to its own executable files. Give publicly accessible daemons/servers the bare minimum they need to run, and don't allow others those permissions either.
Bill
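The ownership policy from the replies above (everything root-owned except var/, access/inituser and log files), written as an audit script. This is an added example, not part of the original thread or of Zope; the allow-list patterns and the function names are assumptions based on what the posters describe.

```python
import fnmatch
import os
import stat

# Assumption drawn from the replies: only these paths (relative to the Zope
# directory) may belong to the account Zope runs as. fnmatch's "*" also
# matches "/", so "var/*" covers the whole var/ subtree.
WRITABLE_OK = ("var", "var/*", "access", "inituser", "*.log")


def service_control(st, svc_uid, svc_gids):
    """Return why the service account can modify this file, or None."""
    if st.st_uid == svc_uid:
        return "owned by service account"  # an owner can always chmod it
    if stat.S_ISLNK(st.st_mode):
        return None  # permission bits on a symlink carry no meaning
    if st.st_mode & stat.S_IWGRP and st.st_gid in svc_gids:
        return "group-writable by service group"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit(root, svc_uid, svc_gids, allowed=WRITABLE_OK):
    """Return sorted (relative_path, reason) pairs that break the policy."""
    # "." is checked too: write access to the top directory lets the
    # process rename or replace any entry in it, whatever the entry's mode.
    findings = []
    reason = service_control(os.lstat(root), svc_uid, svc_gids)
    if reason:
        findings.append((".", reason))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in allowed):
                continue
            reason = service_control(os.lstat(full), svc_uid, svc_gids)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    account = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "nobody")
    for rel, why in audit(sys.argv[1], account.pw_uid, {account.pw_gid}):
        print(f"{rel}: {why}")
```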
participants (4): Bill Anderson, ghaley@mail.venaca.com, Ng Pheng Siong, paulousek