Zope and permissions in Linux
I'm moving my web site from OS/2 to Suse 8.2 and I've a few questions to understand how to deal with the permissions.
The installation creates a user called zope which owns the directory var/gadfly and also var/gadfly/demo. I tried to create another directory, gadfly/db to put my database files in.
However, I could not 'su zope' as I didn't know the password given at install time. I was not present during the Suse install but my colleague doesn't remember having seen a password for Zope (as stated in a couple of pages online, the install script outputs a password).
Then, I went root and I gave zope a new password. Only afterwards, I realised this was probably a mistake. What happens if I restart Zope?
Anyways, even after changing the password I could not su zope. Nothing would happen. So to create var/gadfly/db I went root and then chown the directory to zope. Was this the correct procedure?
Also, I've a little External method file to install. Should it be owned by root or by zope?
Any good piece of advice regarding zope security in Linux? (it's an internal web site but still)
Thanks, Fernando
The zope user installed by SuSE is configured as a daemon account. If you would like to login as the zope user you will need to modify /etc/passwd so that the zope user looks something like this:
zope:x:64:2:Zope daemon:/opt/zope26:/bin/bash
Then you can login as the zope user and start zope as that user.
hth, Mike
On Sat, 2003-05-03 at 06:27, Fernando Martins wrote:
> I'm moving my web site from OS/2 to Suse 8.2 and I've a few questions to understand how to deal with the permissions.
> The installation creates a user called zope which owns the directory var/gadfly and also var/gadfly/demo. I tried to create another directory, gadfly/db to put my database files in.
> However, I could not 'su zope' as I didn't know the password given at install time. I was not present during the Suse install but my colleague doesn't remember having seen a password for Zope (as stated in a couple of pages online, the install script outputs a password).
> Then, I went root and I gave zope a new password. Only afterwards, I realised this was probably a mistake. What happens if I restart Zope?
> Anyways, even after changing the password I could not su zope. Nothing would happen. So to create var/gadfly/db I went root and then chown the directory to zope. Was this the correct procedure?
> Also, I've a little External method file to install. Should it be owned by root or by zope?
> Any good piece of advice regarding zope security in Linux? (it's an internal web site but still)
> Thanks, Fernando
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
-- Michael Long <mlong@datalong.com>
> The zope user installed by SuSE is configured as a daemon account. If you would like to login as the zope user you will need to modify /etc/passwd so that the zope user looks something like this:
> zope:x:64:2:Zope daemon:/opt/zope26:/bin/bash
> Then you can login as the zope user and start zope as that user.
Indeed it helps, thanks. I can't check it now but I suppose a daemon account doesn't have a shell by default and that was why I couldn't su.
Is it common practice to use the root account or the daemon account to manage Zope? Does it make a difference?
Regards, Fernando
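
The seventh field of a passwd record is what decides whether `su zope` yields a prompt. The following is an added example, not part of the thread: it parses passwd-format text and reports service accounts that can obtain a shell. The "before" record and the list of non-login shells are assumptions, since the thread does not show the account's original shell.

```python
# Added illustration; not code from the thread or from Zope/SuSE.
# Shells that end the session at once instead of giving a prompt
# (common values; extend the set for your distribution).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd_line(line):
    """Split one passwd(5) record into its seven colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 7 fields, got %d: %r" % (len(parts), line))
    entry = dict(zip(FIELDS, parts))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry


def login_shell(entry):
    """Return the shell su/login would start; an empty field means /bin/sh."""
    return entry["shell"] or "/bin/sh"


def audit_service_accounts(passwd_text, service_accounts):
    """Return (name, shell) for each listed service account with a usable shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_passwd_line(line)
        if entry["name"] in service_accounts and login_shell(entry) not in NOLOGIN_SHELLS:
            findings.append((entry["name"], login_shell(entry)))
    return findings


# Constructed "before" record: the thread never shows the original shell field,
# so /bin/false is an assumption. The "after" record is the line quoted above.
BEFORE = "root:x:0:0:root:/root:/bin/bash\nzope:x:64:2:Zope daemon:/opt/zope26:/bin/false\n"
AFTER = "root:x:0:0:root:/root:/bin/bash\nzope:x:64:2:Zope daemon:/opt/zope26:/bin/bash\n"

if __name__ == "__main__":
    print("before:", audit_service_accounts(BEFORE, {"zope"}))
    print("after: ", audit_service_accounts(AFTER, {"zope"}))
```
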
You do not want to start zope as root. The zope process has the same permissions as the user that starts the process.
On Sat, 2003-05-03 at 14:15, Fernando Martins wrote:
> > The zope user installed by SuSE is configured as a daemon account. If you would like to login as the zope user you will need to modify /etc/passwd so that the zope user looks something like this:
> > zope:x:64:2:Zope daemon:/opt/zope26:/bin/bash
> > Then you can login as the zope user and start zope as that user.
> Indeed it helps, thanks. I can't check it now but I suppose a daemon account doesn't have a shell by default and that was why I couldn't su.
> Is it common practice to use the root account or the daemon account to manage Zope? Does it make a difference?
> Regards, Fernando
-- Michael Long <mlong@datalong.com>
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Michael Long
Sent: Saturday, May 03, 2003 11:43 PM
> You do not want to start zope as root. The zope process has the same permissions as the user that starts the process.
Actually, you *must* start Zope as root if you want to listen on a privileged port. When you start as root, Zope will setuid to the user you specify with the -u option to z2.py, so it will serve requests under that non-privileged user.
_______________________
Ron Bickers
Logic Etc, Inc.
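
The bind-as-root, then setuid sequence described in this message, written out in Python as an added example. It is not Zope's z2.py code and not part of the thread; the function names, the loopback address and the ports in the sample run are assumptions made for illustration.

```python
# Added illustration of "start as root, then setuid"; not Zope's own code.
import os
import pwd
import socket


def drop_privileges(username):
    """Permanently switch a root process to `username`; return the new uid."""
    if os.geteuid() != 0:
        raise PermissionError("only root can switch to another user")
    account = pwd.getpwnam(username)          # KeyError if the account is missing
    if account.pw_uid == 0:
        raise ValueError("%r is a uid 0 account; nothing would be dropped" % username)
    os.initgroups(username, account.pw_gid)   # supplementary groups, while still root
    os.setgid(account.pw_gid)                 # group before user: setgid needs root
    os.setuid(account.pw_uid)                 # as root this changes real, effective and saved uid
    try:
        os.setuid(0)                          # must fail if the drop was permanent
    except PermissionError:
        return account.pw_uid
    raise RuntimeError("process could regain root after setuid")


def listen_then_drop(port, run_as, host="127.0.0.1"):
    """Bind while privileged, then serve as `run_as`; return the listening socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))               # a port below 1024 traditionally needs root
        sock.listen(5)
        if os.geteuid() == 0:                 # started as root: give it up before serving
            drop_privileges(run_as)
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # Constructed run: port 80 when started as root, an unprivileged port otherwise.
    port = 80 if os.geteuid() == 0 else 8080
    listener = listen_then_drop(port, "zope")
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```

The socket stays open across the uid change, which is why the bind has to come first: after the drop the process can no longer bind a privileged port, but it keeps the one it already holds.
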
Are there security issues that mandate that zope should be listening on a privileged port?
On Sun, 2003-05-04 at 00:05, Ron Bickers wrote:
> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Michael Long
> Sent: Saturday, May 03, 2003 11:43 PM
> > You do not want to start zope as root. The zope process has the same permissions as the user that starts the process.
> Actually, you *must* start Zope as root if you want to listen on a privileged port. When you start as root, Zope will setuid to the user you specify with the -u option to z2.py, so it will serve requests under that non-privileged user.
> _______________________
> Ron Bickers
> Logic Etc, Inc.
-- Michael Long <mlong@datalong.com>
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Michael Long
> Are there security issues that mandate that zope should be listening on a privileged port?
No. Many people run Zope behind another Web server that listens on port 80, in which case there's no need to run Zope on a privileged port. But if you wanted ZServer to serve by itself on port 80, you'd have to run it as root.
_______________________
Ron Bickers
Logic Etc, Inc.
Thanks Ron, Michael, I'm getting a better understanding of it.
It was confusing why the main directories are owned by root and not by zope. But I suppose the idea is exactly to prevent the zope user from messing with the installation, with the logical exception of var.
Also confusing was that I could not su to zope (to create a directory in var/gadfly), but that's also sorted out.
Regards, Fernando
> > Are there security issues that mandate that zope should be listening on a privileged port?
> No. Many people run Zope behind another Web server that listens on port 80, in which case there's no need to run Zope on a privileged port. But if you wanted ZServer to serve by itself on port 80, you'd have to run it as root.
> _______________________
> Ron Bickers
> Logic Etc, Inc.