On a linux box, what is the right way to allow a non-privileged user (e.g. "zope") to run a zope server on port 80? I can run on 8080 just fine, but don't have access to the lower numbered ports.

Interestingly, when I try 'bin/runzope' as root (port 80 or 8080), I get a segmentation fault, even though I can run on 80 as user zope.

  [root@crcdocs bin]# ./runzope
  ------
  2004-09-21T16:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 16:29:36 2004
          Hostname: localhost.localdomain
          Port: 8080
  ------
  2004-09-21T16:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 16:29:36 2004
          Hostname: crcdocs.bsd.uchicago.edu
          Port: 8021
  Segmentation fault
  [root@crcdocs bin]#

zope 2.7.2
John Hunter wrote:
On a linux box, what is the right way to allow a non-privileged user (e.g. "zope") to run a zope server on port 80? I can run on 8080 just fine, but don't have access to the lower numbered ports.
Interestingly, when I try 'bin/runzope' as root (port 80 or 8080), I get a segmentation fault, even though I can run on 80 as user zope.

  [root@crcdocs bin]# ./runzope
  ------
  2004-09-21T16:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 16:29:36 2004
          Hostname: localhost.localdomain
          Port: 8080
  ------
  2004-09-21T16:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 16:29:36 2004
          Hostname: crcdocs.bsd.uchicago.edu
          Port: 8021
  Segmentation fault
  [root@crcdocs bin]#
You have to start the parent process as root since it is below 1024, but in the zope.conf you can set the effective-user to someone else so its children will then run as the non-privileged user. Not optimal, but works.

Calvin
--
S i x F e e t U p | "Nowhere to go but open-source"
Silicon Valley: +1 (650) 401-8579 | Midwest: +1 (317) 861-5948
Toll-Free: 1-866-SIX-FEET
mailto:calvin@sixfeetup.com
http://www.sixfeetup.com | Zope Hosting from $19.95/month
"Calvin" == Calvin Hendryx-Parker <calvin@sixfeetup.com> writes:
Calvin> You have to start the parent process as root since it is
Calvin> below 1024, but in the zope.conf you can set the
Calvin> effective-user to someone else so its children will then
Calvin> run as the non-privileged user. Not optimal, but works.

Yes, that is what I am doing:

  effective-user zope

  <http-server>
    # valid keys are "address" and "force-connection-close"
    address 80
    # force-connection-close on
  </http-server>

  <ftp-server>
    # valid key is "address"
    address 21
  </ftp-server>

Then starting zope as root. I chown -R zope.zope the zope root dir to make sure the zope user had access to all the log and dbase files, etc. that it needed. But I get the segfault when I try to run as root. For good measure I did a clean re-install of python and zope from src but still get the segfault. Here are my compile notes:

  # setup for zope user
  user> sudo /usr/sbin/useradd -m zope
  user> sudo passwd zope

  # login as zope
  # configure python with zlib and LFS
  zope> CFLAGS='-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' OPT="-g -O2 $CFLAGS" ./configure
  # Edit Modules/Setup and uncomment the zlib line; REQUIRED!
  zope> make
  root# make install

  # build zope
  zope> cd /var/tmp/build/Zope-2.7.2-0/
  # add the prefix - default is opt!
  zope> ./configure --with-python=/usr/local/bin/python --prefix=/usr/local/Zope-2.7.2
  zope> make
  root# make install
  root# /usr/local/Zope-2.7.2/bin/mkzopeinstance.py
  # prompted for username and passwd
  # Directory: /usr/local/Zope-2.7.2/zope_instance
  # username : zope
  # passwd : whatever

  # set the ownership
  root# chown -R zope.zope /usr/local/Zope-2.7.2

  # login as zope; change effective user to zope and the ports
  zope> emacs -q -nw /usr/local/Zope-2.7.2/zope_instance/etc/zope.conf

  # login as root and start zope
  root# /usr/local/Zope-2.7.2/zope_instance/bin/runzope
  ------
  2004-09-21T17:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 17:29:36 2004
          Hostname: localhost.localdomain
          Port: 80
  ------
  2004-09-21T17:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 17:29:36 2004
          Hostname: crcdocs.bsd.uchicago.edu
          Port: 21
  Segmentation fault
"John" == John Hunter <jdhunter@ace.bsd.uchicago.edu> writes:
John> crcdocs.bsd.uchicago.edu Port: 21 Segmentation fault

For a little more information, I ran an strace. The effective-user information is

  [root@crcdocs Products]# grep zope /etc/passwd
  zope:x:503:503::/home/zope:/bin/bash

and the strace is at http://nitace.bsd.uchicago.edu:8080/files/share/strace.out. If anyone has any insight, I'm much obliged.

JDH
Just did a test and it worked by making a quick test instance::

  cyclone% /Applications/Zope-2.7.2/bin/mkzopeinstance.py
  Directory: ~/foobar
  Please choose a username and password for the initial user.
  These will be the credentials you use to initially manage
  your new Zope instance.

  Username: calvin
  Password:
  Verify password:
  cyclone% vim ~/foobar/etc/zope.conf

Changed as follows::

  139c139
  < # effective-user chrism
  ---
  effective-user calvin
  798c798
  < address 8080
  address 88
  804c804
  < address 8021
  address 21
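Review bot: the http-server hunk moves the test instance to address 88 rather than the address 80 that John's zope.conf uses, so this is not an exact reproduction of his configuration; both ports are below 1024, though, so the path being exercised (start as root, then switch to the effective-user) is the same one that segfaults for him, and the ftp-server hunk does match his address 21.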
  cyclone% sudo ~/foobar/bin/runzope

Comes up just fine and states during start up::

  ------
  2004-09-21T21:37:10 INFO(0) ZServer HTTP server started at Tue Sep 21 21:37:10 2004
          Hostname: cyclone.sixfeetup.house
          Port: 88
  ------
  2004-09-21T21:37:10 INFO(0) ZServer FTP server started at Tue Sep 21 21:37:10 2004
          Hostname: cyclone
          Port: 21
  ------
  2004-09-21T21:37:10 INFO(0) Zope Set effective user to "calvin"

then after a bit::

  2004-09-21T21:37:22 INFO(0) Zope Ready to handle requests

This was on OS X, but I would think that the same would apply for linux. I'm guessing that it is still some sort of permission issue.

Calvin
--
S i x F e e t U p | "Nowhere to go but open-source"
Silicon Valley: +1 (650) 401-8579 | Midwest: +1 (317) 861-5948
Toll-Free: 1-866-SIX-FEET
mailto:calvin@sixfeetup.com
http://www.sixfeetup.com | Zope Hosting from $19.95/month
"Calvin" == Calvin Hendryx-Parker <calvin@sixfeetup.com> writes:
Calvin> This was on OS X, but I would think that the same would
Calvin> apply for linux. I'm guessing that it is still some sort
Calvin> of permission issue.

It's also worked for me, on other linux boxes. The strace I posted yesterday indicates a failure on the set group call. I'll just post the tail here:

  fstat(5, {st_mode=S_IFREG|0644, st_size=579, ...}) = 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a983ae000
  lseek(5, 0, SEEK_CUR) = 0
  read(5, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 579
  read(5, "", 4096) = 0
  close(5) = 0
  munmap(0x2a983ae000, 4096) = 0
  setgroups(1, [503]) = 0
  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
  +++ killed by SIGSEGV +++

I'm hoping that this gives some zope guru-possibly-named-tim an idea of what is going wrong. Here is my /etc/group and /etc/passwd info for the effective user:

  [root@crcdocs Products]# grep zope /etc/group /etc/passwd
  /etc/group:zope:x:503:
  /etc/passwd:zope:x:503:503::/home/zope:/bin/bash

And my kernel info:

  [root@crcdocs Products]# uname -a
  Linux crcdocs.bsd.uchicago.edu 2.6.5-1.358 #1 Sat May 8 09:01:26 EDT 2004 x86_64 x86_64 x86_64 GNU/Linux

This is a brand-spanking new box from Monarch Systems with FC2 pre-installed.

JDH
"John" == John Hunter <jdhunter@ace.bsd.uchicago.edu> writes:
John> I'm hoping that this gives some zope guru-possibly-named-tim
John> an idea of what is going wrong. Here is my /etc/group and
John> /etc/passwd info for the effective user

I did some old fashioned debugging, inserting print statements into /usr/local/Zope-2.7.2/lib/python/Zope/Startup/__init__.py to find out which call was generating the segfault. It's occurring on the line

  initgroups.initgroups(effective_user, gid)

in the def dropPrivileges(cfg) function. I took a look at the src /var/tmp/build/Zope-2.7.2-0/lib/Components/initgroups/initgroups.c and added a print statement to initgroups_initgroups:

  static PyObject *
  initgroups_initgroups(PyObject *self, PyObject *args)
  {
      printf("hi mom");
      char *username;
      gid_t gid;

recompiled, and the segfault went away. Removed the printf statement, recompiled, and the segfault returned. I was able to repeat this several times with the same result each time: without the irrelevant printf, I segfaulted; with it, I didn't. Does this typically indicate a pointer/memory bug? Is there any reason to believe the cflags

  CFLAGS='-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' OPT="-g -O2"

would cause any trouble?

JDH
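The privilege drop the thread is circling (start as root to bind port 80, then switch to the effective-user via initgroups/setgid/setuid, the order Zope's dropPrivileges() follows) is shown below as an added example in Python 3; it is not code from the thread or from Zope, and it adds the check a defender wants, that the drop actually happened and cannot be undone. The user name "zope" is taken from the thread; resolve_user() and verify_dropped() are illustrative helpers, and os.initgroups() needs Python 3.2 or later.

```python
import os
import pwd
import grp


def resolve_user(name):
    """Return (uid, gid, sorted supplementary gids) for a passwd entry.
    The gid list is what initgroups() installs: every group file entry
    that lists the user, plus the user's primary group."""
    pw = pwd.getpwnam(name)
    gids = {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    gids.add(pw.pw_gid)
    return pw.pw_uid, pw.pw_gid, sorted(gids)


def verify_dropped(uid, gid, groups, observed):
    """Pure check that an observed (uid, gid, groups) triple matches the plan.
    The groups test is the one most often skipped: without setgroups()/
    initgroups() the worker silently keeps root's supplementary groups."""
    o_uid, o_gid, o_groups = observed
    return (o_uid == uid and o_gid == gid
            and set(o_groups) <= set(groups) and 0 not in o_groups)


def drop_privileges(name):
    """Switch this process to `name`; raise if the drop did not fully happen.
    Must be called as root (after the port 80 bind). Order matters:
    initgroups()/setgroups() need root, which is gone once setuid() ran."""
    uid, gid, groups = resolve_user(name)
    if uid == 0 or 0 in groups:
        raise ValueError("refusing to 'drop' to a root-equivalent account")
    os.initgroups(name, gid)  # the libc call Zope's initgroups module wraps
    os.setgid(gid)
    os.setuid(uid)
    observed = (os.getuid(), os.getgid(), os.getgroups())
    if not verify_dropped(uid, gid, groups, observed):
        raise RuntimeError("privilege drop incomplete: %r" % (observed,))
    try:  # the drop must be irreversible
        os.setuid(0)
    except PermissionError:
        return observed
    raise RuntimeError("process could regain uid 0 after the drop")
```

Run drop_privileges("zope") as root right after binding the listening sockets; the returned triple is what the worker will run as, and any exception means the server should exit rather than serve with leftover root rights.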
On Sep 21, 2004, at 4:41 PM, John Hunter wrote:
On a linux box, what is the right way to allow a non-privileged user (e.g. "zope") to run a zope server on port 80? I can run on 8080 just fine, but don't have access to the lower numbered ports.
Would someone who does have root access be willing to set up some sort of proxy that will forward requests from port 80 to a high numbered port for you? I've used Apache's mod_rewrite and mod_proxy, and I've used pound <http://www.apsis.ch/pound> for this purpose.