Suggestions for improving http://www.zope.org/Members/mcdonc/HowTos/zopeinstall/ZOPE-INSTALL-HOWTO
Chris,

What with all the activity on the list in the last week about the quality of documentation, I thought I'd better try to deliver on my promise to send you feedback. I'd hoped to send you something more polished, but best not to let the best be the enemy of the good, I always think. Anyway, the following comments relate to my experience of installing Zope using your fine document:

http://www.zope.org/Members/mcdonc/HowTos/zopeinstall/ZOPE-INSTALL-HOWTO

1) A bit out of date: refers to "the as yet mythical 2.2.5" for example (we are now 2.5.0, no?)

2) A couple of minor typo-like errors

All this futzing with security is important because we're going to start Zope as the root user. When Zope is started as root, it executes programs kept in the Zope directory as the root user before it switches user context to the nobody user. If these program files are modifiable by arbitrary users, ***you [could] [be] [are] compromising the security of your system.*** We've limited our risk by allowing only three trusted users to access the Zope holding directory and anything kept within it. Giving arbitrary write access to the holding directory or the Zope directory and files within is a Bad Idea.

***pick one

===== =====

There, I did it. I've got a holding directory named "/usr/local/zope" that's owned by the "nobody" user. It's also group-owned by the "mcdonc" group, whose only member is my user account "mcdonc".

3) Educational suggestions

Could add:

If you don't already have such a group on your system, you need to set one up as follows

dougie@carnall:/usr/local/zope$ su
Password:
dougie@carnall:/usr/local/zope#
root@carnall:/usr/local/zope# usermod -G users,dougie dougie

This adds the user dougie to two groups, users and dougie.

***** *****

Further reading/additional knowledge.

Understanding unix permissions is vital to successfully installing zope. You may need to brush up by reading the man pages of the following commands:

chmod/chgrp/useradd/groupadd/usermod/groupmod

(It was setting up the groups that I had not done before)

dougie@carnall:/usr/local/zope$ man usermod

and so on

This is a nice introductory page:
http://www.perlfect.com/articles/chmod.shtml

I'd also recommend
Pfaffenberger B. Linux Command Instant Reference. Alameda CA: Sybex, 2000.
though O'Reilly has just put up this nice page here:
http://www.oreillynet.com/linux/cmd/

***** *****

If you are having trouble with your install have a look at these related webpages:

start with:
http://www.zope.org/Members/jens/docs/newbie_caveats

I made a mini-link-o-paedia for someone on the list a while back:
http://www.carnall.demon.co.uk/install_zope.html

Scavenge at will.

****** ******

Might be useful to reassure people of the distro independence of Zope, and the various versions of python problem. (see http://lists.zope.org/pipermail/zope/2002-February/108708.html et seq)

Hope this is helpful

D.

-- 
Douglas Carnall
tel:+44 (0)20 7241 1255 fax:08700 557879 mob:07900 212881
http://www.carnall.org/ dougie@carnall.org
Excellent, thanks so much Doug. I'll roll these suggestions into the next release.

----- Original Message -----
From: "Douglas Carnall" <dougie@carnall.org>
To: <chrism@zope.com>
Cc: "Zope List" <zope@zope.org>
Sent: Wednesday, March 13, 2002 11:27 AM
Subject: Suggestions for improving http://www.zope.org/Members/mcdonc/HowTos/zopeinstall/ZOPE-INSTALL-HOWTO
Douglas Carnall <dougie@carnall.org> writes:
All this futzing with security is important because we're going to start Zope as the root user. When Zope is started as root, it executes programs kept in the Zope directory as the root user before it switches user context to the nobody user.
Is there _any_ need to have Zope started as root? I never did this and haven't had problems with this approach yet. Even the Zope tree is only readable for Zope on my systems (after one initial start to get the pyc-files).

Regards, Frank
On Mon, Mar 18, 2002 at 03:15:40PM +0100, Frank Tegtmeyer wrote:
Douglas Carnall <dougie@carnall.org> writes:
All this futzing with security is important because we're going to start Zope as the root user. When Zope is started as root, it executes programs kept in the Zope directory as the root user before it switches user context to the nobody user.
Is there _any_ need to have Zope started as root? I never did this and hadn't problems with this approach yet. Even the Zope tree is only readable for Zope on my systems (after one initial start to get the pyc-files).
Yes, to bind it to port 80

-- 
__________________________________________________
"Nothing is as subjective as reality"
Reinoud van Leeuwen reinoud.v@n.leeuwen.net http://www.xs4all.nl/~reinoud
__________________________________________________
Reinoud van Leeuwen <reinoud.v@n.leeuwen.net> writes:
Yes, to bind it to port 80
An excellent example of how one can be locked into a specific kind of thinking :) I never used port 80 - so I never thought about it ... Thanks for reminding me about something so simple.

Regards, Frank
On Mon, Mar 18, 2002 at 03:27:59PM +0100, Reinoud van Leeuwen wrote:
Is there _any_ need to have Zope started as root? I never did this and hadn't problems with this approach yet. Even the Zope tree is only readable for Zope on my systems (after one initial start to get the pyc-files).
Yes, to bind it to port 80
Why not have Apache listening on port 80 and redirecting to Zope? A little hassle but worth it to avoid such a security problem.

-- 
Bruce

I see a mouse. Where? There, on the stair. And its clumsy wooden footwear makes it easy to trap and kill. -- Harry Hill
It's no security problem as I understand it. You start it as root, but with -u <username>, and it will run as username, and you have username as owner on all the files.
On Mon, 18 Mar 2002 20:02:41 +0100, "Lennart Regebro" <lennart@torped.se> wrote:
It's no security problem as I understand it. You start it as root, but with -u <username>, and it will run as username, and you have username as owner on all the files.
That's not universally true. In our configuration the z2.py script is routinely updated from a cvs repository that many people have write access to. It definitely is a security risk for me to run z2.py as root. Of course, other configurations are different.

Toby Dickenson
tdickenson@geminidataloggers.com
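A check that a start script could run before launching Zope as root, added here as an example; it is not part of the HOWTO or of any message in the thread. It makes the ownership rule from Douglas's quoted passage and Toby's group-writable z2.py case mechanical: the tree is a constructed stand-in for /usr/local/zope, and the current user and primary group stand in for nobody and mcdonc, since chown to those needs root.

```shell
#!/bin/sh
# audit_zope_tree DIR OWNER GROUP
# Files under DIR are executed or imported as root before Zope switches
# to the unprivileged user, so flag anything that is: not owned by OWNER,
# writable by others (-perm -0002), or writable by a group other than the
# trusted GROUP (-perm -0020). Prints offenders; returns 1 if any, else 0.
audit_zope_tree() {
    offenders=$(find "$1" \( ! -user "$2" -o -perm -0002 \
        -o \( -perm -0020 ! -group "$3" \) \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/insecure: /'
        return 1
    fi
    return 0
}

# make_sample_tree: constructed stand-in for /usr/local/zope. It belongs to
# the current user and primary group (chown to nobody/mcdonc needs root).
# Prints the path of the tree it creates.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/Zope" "$root/var"
    echo '# constructed stand-in for z2.py' > "$root/Zope/z2.py"
    chgrp "$(id -gn)" "$root/var"
    chmod 0755 "$root" "$root/Zope"
    chmod 0644 "$root/Zope/z2.py"   # readable by all, written only by owner
    chmod 0770 "$root/var"          # group write for the trusted group: fine
    echo "$root"
}

# Demo: a clean tree passes; a z2.py that a sloppy checkout left
# world-writable is caught, which is where a start script should refuse
# to run "z2.py -u <user>" as root.
me=$(id -un); grp=$(id -gn)
tree=$(make_sample_tree)
audit_zope_tree "$tree" "$me" "$grp" && echo "clean: $tree"
chmod 0666 "$tree/Zope/z2.py"
audit_zope_tree "$tree" "$me" "$grp" || echo "refusing to start Zope as root"
rm -rf "$tree"
```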
participants (7): Bruce Richardson, Chris McDonough, Douglas Carnall, Frank Tegtmeyer, Lennart Regebro, Reinoud van Leeuwen, Toby Dickenson