Re: [Zope] Starting Zope
Costagliola Giovanni wrote:
On Thu, 27 Jul 2000, Oleg Broytmann wrote:
On Thu, 27 Jul 2000, Costagliola Giovanni wrote:
How can I start Zope with a different user than root and catch the default HTTP port?
Use a different way - start Zope as root, catch port 80 and drop uid.
I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
This is a different error, not a problem with port 80, ah?
I see Oleg, more exactly I would start ZServer with a user like 'zope', for example, but at the same time I want it links the port 80!
I could use the root user simply but I'll lose my sleep :^)
Can you give me some input?
If you want to bind to ports <1024 you _must_ be root. Zope can run as another user (the -u <user> option), but it must be _started_ as root, if you want to bind to port 80. Period.
Sorry, there is no other way, short of making Zope SUID, which is a very, very, very, very, very, very bad idea.
Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
-- cary
Cary O'Brien wrote:
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
Which is an even worse idea.
-- Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Cary O'Brien wrote:
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
Which is an even worse idea.
Why? On a sufficiently firewalled off box, where the few logins are completely trusted, what's the diff? If you were worried about people cracking a user account and getting underneath telnet, then limit the lifting of the restriction to port 80. If you are concerned that non-root users could launch attacks from low ports at other machines, assuming that only good guys can come from low ports is pretty naive.
The whole business about not letting anyone but root bind to low ports makes sense for a public access machine where all the first year engineering students have an account, but for a dedicated application server it is kind of misdirected. You ought to be running next to nothing but the application, and you had better trust everyone that you give a login to, and you ought to have the thing locked down/firewalled well. So the tiny bit of possible protection may not be worth the hassle/risks of writing your own suid-wrapper, or the complexity of having a redirect and messing with site-access so that the port numbers in the zope -- what it is that parameter -- base or whatever, comes out right.
Just for fun - does NT have the same restriction?
-- cary
Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response, in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to <1024 ports even when they run as a user with least privileges.
Just my opinion.
nitesh.
On Sun, 30 Jul 2000, Cary O'Brien wrote:
Cary O'Brien wrote:
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
Which is an even worse idea.
Why? On a sufficiently firewalled off box, where the few logins are completely trusted, what's the diff? If you were worried about people cracking a user account and getting underneath telnet, then limit the lifting of the restriction to port 80. If you are concerned that non-root users could launch attacks from low ports at other machines, assuming that only good guys can come from low ports is pretty naive.
The whole business about not letting anyone but root bind to low ports makes sense for a public access machine where all the first year engineering students have an account, but for a dedicated application server it is kind of misdirected. You ought to be running next to nothing but the application, and you had better trust everyone that you give a login to, and you ought to have the thing locked down/firewalled well. So the tiny bit of possible protection may not be worth the hassle/risks of writing your own suid-wrapper, or the complexity of having a redirect and messing with site-access so that the port numbers in the zope -- what it is that parameter -- base or whatever, comes out right.
Just for fun - does NT have the same restriction?
-- cary
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
(Quoting reversed for sake of continuity.)
On Sun, 30 Jul 2000, Cary O'Brien wrote:
Cary O'Brien wrote:
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
Which is an even worse idea.
Why? On a sufficiently firewalled off box, where the few logins are completely trusted, what's the diff? If you were worried about people cracking a user account and getting underneath telnet, then limit the lifting of the restriction to port 80. If you are concerned that non-root users could launch attacks from low ports at other machines, assuming that only good guys can come from low ports is pretty naive.
The whole business about not letting anyone but root bind to low ports makes sense for a public access machine where all the first year engineering students have an account, but for a dedicated application server it is kind of misdirected. You ought to be running next to nothing but the application, and you had better trust everyone that you give a login to, and you ought to have the thing locked down/firewalled well. So the tiny bit of possible protection may not be worth the hassle/risks of writing your own suid-wrapper, or the complexity of having a redirect and messing with site-access so that the port numbers in the zope -- what it is that parameter -- base or whatever, comes out right.
Just for fun - does NT have the same restriction?
Nitesh Dhanjani wrote:
Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response, in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to <1024 ports even when they run as a user with least privileges.
Exactly. In addition, relying solely on a firewall is a bad idea from a security standpoint. Firewalls can, and do, get breached. I don't run many services on _any_ of my machines for security reasons. I certainly don't want Joe Random User to fire them up either. Consider tftpd, or telnetd, or rlogin, rusers, rwho, ruptime, etc. There are many ways a user can compromise, not only the machine he is on, but other machines by having the capability to bind to ports under 1024. Nearly all of them are off topic for this list; thus I would recommend a number of the security resources available on the web, such as:
http://www.rootshell.com
http://www.securityfocus.com
Just a quick example: A user can upload a custom compiled version of <insert service such as DNS, NIS, telnetd, httpd, etc.> that uses his/her local libraries, bypass /etc/services. Since they can bind to ports under 1025, they can be started by the user. Whereas, for example, on other systems, their app would fail. Now, consider that if they used a version of, say ftpd, or fingerd, or named, that has known security openings, they can then exploit this to get root accounts; the firewall being bypassed by being local to the machine.
Remember, Cary, if you don't think like a cracker/hacker, you can't stop them. If you can't see why allowing users (and users' programs) can be a problem, doing so is a violation of the basic premise of good security: That which is not specifically allowed, is denied.
And, BTW, for the record, I handle Unix/Network security for a company known as Hewlett-Packard, so I think I have a good idea of the risks and potential exploits ;)
-- Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
chown the var directory to the zope user. This is what I do with my setup.
On Sat, 29 Jul 2000, Cary O'Brien wrote:
Costagliola Giovanni wrote:
On Thu, 27 Jul 2000, Oleg Broytmann wrote:
On Thu, 27 Jul 2000, Costagliola Giovanni wrote:
How can I start Zope with a different user than root and catch the default HTTP port?
Use a different way - start Zope as root, catch port 80 and drop uid.
I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
This is a different error, not a problem with port 80, ah?
I see Oleg, more exactly I would start ZServer with a user like 'zope', for example, but at the same time I want it links the port 80!
I could use the root user simply but I'll lose my sleep :^)
Can you give me some input?
If you want to bind to ports <1024 you _must_ be root. Zope can run as another user (the -u <user> option), but it must be _started_ as root, if you want to bind to port 80. Period.
Sorry, there is no other way, short of making Zope SUID, which is a very, very, very, very, very, very bad idea.
Well...
If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
-- cary
yes, but it would solve the permission problem the original poster mentioned.
On Sat, 29 Jul 2000, Bill Anderson wrote:
Nitesh Dhanjani wrote:
chown the var directory to the zope user. This is what I do with my setup.
That will not let you bind to ports < 1024.
-- Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Nitesh Dhanjani wrote:
yes, but it would solve the permission problem the original poster mentioned.
No, because the original user wanted to _start_ Zope as user zope. Unless that user has a UID/GID of 0 (i.e., is root by another name), the file permissions are irrelevant. Now, as to _running_ (i.e., switch to once bound), the directory permissions come into play.
I was basing my response off of:
How can I start Zope with a different user than root and catch the default HTTP port?
AND
I see Oleg, more exactly I would start ZServer with a user like 'zope', for example, but at the same time I want it links the port 80!
Of course, it is entirely possible the user meant something other than s/he wrote. ;) But that last one doesn't seem to indicate that.
To put it succinctly: If you want Zope to bind to port 80 on *nix you have few options:
o Change Zope to run SUID ** Bad Idea
o Modify the kernel so _anyone_ can bind to ports under 1024 ** even worse
o START Zope as root, run it as a non-privileged user, preferably one without a login.
File permissions are irrelevant when binding to ports under 1024 on Unix.
-- Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
That is what I was responding to. I am aware of the facts you mention regarding the 3 points you make below, and agree with them.
nitesh.
On Sun, 30 Jul 2000, Bill Anderson wrote:
Nitesh Dhanjani wrote:
yes, but it would solve the permission problem the original poster mentioned.
No, because the original user wanted to _start_ Zope as user zope. Unless that user has a UID/GID of 0 (i.e., is root by another name), the file permissions are irrelevant. Now, as to _running_ (i.e., switch to once bound), the directory permissions come into play.
I was basing my response off of:
How can I start Zope with a different user than root and catch the default HTTP port?
AND
I see Oleg, more exactly I would start ZServer with a user like 'zope', for example, but at the same time I want it links the port 80!
Of course, it is entirely possible the user meant something other than s/he wrote. ;) But that last one doesn't seem to indicate that.
To put it succinctly: If you want Zope to bind to port 80 on *nix you have few options:
o Change Zope to run SUID ** Bad Idea
o Modify the kernel so _anyone_ can bind to ports under 1024 ** even worse
o START Zope as root, run it as a non-privileged user, preferably one without a login.
File permissions are irrelevant when binding to ports under 1024 on Unix.
-- Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
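The third option in the list above (start as root, bind port 80, then run as an unprivileged user), as an added Python example. It is not Zope's or ZServer's own code; the function names and the `zope` account are assumptions made for illustration.

```python
import os
import pwd
import socket


def drop_privileges(uid, gid):
    """Permanently become uid/gid; return the (uid, gid) now in effect."""
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    if os.geteuid() != 0:
        # Not started as root: we cannot switch users, so only accept the
        # call if we already are the target user.
        if os.geteuid() != uid:
            raise PermissionError("must be started as root to switch user")
        return os.getuid(), os.getgid()
    os.setgroups([])   # shed root's supplementary groups first
    os.setgid(gid)     # group before user: after setuid() we may not change it
    os.setuid(uid)     # as root this sets real, effective and saved uid
    try:
        os.setuid(0)   # must fail now, otherwise the drop is reversible
    except PermissionError:
        return os.getuid(), os.getgid()
    raise RuntimeError("root privileges could be regained after the drop")


def bind_then_drop(host, port, uid, gid):
    """Bind while still privileged, then drop; return the listening socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))    # ports < 1024 need root at this point
        sock.listen(5)
        drop_privileges(uid, gid)  # the bound socket survives the switch
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    account = pwd.getpwnam("zope")  # assumed service account name
    listener = bind_then_drop("0.0.0.0", 80, account.pw_uid, account.pw_gid)
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```

Everything after the drop runs as the unprivileged account, which is why the var directory discussed in the thread has to be writable by that account.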
participants (3)
- Bill Anderson
- Cary O'Brien
- Nitesh Dhanjani