[Zope-dev] zope and UNIX permissions

Bill Anderson bill@libc.org
Thu, 13 Jul 2000 01:06:59 -0600


Chris McDonough wrote:
> 
> > > Hmmm... thanks for trying it. This doesn't seem much of a risk, does it?
> >
> > Not that I can see off-hand. It is only a socket, a means for
> > communicating with Zope. The 'risk' would only lie in Zope's Security
> > mechanisms. ;-)
> >
> > The only possible risk would be a DoS type maneuver if random user could
> > rewrite the pcgi.soc socket. You could control this through var
> > directory permissions, will try this out and report back.
> 
> You're the coolest!  Thanks..


OK, it appears that Zope can handle it if:
the var directory (for Zope) is rwx for user and group AND pcgi.soc is
777.

This makes sense, of course. I was primarily making sure that Zope
didn't try to access it as a non-user (as some apps do).

So, in conclusion, the paranoid can make certain the directory
containing pcgi.soc is only writeable/executable to user/group owned by
the Zope process (and by the WebServer!!) with little fear of others on
the system accessing it willy-nilly.

YMMV, offer void in some states, yadda yadda yadda.

Bill

-- 
"Linux: the operating system with a CLUE...
Command Line User Environment".

seen in a posting on comp.software.testing
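
Added example, not part of the message above or of Zope itself: a shell check for the layout the thread settles on, where the directory holding pcgi.soc is rwx for user and group and closed to everyone else. The function name `check_var_dir` and its return codes are made up for this sketch; the directory path is whatever your installation uses.

```shell
#!/bin/sh
# Added example: audit the directory that holds pcgi.soc.
# Assumptions: the Zope var directory is passed as $1 and the socket is
# named pcgi.soc inside it; check_var_dir is a name made up for this sketch.

# Return codes: 0 = only user/group can reach the socket,
#               1 = "others" have some access to the directory,
#               2 = path is not a directory,
#               3 = user or group lacks rwx (Zope or the web server is locked out).
check_var_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 2
    fi

    # ls -ld prints e.g. drwxrwx---; -L resolves a symlinked var directory.
    mode=$(ls -ldL "$dir" | cut -c1-10)
    ug=$(printf '%s' "$mode" | cut -c2-7)
    other=$(printf '%s' "$mode" | cut -c8-10)

    # A 777 socket is only as private as the directory around it, so
    # report its mode when it exists.
    if [ -S "$dir/pcgi.soc" ]; then
        echo "pcgi.soc mode: $(ls -l "$dir/pcgi.soc" | cut -c1-10)"
    fi

    case $other in
        ---|--T) ;;
        *w*) echo "others have write permission on $dir ($mode)"
             return 1 ;;
        *)   echo "others can access $dir ($mode)"
             return 1 ;;
    esac

    case $ug in
        rw[xs]rw[xs]) ;;
        *) echo "user/group need rwx on $dir ($mode)"
           return 3 ;;
    esac

    echo "ok: $dir ($mode)"
    return 0
}

if [ "$#" -gt 0 ]; then
    check_var_dir "$1"
fi
```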