[Zope-dev] Re: [ZODB-Dev] ZEO signal feature
Toby Dickenson
tdickenson@geminidataloggers.com
Mon, 7 Oct 2002 07:39:05 +0100
On Sunday 06 Oct 2002 4:56 pm, Chris McDonough wrote:
> > It's probably unavoidable that the log file is opened as root --
> > it's used to report "can't setuid()". :-)
Thats what syslog is for.
It is good security practice that a daemon should *never* have a writeabl=
e=20
file descriptor for its log file. If it does, and the daemon is compromis=
ed,=20
an attacker can trivially cover his tracks by removing the incriminating=20
evidence from the log file.
> Pidfiles too.
Currently it is common practice for Zope's 'stop' scripts to be run as ro=
ot.=20
We cant allow the pid files to be written by non-root users, otherwise th=
ose=20
users could trick root into killing an arbitrary process.
> The only real
> purpose to running as root is to be able to bind to low-numbered TCP
> ports.
IMO there are better solutions to the problems to which low-numbered port=
s are=20
a common solution. Zope/ZSS never *needs* a low numbered port, and zope=20
should never be started as root.
(I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev=
)