[Zope-dev] Re: [ZODB-Dev] ZEO signal feature

Christian Reis kiko@async.com.br
Mon, 7 Oct 2002 16:13:10 -0300


On Mon, Oct 07, 2002 at 07:39:05AM +0100, Toby Dickenson wrote:
> On Sunday 06 Oct 2002 4:56 pm, Chris McDonough wrote:
> 
> > > It's probably unavoidable that the log file is opened as root --
> > > it's used to report "can't setuid()". :-)
> 
> That's what syslog is for.

Only issue with syslog is defining what facility to use and changing the
code to use it. That and win32 support.

> It is good security practice that a daemon should *never* have a writeable 
> file descriptor for its log file. If it does, and the daemon is compromised, 
> an attacker can trivially cover his tracks by removing the incriminating 
> evidence from the log file.

+1 for syslog.

> >  The only real purpose to running as root is to be able to bind to
> >  low-numbered TCP ports.
> 
> IMO there are better solutions to the problems to which low-numbered ports are 
> a common solution. Zope/ZSS never *needs* a low numbered port, and zope 
> should never be started as root.

Maybe better, but not simpler. It's the Unix standard to run daemons on
low-numbered ports, and we know the reasons for it.

I'd propose calling socket() and then setuid() (with the relevant save
pid step), and then run the ZEO normally as the user using either a
user-written log or syslog.

> (I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev)

This is really a ZEO issue, as far as both Zope and standalone ZEO are
affected, but anyway...

Take care,
--
Christian Reis, Senior Engineer, Async Open Source, Brazil.
http://async.com.br/~kiko/ | [+55 16] 261 2331 | NMFL
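The startup sequence proposed above (bind the listening socket while still root, save the pid, drop to an unprivileged user, and log through syslog so the daemon never holds a writable descriptor on its log file), as an added example that is not part of this thread or of ZEO's own code. The user name "zope", the port 8100 and the pidfile path are assumptions.

```python
import os
import pwd
import socket
import syslog


def bind_listening_socket(port, host="0.0.0.0"):
    """Create, bind and listen on a TCP socket.

    This runs before setuid() so that a low-numbered port (< 1024) can be
    claimed while root; the bound socket stays usable after the drop.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def drop_privileges(username):
    """Switch to an unprivileged user and verify the drop is irreversible.

    Order matters: supplementary groups, then gid, then uid; after setuid()
    to a non-root uid the first two calls would be refused.
    Returns the (uid, gid) the process runs as afterwards.
    """
    if os.getuid() != 0:
        return (os.getuid(), os.getgid())  # not root, nothing to drop
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)  # must fail; if it succeeds the drop was not real
    except OSError:
        return (pw.pw_uid, pw.pw_gid)
    raise RuntimeError("privilege drop failed: setuid(0) still succeeds")


def start_daemon(port=8100, username="zope", pidfile="/var/run/zeo.pid"):
    # syslog owns the log channel; the daemon never holds a writable fd
    # on the log file, so a compromised process cannot edit past entries.
    syslog.openlog("zeo", syslog.LOG_PID, syslog.LOG_DAEMON)
    sock = bind_listening_socket(port)
    with open(pidfile, "w") as f:  # the "save pid" step, still as root
        f.write("%d\n" % os.getpid())
    uid, gid = drop_privileges(username)
    syslog.syslog(syslog.LOG_INFO,
                  "listening on port %d as uid=%d gid=%d" % (port, uid, gid))
    return sock
```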