[Zope] Zope in Virtual Host on ISP

Kevin Dangoor kid@ans.net
Mon, 1 Feb 1999 12:02:35 -0500


On Mon, Feb 01, 1999 at 06:02:22AM -0600, Chris Larson wrote: 
,-----
| On 1/31/99 2:53 PM , Kevin Dangoor kid@ans.net said:
| 
| >On Sun, Jan 31, 1999 at 01:24:24PM -0600, Chris Larson wrote: 
| >,-----
| >Actually, it's pretty straightforward, except for the authentication part.
| >The INSTALL.txt file (in the docs directory of the Zope distribution)
| >breaks it down to a nice set of steps.
| 
| Assuming I can't convince my ISP's admin to help out (Or rather, that I'm 
| too impatient to wait), is there a way around setting the var permission 
| to 'nobody'? 'not permitted' at the moment. Remember, I do not have 
| 'root' access.

I'm actually working through the security issues myself right now.
The easiest thing to do is make that directory world writeable. I
know this is less than ideal in a shared environment...

On my web server, I got the ISP to set the group ID on my directories
to a group that the web server belongs to. So, I could set var
to group writeable and other users that are logged on are unable to
change that directory. (However, anyone on the machine could make
their own CGI scripts that mess with that directory.)

My ultimate goal is to get pcgi-wrapper running setuid. I have it doing
this right now. All you do is go to the pcgi directory (under your
Zope directory) and do "chmod u+s pcgi-wrapper". This lets Zope run
as your user ID, so var only needs to be read/writeable by you.

The problem that I am still working out with this arrangement is that
pcgi-wrapper gets configured by the Zope.cgi script. This means that
other people on the system could make their own PCGI programs that
do arbitrary things with your website and data. If pcgi-wrapper is
hard coded to just run your instance of Zope, this should be a pretty
secure thing.

| >As far as authentication, you are going to want to ask your ISP if they've
| >got mod_rewrite installed. You can use Zope without mod_rewrite, but
| >(to me) it seems like a pain, because you have to maintain a user list
| >for the webserver (in .htpasswd) and another copy of the user list (in
| >the User Folders) in Zope.
| 
| Is there a way for me to determine this by calling or examining Apache?

I think so. Just put:

    RewriteEngine on

in your .htaccess file. If mod_rewrite isn't there, you should get an
error when you try to view anything on your site.

| >Is python already installed there? If so, I really don't think you'll
| >run into much trouble...
| >
| On that note, when I run a simple python cgi to return the sys.version of 
| python, I get "Python 1.4 (Feb  4 1997)  [GCC 2.7.2.1]". It appears they 
| do have PyApache installed. Am I getting a PyApache version number? When 
| I 'locate python' all that shows up is 1.5. Also, or maybe more to the 
| point, is there any way to force Zope (or any other .cgi) to execute 
| python from my user directory as my username? I've installed 1.5.2b1 in 
| my local/bin, and suspect that a lot of my problems may be coming from 
| the installed 1.5. When I place my user account directory as the path 
| (/myaccount/local/bin/python), I end up with "500 Internal Server Error".

Hmm... do these scripts work from the command line? If so, you should make
sure that the permissions on all of the python stuff are such that
"nobody" can run everything.

`-----

Kevin

-- 
Kevin Dangoor
kid@ans.net / 734-214-7349
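
The three arrangements weighed in the message above (world-writable var, group-writable var, setuid pcgi-wrapper) can be told apart from the mode bits alone. The following is an added example, not part of the original post or of Zope: a small Python audit that labels what is on disk. The function names, labels and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

# Findings keyed by short label; wording follows the trade-offs in the message.
NOTES = {
    "world-writable": "any local account can change the directory",
    "group-writable": "members of the group, and CGI run by the web server, can change it",
    "owner-only": "only the owner can write; Zope must run as the owner",
    "setuid-open": "runs as the owner for any local caller, configured by the calling script",
    "setuid-restricted": "runs as the owner; no execute bit for 'other'",
    "not-setuid": "runs as the web server's user (e.g. nobody)",
}

def classify_var(mode):
    """Classify the permission bits of the Zope var directory."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return "owner-only"

def classify_wrapper(mode):
    """Classify the permission bits of pcgi-wrapper."""
    if not mode & stat.S_ISUID:
        return "not-setuid"
    return "setuid-open" if mode & stat.S_IXOTH else "setuid-restricted"

def audit(var_dir, wrapper):
    """Return (var label, wrapper label) for paths on disk."""
    var_mode = stat.S_IMODE(os.stat(var_dir).st_mode)
    wrapper_mode = stat.S_IMODE(os.stat(wrapper).st_mode)
    return classify_var(var_mode), classify_wrapper(wrapper_mode)

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        var_dir = os.path.join(root, "var")
        wrapper = os.path.join(root, "pcgi-wrapper")
        os.mkdir(var_dir)
        open(wrapper, "w").close()
        os.chmod(var_dir, 0o777)   # the "easiest thing" from the message
        os.chmod(wrapper, 0o755)   # before chmod u+s
        return audit(var_dir, wrapper)

if __name__ == "__main__":
    for label in demo():
        print(label, "-", NOTES[label])
```

To check a real install, call audit() with the paths to the instance's var directory and pcgi-wrapper binary.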