[Zope] hard-coded pcgi

Kevin Dangoor kid@ans.net
Wed, 3 Feb 1999 13:41:10 -0500


On Wed, Feb 03, 1999 at 12:18:04PM -0500, Phillip J. Eby wrote: 
,-----
| At 09:44 AM 2/3/99 -0500, Kevin Dangoor wrote:
| >
| >Unless there's something I've missed, I think this is the most secure way
| >for one to run Zope in a shared hosting environment...
| 
| Only if your shared hosting environment doesn't give every domain its own
| Unix user ID and executes CGI's under that ID...  :)

Hmm... If the hosting company doesn't give you your own Unix uid, I don't
think there's any way to prevent people from getting at your data...

| 
| In any case, it's not pcgi-wrapper that really needs to be setuid, it's
| Zope itself.  So you need to either be on a platform that supports setuid
| scripts, or write a C wrapper that wraps the server-side Zope, not the PCGI
| client.

But pcgi *is* the wrapper, right? pcgi starts up Zope when it isn't running and then passes requests to it after that. So, if pcgi is running setuid, the it will start up Zope under my uid as well. (I have tried this already, and it works. Zope runs as my user id if I chmod u+s pcgi-wrapper.)

`-----

Kevin

-- 
Kevin Dangoor
UUnet Technologies
kid@ans.net / 734-214-7349