[Zope] Installing Zope as nonroot user (was: Zope-dev ZFormulator review...)

Chris McDonough chrism@digicool.com
Sat, 08 Jan 2000 17:53:51 -0500


(moved from zope-dev)

Well, let's think about this...

If I untar a source Zope from Zope.org into, for instance,
/home/mcdonc/Zope while logged in as a nonroot user ("mcdonc"), and run
"python w_pcgi.py" on the source as the same user, I'll get a working
Zope via ZServer that runs under the "mcdonc" account.  So far so good,
I can talk to Zope running as "mcdonc" on 8080 if I want to via ZServer.

Then let's say I want to make PCGI work so that we can serve Zope
content via Apache.  We'll assume I configure Apache via httpd.conf's
User and Group directives to run as "mcdonc" and configure it to listen
on port 80 via the Port directive.  I'll then set up my httpd.conf
rewrite rules to point to a symlink of the PCGI shellfile at
/home/mcdonc/Zope/Zope.cgi in my Apache's cgi-bin directory.

We'll always need to start Apache as root if it listens on port 80. 
Apache will spawn off several nonroot-owned processes which serve
requests that run under "mcdonc" in this case.  Apache's nonroot server
processes should be able to read the Zope.cgi file as they're all
running as "mcdonc", and "mcdonc" owns the Zope.cgi file.  So far so
good.

So I start Apache as root via apachectl start.  I do a ps -aux to see
who Apache is running as, and I have five httpd processes that show the
user "mcdonc" as owner and one httpd process that shows the user "root"
as owner (the "manager" process).  I also see that Zope's two processes
are running as "mcdonc".

When I visit http://127.0.0.1/Zope/manage, I am able to log in as
superuser, etc.  So we're successful.

I've been doing this as I've been writing it to be 100% sure that this
is the case...

So, while it seems advisable to untar Zope as a nonroot user (so your
files don't end up getting owned by one of the Pelletier clan -- pretty
funny!), I don't think it's a requirement to install Zope (via "python
w_pcgi.py") as root if you want to serve Zope content from Apache using
PCGI.  I've done the equivalent under Netscape Enterprise Server, too,
and it works.  I haven't set up Zope using FastCGI, so I have to claim
utter ignorance there.

Patrick Phalen wrote:
> 
> [Chris McDonough, on Sat, 08 Jan 2000]
> :: Thanks.  Understood.
> ::
> :: This is a pretty good argument against installing Zope itself as the
> :: root user.
> 
> Well, er, ahem, hmmm ...  While I know what you mean by 'install', here,
> it might be worth clarifying, to prevent the spread of confusion ...
> 
> This is a good argument against *untarring* Zope as root. Instead,
> su to nobody (or your version of nobody). Otherwise, Zope will likely be
> owned by one of the Pelletier clan.
> 
> OTOH, Zope should be *installed* as root *if* you're intending to run
> ZServer behind another web server, right?
> 
-- 
Chris McDonough
Digital Creations, Inc.
Zope - http://www.zope.org