[Zope] start problem linux
ghaley@mail.venaca.com
Mon, 26 Mar 2001 11:43:39 -0500 (EST)
>
> Assuming /opt/zope is the Zope installation directory...
>
> This is bad advice. At most, make var/ and the files in it owned by
> nobody.nobody, so that the Zope process can write there.
>
> Zope executables and Python programs should not be writeable by the process
> executing off them. A bug or a security vulnerability (IOW, a bug with
> security implications) may permit an intruder to write to inituser/access
> or do other nasty stuff TTW, if the Zope process can write to those files.
>
>
thanks for the warning, though our sysadmin was not even aware of
it (and he is the most paranoid person i know!). so, let's take a general
/opt/zope directory, where you will have:
drwxr-xr-x 4 nobody nobody Extensions
drwxrwxr-x 4 nobody nobody ZServer
-rwxr-xr-x 1 nobody nobody Zope.cgi
-rw------- 1 nobody nobody access
-rw-r--r-- 1 nobody nobody custom_zodb.py
-rw-r--r-- 1 nobody nobody custom_zodb.pyc
drwxrwxr-x 3 nobody nobody doc
-rw-r--r-- 1 nobody nobody event.log
drwxrwxr-x 2 nobody nobody import
drwxrwxr-x 2 nobody nobody inst
drwxrwxr-x 4 nobody nobody lib
drwxrwxr-x 7 nobody nobody pcgi
-rwx--x--x 1 nobody nobody start
-rwx--x--x 1 nobody nobody stop
drwxrwxr-x 2 nobody nobody utilities
drwxrwxr-x 2 nobody nobody var
-rw-r--r-- 1 nobody nobody w_pcgi.py
-rw-r--r-- 1 nobody nobody w_pcgi.pyc
-rw-r--r-- 1 nobody nobody wo_pcgi.py
-rw-r--r-- 1 nobody nobody wo_pcgi.pyc
-rw-r--r-- 1 nobody nobody z2.py
-rw-r--r-- 1 nobody nobody z2.pyc
-rw-r--r-- 1 nobody nobody zProcessManager.pid
-rw-r--r-- 1 nobody nobody zpasswd.py
-rw-r--r-- 1 nobody nobody zpasswd.pyc
what should be owned as nobody.nobody; and who should the owner/group of
the others be?
i've been advising people about the owner/group based on what i understood
from other literature, and i want to make sure that the advice is not
creating a trap-door for crackers and other bad guys to get in.
ciao!
greg.
Gregory Haley
DBA/Web Programmer.
Venaca, LLC.
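
The rule from the quoted reply (only var/ writable by the account Zope runs as) can be checked with a short audit script. This is an added example, not part of the original message or of Zope; the function names and the sample tree are constructed for illustration.

```python
import os, stat, sys, tempfile

def writable_by(st, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids, allowed=("var",)):
    """Return paths under root, outside the allowed top-level dirs, that uid can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # var/ is meant to be writable, so do not descend into it
            dirnames[:] = [d for d in dirnames if d not in allowed]
        # A writable directory lets the process replace read-only files in it,
        # so directories are checked as well as files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample(base):
    """Constructed tree, owned by the current user, with modes set explicitly."""
    layout = {"z2.py": 0o644, "access": 0o600, "lib/mod.py": 0o444, "var/Data.fs": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    os.chmod(os.path.join(base, "lib"), 0o555)
    os.chmod(base, 0o755)
    return base

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py /opt/zope nobody
        import pwd
        pw = pwd.getpwnam(sys.argv[2])
        root, uid = sys.argv[1], pw.pw_uid
        gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    else:  # no arguments: run against the constructed sample tree
        root, uid, gids = build_sample(tempfile.mkdtemp()), os.getuid(), set()
    for rel in audit(root, uid, gids):
        print("writable by service account:", rel)
```

A finding of `.` means the installation directory itself is writable, which is enough to rename or replace files such as z2.py even when those files are read-only.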