[Zope] start problem linux
Bill Anderson
bill@libc.org
26 Mar 2001 11:39:38 -0700
On 26 Mar 2001 11:43:39 -0500, ghaley@mail.venaca.com wrote:
> >
> > Assuming /opt/zope is the Zope installation directory...
> >
> > This is bad advice. At most, make var/ and the files in it owned by
> > nobody.nobody, so that the Zope process can write there.
> >
> > Zope executables and Python programs should not be writeable by the process
> > executing off them. A bug or a security vulnerability (IOW, a bug with
> > security implications) may permit an intruder to write to inituser/access
> > or do other nasty stuff TTW, if the Zope process can write to those files.
> >
> >
> thanks for the warning, though our sysadmin was not even aware of
> it (and he is the most paranoid person i know!). so, let's take a general
> /opt/zope directory, where you will have.
Make all zope files owned by root with a few exceptions:
access/inituser
Data.fs
log files
These should be owned and r/w by nobody, or whomever you run Zope as.
All other files should be writable by root, but none other. The
principle here is the least opportunity. Don't allow a process that is
started as root, to write to it's own executable files. Give publicly
accesible daemons/servers the bare minumum they need to run, and don't
allow others those permissions either.
Bill