[Zope] Run Zope under nobody or real user?
marc lindahl
marc@bowery.com
Wed, 02 May 2001 21:48:29 -0400
Well, what I did was, make a user zope, who's home directory is
/usr/local/zope, then put zope there. Made the user zope have the same
security as the user 'nobody', except allowed logins. 'Nobody' can't do
much, neither could 'zope' in this way.
Using proftpd, and SSH, you can limit the login, for example, to only
certain IP addresses, which would limit the exposure. Or, you could run
those services on a wierd port number, and so on. Typical security stuff,
should be worked in with overall security scheme.
> From: Itai Tavor <itai@optusnet.com.au>
>
> Yeah, this is an advantage... in this case, I could just run it as
> myself. But isn't this a security risk? If anyone gets my password,
> they get full access to the server. If zope is running under user
> 'zope' who is not allowed to log in, you'd need to manage to become
> root to do any damage - which is the same as when zope is running
> under nobody.
>
> That's what I imagined people are doing - using a user who does not log in.
>
> marc lindahl wrote: