[Zope] Help Please : IOError: [Errno 13] Permission denied
Behrens Matt - Grand Rapids
Matt.Behrens@Kohler.Com
Wed, 17 Oct 2001 09:11:46 -0400
bak (kedai) wrote:
> On Wednesday 17 October 2001 03:42 pm, girish wrote:
>
>> File /home/ep/zope/Zope2.4.1/z2.py, line 757, in ?
>>IOError: [Errno 13] Permission denied: '/home/ep/zope/Zope2.4.1/var/Z2.pid'
>>
>>***************************************************************************
>>
>
> if you started zope as root, zope will then operate as nobody. make sure
> nobody has access/permission to the zope tree

Please, everyone, DON'T run Zope as nobody, if you value anything in the
Data.fs!

Recall that nobody is an unprivileged OS username. You want nobody to
not have access to anything that might be considered a privileged resource.

Data.fs is a bad choice to give nobody access to. If ANY system service
that you have that runs as nobody (CGIs often do, for example) is
compromised, your entire Data.fs becomes fair game for the compromiser.
Your acl_users is in Data.fs, and it's real easy to pull the passwords
out of there, or any other content.

Make a new user explicitly for running Zope. Give that user rights to
the Zope tree. Or, better yet, use INSTANCE_HOME (see
<http://www.zope.org/Members/4am/instancehome>), and give the user
rights only to the instance tree. That's how the OpenBSD zope port
(coming in 3.0) operates.
--
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture
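
The following is an added example, not part of the original message or of Zope: a Python audit of the `var/` directory (where the traceback above puts `Z2.pid`, and where `Data.fs` lives) that flags files owned by a shared account such as nobody, owned by anyone other than the dedicated Zope user, or accessible to other users. The names `SHARED_ACCOUNTS`, `owner_name` and `audit_instance` are assumptions made for this sketch.

```python
import os
import pwd
import stat
import sys

# Accounts shared with other services (CGIs etc.); assumption: just "nobody".
SHARED_ACCOUNTS = {"nobody"}

def owner_name(uid):
    """Map a uid to a username, falling back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_instance(instance_home, zope_user, owner_of=owner_name):
    """Return sorted (path, problem) findings for instance_home/var and below."""
    findings = []
    var_dir = os.path.join(instance_home, "var")
    for root, _dirs, files in os.walk(var_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link modes are meaningless; targets are not followed
            owner = owner_of(st.st_uid)
            if owner in SHARED_ACCOUNTS:
                # Any compromised service running as this account could read it.
                findings.append((path, "owned by shared account %r" % owner))
            elif owner != zope_user:
                findings.append((path, "owned by %r, expected %r" % (owner, zope_user)))
            if st.st_mode & stat.S_IROTH:
                findings.append((path, "world-readable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_zope_var.py INSTANCE_HOME ZOPE_USER
    results = audit_instance(sys.argv[1], sys.argv[2])
    for path, problem in results:
        print("%s: %s" % (path, problem))
    sys.exit(1 if results else 0)
```

Group permissions are not checked here; if the Zope user's group has other members, the group bits need the same scrutiny.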