[Zope] Can't build resource file for PCGI on Zope 2.7b1
Tiller, Michael (M.M.)
mtiller at ford.com
Fri Aug 29 11:07:35 EDT 2003
> From: Chris Withers [mailto:chrisw at nipltd.com]
> Subject: Re: [Zope] Can't build resource file for PCGI on Zope 2.7b1
>
> Tiller, Michael (M.M.) wrote:
> > Why do I want to do it this way? Well, if I open a port on
> localhost then any user of the server can access that port.
> With the named pipe, I can control the permissions on the port.
>
> You have people other than sys admin logging into and using
> the machine that's
> the live webserver for your corporate intranet?
>
> And your corporate security guidlines don't say anything about that?
>
> That's pretty suprising...
I think you are taking liberties with what I said. First, the server is not *THE* live webserver for Ford's corporate intranet, it is one among *many* and a rather minor one at that. If it were one of the main ones, there is no way they would let me run Zope one it (not an accepted "corporate standard"). In fact, the systems people here have been quite accommodating by even allowing me to run Zope.
To answer your question, access to the machine *is* heavily restricted (I never indicated otherwise).
That isn't the point. The point is that a (properly configured) named pipe *is* more secure than a port (even a localhost port) because the permissions can be controlled at the system level. So it seems reasonable (to me) for somebody to want to use a named pipe.
In any case, I'm not looking to get into an argument about how well-reasoned our corporate security policies. I'm just trying to understand what the purported "more appropriate" alternatives are for PCGI.
> Chris
--
Mike
More information about the Zope
mailing list