[Zope] Filesystem Permissions for a Zope Install

Dylan Reinhardt zope@dylanreinhardt.com
16 May 2003 14:04:08 -0700


On Fri, 2003-05-16 at 10:30, Edward Pollard wrote:
> Up to now, world has had read access to the entire Zope tree.

Hmmm... can't see why you'd want to change *that*. :-)


> However, the only immediate alternative seems to be to add Apache to 
> the "Zopeadmins" group we have, but that has read-write, and letting 
> Apache have write is a potential security hazard.

Apache needs access to the port Zope is running on and nothing else. 
Really, they don't even have to be on the same machine...  or the same
OS, for that matter.

Unless you're doing something *highly* unusual, Apache needs exactly
*zero* access to Zope files.

There are a number of how-tos online with details on how to get Apache
to function as a reverse proxy for Zope.  Ignore the ones that make use
of cgi wrappers and just go straight to RewriteRules.

HTH,

Dylan
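
A way to check the filesystem side of the advice above, as an added example that is not part of the original post: the script reports every entry in a Zope tree that grants access to "other", checks whether the web server account is a member of the Zope admin group, and provides a function to remove world access. The account name `apache` and the directory argument are assumptions; `Zopeadmins` is the group named in the quoted question.

```shell
#!/bin/sh
# Added example: audit "other" permission bits on a Zope tree and check
# that the web server account has no group route into it.
# Usage (report only, changes nothing): sh audit.sh /path/to/zope [user] [group]

# Print every entry under $1 that grants read, write or execute to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count those entries. A name containing a newline is counted more than once.
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d '[:space:]'
}

# Succeed if account $1 exists and is a member of group $2.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Remove all "other" access below $1; owner and group bits are untouched.
lock_down() {
    chmod -R o-rwx "$1"
}

# Report mode: runs only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    web_user="${2:-apache}"        # assumed account name
    zope_group="${3:-Zopeadmins}"  # group named in the quoted question
    echo "entries accessible to other under $1: $(count_world_accessible "$1")"
    world_accessible "$1"
    if user_in_group "$web_user" "$zope_group"; then
        echo "WARNING: $web_user is in $zope_group and inherits its access"
    else
        echo "OK: $web_user is not in $zope_group"
    fi
fi
```

`lock_down` is not called in report mode; run it deliberately once the Zope process owner and admin group have been confirmed to have the access they need.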