[Zope] Fw: Enrollment Error (fwd)

Jamie Heilman jamie at audible.transient.net
Wed Nov 5 16:25:40 EST 2003


Dennis Allison wrote:
> which googling suggests is due to the protections of the var directory not 
> having public write permissions set.  My configuration vis a vis
> permissions is right out of the book
> 
> drwxr-xr-t    2 root     root         4096 Oct 27 17:39 var
> 
> with zope running as a local user ( -u zope ).
> 
> The question, then, is "What should the permissions on var be?".

Whatever your system policy dictates it should be.  What you have makes
no sense though.  Zope used to ship with a document detailing the
proper ownership and permissions of the data directory, but that
document was wildly incorrect (it describes something like what you
have above).  Unfortunately people seem all too happy to blindly follow
instructions rather than actually bother figuring out how unix filesystem
permissions really work.

Step 1 is to make sure you're not running zope as root
        http://audible.transient.net/zope/#root
Step 2 is to make a group for your zope instance, e.g. "zope"
Step 3 is to make a user for your zope instance, e.g. "zope" with its
        primary group set to the group you've created in step 2
Step 4 is to set up the instance home; you should choose a partition
        intended for this kind of thing, on my systems I use
        /var/local/zope

        There are a bunch of silly default paths from here which I'll
        stick to only for the purposes of example, but don't feel tied
        to them.

        Consider this view of /var/local/zope:
        drwxr-xr-x    3 root     staff        4096 Nov  1 14:32 .
        drwxrwsr-x    7 root     staff        4096 Nov  4 01:07 ..
        drwxr-sr-x    2 root     staff        4096 Aug  6 00:59 Extensions
        drwxr-sr-x    2 root     staff        4096 Aug  6 00:59 Products
        drwxr-sr-x    2 root     staff        4096 Sep 22 03:00 import
        drwxr-s---    2 zope     staff        4096 Oct 31 13:27 var

        This gives you a data directory ("var") that zope can write
        to, but keeps other users (apart from the superuser) out, unless they
        are part of the staff group (handy for admins to be able to debug
        stuff in there).

        If you're running zope as the "zope" user created earlier
        (directly, not via '-u' or other setuid misfeatures) this
        should give the process enough leeway to do what it needs to do
        with its data files and logs.
Step 5, abandon all of the above and switch to zeo to get even further
        separation, but I'll leave that for another discussion

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
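The layout Jamie describes for the "var" directory, turned into an audit script. This is an added example and not part of the original post: it checks that a directory is owned by the zope uid, group-owned by the admin group, and mode 2750 (drwxr-s---), reporting each deviation, and can apply that policy. It assumes GNU coreutils (stat -c) and takes numeric uid/gid so the check does not depend on name resolution.

```shell
#!/bin/sh
# Added example (not from the original post): audit and optionally apply
# the ownership/mode for a Zope instance's "var" directory described in
# the thread: owned by the zope uid, group-owned by the admin group,
# mode 2750 (drwxr-s---). zope can write, group members can read for
# debugging, everyone else is kept out, and setgid keeps new files in
# the admin group. Assumes GNU coreutils (stat -c).

# check_var_dir DIR UID GID -> 0 if DIR matches the policy, 1 otherwise,
# printing each deviation found. The listing from the thread (drwxr-xr-t,
# owned by root) fails on all three counts.
check_var_dir() {
    dir=$1 want_uid=$2 want_gid=$3 rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # stat %u/%g/%a: numeric owner, numeric group, octal mode incl. special bits
    set -- $(stat -c '%u %g %a' "$dir")
    uid=$1 gid=$2 mode=$3
    [ "$uid" = "$want_uid" ] || { echo "$dir: owner uid $uid, want $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$dir: group gid $gid, want $want_gid"; rc=1; }
    [ "$mode" = "2750" ] || { echo "$dir: mode $mode, want 2750 (drwxr-s---)"; rc=1; }
    # Call out the common mistake separately: opening the directory to
    # everyone instead of using group membership for the admins.
    case $mode in
        *[2367]) echo "$dir: world-writable; use group membership instead"; rc=1 ;;
    esac
    return $rc
}

# apply_var_policy DIR UID GID -> chown/chmod DIR into the layout above.
# Needs root, or to already own DIR and be a member of GID.
apply_var_policy() {
    chown "$2:$3" "$1" && chmod 2750 "$1"
}
```

Run it as e.g. `check_var_dir /var/local/zope/var "$(id -u zope)" "$(id -g zope)"` after creating the zope user and group.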
