Assuming that "plone" is an unprivileged user, and is not otherwise in use,
you've covered the basics.

If you'd like to go further, have the program directories be owned by a
different user than the var, with the daemon user running with permissions
to write into var, but nowhere else. This isn't that easy to achieve,
because sometimes buildout wants to write into var, and you're going to have
to fix permissions afterwards.

If you're using zeo, you can go a bit further by having the zeo process
running under a different id than the clients. The gotcha is that you won't
be able to use shared blobs (which is why the Unified Installer abandoned
this with 4.0).

On Tue, Oct 4, 2011 at 7:58 PM, hydrostarr2 <[email protected]> wrote:

> Any general "best practice" recommendations for user/group ownership (in
> Ubuntu 10/11) of /usr/local/Plone and all its dirs/files in its tree?
>
> We've been running with inconsistent settings, and plan to standardize on all
> 'plone:plone' for /everything/ in /usr/local/Plone.  eg:
>
>
>
> Problems with this?  Alternative suggestions (and if so, why?)?
>
> --
> View this message in context:
> http://plone.293351.n2.nabble.com/User-group-ownership-all-plone-plone-tp6860860p6860860.html
> Sent from the Installation, Setup, Upgrades mailing list archive at
> Nabble.com.
> _______________________________________________
> Setup mailing list
> [email protected]
> https://lists.plone.org/mailman/listinfo/plone-setup
>
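
The split described in the reply (program directories owned by one account, the daemon able to write into var and nowhere else) can be checked after each buildout run. The shell functions below are an added example, not part of the original thread or of any Plone installer; the function names are hypothetical, and the check looks only at owner, group and mode bits, ignoring ACLs and supplementary groups.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Judges write access from owner, group and mode bits only.

# writable_by UID GID FIND-ARGS...: print entries that UID/GID may write.
writable_by() {
    uid=$1 gid=$2
    shift 2
    find "$@" ! -type l \( \
        \( -user "$uid" -perm -200 \) -o \
        \( -group "$gid" -perm -020 \) -o \
        -perm -002 \) -print
}

# Everything under ROOT, except ROOT/var, that the daemon could modify.
audit_outside_var() {
    root=${1%/}
    writable_by "$2" "$3" "$root" -path "$root/var" -prune -o
}

# True when the daemon can write to ROOT/var itself.
var_is_writable() {
    root=${1%/}
    [ -n "$(writable_by "$2" "$3" "$root/var" -prune)" ]
}

# check_install ROOT UID GID
# Returns 0 if the layout matches, 1 if code is writable, 2 if var is not.
check_install() {
    bad=$(audit_outside_var "$@")
    if [ -n "$bad" ]; then
        printf 'daemon can write outside var:\n%s\n' "$bad"
        return 1
    fi
    var_is_writable "$@" || { echo "daemon cannot write to var"; return 2; }
}

# Typical call, with ROOT being the buildout directory that contains var
# and "plone" the daemon account named in the thread:
#   check_install /path/to/buildout "$(id -u plone)" "$(id -g plone)"
```

With everything set to `plone:plone`, `check_install` returns 1 and lists the whole program tree, which is the exposure the reply's stricter layout removes.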