Re: [Zope-dev] root ZServer
--On Mittwoch, 19. Januar 2005 17:04 Uhr +1100 Alan Milligan <[EMAIL PROTECTED]> wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andreas Jung wrote: | There is zero need to relax this requirement. You only have to start | Zope as root I just explained you cannot start as root ... And I explained that Zope wants to the change the UID to a non-root account for security reasons. | to get port 80 but it is in general not a good idea for *any* service to | run | as root for security reasons. So there is absolutely no reason to *not* | changing | the the uid of the process to a user with less permissions. Says you!! I happen to be using zope to wrap a number of excellent Python rpm packaging scripts/modules (eg yum, mach), and as part of this process, need to do rpm package installs from the zope server which obviously requires root access. I see no reason why I should be penalised for using the excellent workflow features of Zope in a system programming environment. If Zope is to be useful to the widest cross community, we really MUST stop this 'we know best' attitude and allow people at the coalface to override default behaviour as only they are in a position to evaluate the appropriateness of the 'security reasons'. To be honest: if you need another behaviour than the one implemented then fix it on your own and maybe put a patch into the Zope collector. So if someone has the same problem it can grab the patch. At least your usecase does not seem to be common so I don't think we should add such a dangerous feature (although if disabled by default) with Zope. There are also other applications e.g. postgres that refuse to run as root. If you need to perform root-level operations from within a non-rooted Zope there are enough solutions available to give the application limited root right (sudo etcsearch on freshmeat). I consider your request as a YAGNI. -aj ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] root ZServer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andreas Jung wrote: | There is zero need to relax this requirement. You only have to start | Zope as root I just explained you cannot start as root ... | to get port 80 but it is in general not a good idea for *any* service to | run | as root for security reasons. So there is absolutely no reason to *not* | changing | the the uid of the process to a user with less permissions. Says you!! I happen to be using zope to wrap a number of excellent Python rpm packaging scripts/modules (eg yum, mach), and as part of this process, need to do rpm package installs from the zope server which obviously requires root access. I see no reason why I should be penalised for using the excellent workflow features of Zope in a system programming environment. If Zope is to be useful to the widest cross community, we really MUST stop this 'we know best' attitude and allow people at the coalface to override default behaviour as only they are in a position to evaluate the appropriateness of the 'security reasons'. How about a 'yes' response this time. Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB7fiFCfroLk4EZpkRAoDZAJ40UveUjpBGyN0/1VnUmZUQz0GctgCfa+R1 tvE2RP5DNwa2IlEmMmX2l0g= =JNQg -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] root ZServer
--On Mittwoch, 19. Januar 2005 15:18 Uhr +1100 Alan Milligan <[EMAIL PROTECTED]> wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I have a requirement to run a root uid Z2 process and was most surprised to see that line 334 of Zope/Startup/__init__.py expressly forbids this, throwing a ZConfig.ConfigurationError While it's not a good idea to configure Zope to run as root by default, isn't it completely fascist to disallow it altogether? Similarly, I'd now expect issues if I chose to attach a Z2 to a low port. As far as I'm concerned, the account policy (and port too) is clearly defined by directives in zope.conf and should be honoured - clearly someone's consciously made these configuration changes and is thus fully accepting of their potential consequences. How about relaxing this requirement? There is zero need to relax this requirement. You only have to start Zope as root to get port 80 but it is in general not a good idea for *any* service to run as root for security reasons. So there is absolutely no reason to *not* changing the the uid of the process to a user with less permissions. -aj ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] November Bug Day Roundup & January Bug Day Announcement!
--On Dienstag, 18. Januar 2005 20:55 Uhr + Chris Withers <[EMAIL PROTECTED]> wrote: The next bug day is going to be on Thursday 27th November as an experiment to see if those who complain about the Friday bug days can make it. Hope to see all on #zope-dev next Thursday! 27th November -aj ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] root ZServer
On Tuesday 18 January 2005 9:18 pm, Alan Milligan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hi, > > I have a requirement to run a root uid Z2 process and was most surprised > to see that line 334 of Zope/Startup/__init__.py expressly forbids this, > throwing a ZConfig.ConfigurationError > > While it's not a good idea to configure Zope to run as root by default, > isn't it completely fascist to disallow it altogether? Similarly, I'd > now expect issues if I chose to attach a Z2 to a low port. > > As far as I'm concerned, the account policy (and port too) is clearly > defined by directives in zope.conf and should be honoured - clearly > someone's consciously made these configuration changes and is thus fully > accepting of their potential consequences. > > How about relaxing this requirement? > > Alan > Why would you need to run zope as root? You can start it as root so it can bind to a low numbered port and then it will switch to a less privelaged user for its normal operations. I can't think of a good reason right now for why a network service should be run as the root user. ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] root ZServer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I have a requirement to run a root uid Z2 process and was most surprised to see that line 334 of Zope/Startup/__init__.py expressly forbids this, throwing a ZConfig.ConfigurationError While it's not a good idea to configure Zope to run as root by default, isn't it completely fascist to disallow it altogether? Similarly, I'd now expect issues if I chose to attach a Z2 to a low port. As far as I'm concerned, the account policy (and port too) is clearly defined by directives in zope.conf and should be honoured - clearly someone's consciously made these configuration changes and is thus fully accepting of their potential consequences. How about relaxing this requirement? Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB7d+hCfroLk4EZpkRAuBaAKCm7PnRFMDtBBVft59L5FD4gIUdfQCgtXP0 1Qi8jv96rjUGRsI/x15Rty8= =P0J4 -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] November Bug Day Roundup & January Bug Day Announcement!
Hi All, It's a long time overdue, but here's the roundup. I suspect these all made it into 2.7.4, if anyone's curious :-) The great news is that lots of bugs were resolved, and it was especially good to see patches contributed by people outside the usual core of developers. Thanks to those people! The next bug day is going to be on Thursday 27th November as an experiment to see if those who complain about the Friday bug days can make it. Hope to see all on #zope-dev next Thursday! cheers, Chris Here's the lowdown: Resolved: #551 - ExtentionClass.h might conflict with other system versions #679 - ZPT: bogus close tag should be removed #721 - ZPT escapes attributes when it shouldn't #808 - Site Access Rule not working with dtml method in 2.6.1 #881 - Error: The ZGadflyDA product must be installed #995 - zope/python seg fault with infinite __str__ recursion #1003 - Overlong HTTP headers handled badly #1219 - XML Export #1371 - Surface cgi.maxlen in zope.conf #1407 - WebDav displayname Title #1450 - ZODBTools Packaging problem #1478 - Unittesting improvements #1489 - Invalid cookie causes other cookies to silently disappear #1510 - Unicode broken for non text/* content-types #1565 - monitor server not started #1593 - OFS/CopySupport _get_id() is buggy #1599 - ZSQL sqltest and unicode Wontfix: #922 - Version feature is broken in Zope #930 - Problems with Zope 2.6 config of sys.path on Windows #1461 - SCRIPT_NAME empty #1546 - Structured text links and IPv6 addresses Rejected: #576 - Importing ZClass fails #764 - ZCTextIndex is CMF incompatible #941 - Emergency user can own objects in Zope 2.7 #971 - Version only saves the last change #1023 - Tutorial import problem #1252 - VIRTUAL_URL #1512 - 2.8 failure with Plone: DocumentTemplate.ustr.py #1547 - import from one instance to another Deferred #1469 - win32 install 2.7.2 XP SP1 ..and here's the "player stats" :-) Resolved Assists Wontfix Rejected Deferred chrisw 6 151 ajung 6121 efge3 2 tseaver 1 regebro 1 ctheune 1 dpollard 1 sirilyan 1 jajcus 1 shh 1 sabaini 1 -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )