Re: [Zope] Starting Zope
Cary O'Brien wrote:
> > I've done it this way: http://www.zope.org/Members/otto/portfw
> [snip]
> How can this work? Won't Zope put a "base href=http://server:8080" tag into the head of the document and mess things up? Won't you need site-access to work around this?
>
> -- cary

You're probably right. I already had SiteAccess installed, so I never saw a problem. On the other hand, I just went to a URL my SiteAccess rules shouldn't know about (the IP) and didn't get that. Perhaps SiteAccess is doing something I don't understand. Anyone tried it?

-Otto.

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Starting Zope
Bill wrote...
> Of course, it is entirely possible the user meant something other than s/he wrote. ;) But that last one doesn't seem to indicate that.
>
> To put it succinctly: If you want Zope to bind to port 80 on *nix you have few options:
>
> o Change Zope to run SUID ** Bad Idea
> o Modify the kernel so _anyone_ can bind to ports under 1024 ** even worse
> o START Zope as root, run it as a non-privileged user, preferably one without a login.

You could also run zope behind Apache. The Apache bits that handle root permissions seem pretty well accepted. This doesn't really run Zope listening to port 80, but if you go to port 80 on the machine running Apache, you get to zope.

One advantage is that you can bounce Zope all day long without even touching root. Plus depending on your setup you can have Apache running on a separate machine. This can be better depending on the situation (i.e. development machines behind a firewall with private addresses).

The downside is that you need to become acquainted with the wonderful worlds of mod-rewrite and site-access[1]. Plus you may take a performance hit.

-- cary

[1] Can someone explain (or point me to the reason) why the base tag is necessary? It sure can make life difficult!

> File permissions are irrelevant when binding to ports under 1024 on Unix.
>
> --
> Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
> Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response,

Protection of the system from simple mistakes by trusted users? Also root can do a lot more, such as putting interfaces into promiscuous mode. So the idea is to just lift the bind-to-low-ports check.

> in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to < 1024 ports even when they run as a user with least privileges.

My revised thinking is that the patch should only lift the restriction for just the necessary ports. Another idea is to do it with groups, say let group n be a "net-privileged" group.

-- cary

> Just my opinion.
>
> nitesh.
>
> On Sun, 30 Jul 2000, Cary O'Brien wrote:
> > Cary O'Brien wrote:
> > > > Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
> > >
> > > Which is an even worse idea.
> >
> > Why? [...]
> >
> > Just for fun - does NT have the same restriction?
> >
> > -- cary
Re: [Zope] Starting Zope
Hello,
I'm the man who generated this jungly mailing. Simply, I use these scripts:

---/usr/local/scripts/zstart---
#!/bin/bash
# Invoked as root from the init script below: Zope binds port 80 while still
# root and then switches to $ZOPE_USER (the -u option). Output is discarded
# and the server is put in the background so that the caller gets control back.
$ZOPE_BASE/start -u $ZOPE_USER -w 80 1>/dev/null 2>&1 &
---

the previous is invoked by the next one:

---/etc/rc.d/init.d/zope---
#!/bin/bash
# zope
#
# chkconfig: 345 90 10
# description: Starts and stops the Zope instances
# processname: z2.py

# ZOPE ENVIRONMENT (exported so that zstart and zstop see them)
export ZOPE_BASE=/Zope-2.2.0
export ZOPE_USER=zope

# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 1

[ -x /usr/local/scripts/zstart ] || exit 1
[ -x /usr/local/scripts/zstop ] || exit 1

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Zope instances: "
        if /usr/local/scripts/zstart; then
            success zope startup
        else
            failure zope startup
        fi
        echo
        ;;
  stop)
        echo -n "Stopping Zope instances: "
        if /usr/local/scripts/zstop /etc/zope.conf; then
            success zope shutdown
        else
            failure zope shutdown
        fi
        echo
        ;;
  status)
        status $ZOPE_BASE/bin/python
        exit $?
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
esac
exit 0
---

which invokes also this one to stop all.

---/usr/local/scripts/zstop---
#!/bin/bash
# Kill the Zope process whose pid z2.py recorded in var/Z2.pid
kill `/bin/cat "$ZOPE_BASE/var/Z2.pid"`
---

Many thanks to jec, who's the author of the original suite of scripts that I mangled, stupidly, to realize the ones I showed to you here.

Thanx to all.

--
Giovanni Costagliola (jancos)
email: [EMAIL PROTECTED]
voice: +39 (0)347 1174139
Re: [Zope] Starting Zope
I've done it this way: http://www.zope.org/Members/otto/portfw

It's also relatively easy to convince a hosting provider to add this, as long as you have a dedicated IP address.

Perhaps I should have done a news item when I created this... seems a lot of people have hacked around the issue in all sorts of odd ways. :)

-Otto.

Costagliola Giovanni wrote:
> Hello All,
> How can I start Zope with a different user than root and catch the default HTTP port?
> If I try for example:
> su - -c './start -w 80 -u zope'
> I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
> Thanx
Re: [Zope] Starting Zope
> I've done it this way: http://www.zope.org/Members/otto/portfw
>
> It's also relatively easy to convince a hosting provider to add this, as long as you have a dedicated IP address.
>
> Perhaps I should have done a news item when I created this... seems a lot of people have hacked around the issue in all sorts of odd ways. :)
>
> -Otto.

How can this work? Won't Zope put a "base href=http://server:8080" tag into the head of the document and mess things up? Won't you need site-access to work around this?

-- cary

> Costagliola Giovanni wrote:
> > Hello All,
> > How can I start Zope with a different user than root and catch the default HTTP port?
> > If I try for example:
> > su - -c './start -w 80 -u zope'
> > I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
> > Thanx
[Zope] OT: Unix Permissions (was Re: [Zope] Starting Zope)
Cary O'Brien wrote:
[...]
> > in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to < 1024 ports even when they run as a user with least privileges.
>
> My revised thinking is that the patch should only lift the restriction for just the necessary ports. Another idea is to do it with groups, say let group n be a "net-privileged" group.

And yet another (and perhaps the better) is to look into the ACL support work being done at the kernel level. You can search the Linux Kernel mailing list archives for further details. Note: this is not production work, last I heard. Then again, neither is modifying the kernel in non-standard ways ;^)

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
Nitesh Dhanjani wrote:
> yes, but it would solve the permission problem the original poster mentioned.

No, because the original user wanted to _start_ Zope as user zope. Unless that user has a UID/GID of 0 (ie, is root by another name), the file permissions are irrelevant. Now, as to _running_ (ie, switch to once bound), the directory permissions come into play.

I was basing my response off of:

> How can I start Zope with a different user than root and catch the default HTTP port?

AND

> I see Oleg, more exactly I would start ZServer with an user like 'zope', for example, but at the same time I want it to link to port 80!

Of course, it is entirely possible the user meant something other than s/he wrote. ;) But that last one doesn't seem to indicate that.

To put it succinctly: If you want Zope to bind to port 80 on *nix you have few options:

o Change Zope to run SUID ** Bad Idea
o Modify the kernel so _anyone_ can bind to ports under 1024 ** even worse
o START Zope as root, run it as a non-privileged user, preferably one without a login.

File permissions are irrelevant when binding to ports under 1024 on Unix.

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
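Bill's third option (start as root, switch to an unprivileged user once the port is bound) is also what Oleg recommends earlier in the thread and what Zope's -u option is described as doing. As an added illustration, not code from the thread or from Zope, here is a minimal Python server that performs that sequence and then checks that root cannot be regained; the user name "zope" and port 80 are assumptions.

```python
"""Bind a privileged port as root, then drop to an unprivileged user.

Added example, not code from the thread or from Zope. The user name
"zope" and port 80 used by default are assumptions for illustration.
"""
import argparse
import grp
import os
import pwd
import socket

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root on classic Unix


def is_privileged_port(port):
    return 0 < port < PRIVILEGED_PORT_LIMIT


def bind_listener(port, host="0.0.0.0"):
    """Create the listening socket; for port < 1024 this must run as root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def listener_port(sock):
    return sock.getsockname()[1]


def current_ids():
    """(uid, gid, sorted supplementary groups) of the running process."""
    return os.getuid(), os.getgid(), sorted(os.getgroups())


def ids_for_user(username):
    """Resolve a user name to the ids drop_to_ids() needs."""
    pw = pwd.getpwnam(username)
    groups = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    groups.add(pw.pw_gid)
    return pw.pw_uid, pw.pw_gid, sorted(groups)


def drop_to_ids(uid, gid, groups):
    """Permanently switch to uid/gid. Order matters: supplementary groups
    and gid must be changed while still root, because after setuid() the
    process can no longer change them."""
    if os.geteuid() == 0:
        try:
            os.setgroups(groups)
        except PermissionError:
            # Some sandboxes forbid setgroups() even for root; accept that
            # only when the current list already equals the target list.
            if sorted(os.getgroups()) != sorted(groups):
                raise
    os.setgid(gid)
    os.setuid(uid)
    return verify_dropped(uid, gid)


def verify_dropped(uid, gid):
    """True if real/effective/saved ids match and root cannot be regained."""
    if hasattr(os, "getresuid"):
        if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
            return False
    elif os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        return False
    if uid == 0:
        return True  # nothing was dropped; the caller decides if that is OK
    try:
        os.setuid(0)
    except PermissionError:
        return True  # saved uid is no longer 0, so the drop is permanent
    return False  # regaining root worked: the drop was not permanent


def serve(sock):
    """Tiny HTTP responder showing the socket still works after the drop."""
    body = b"placeholder server running as uid %d\n" % os.getuid()
    while True:
        conn, _ = sock.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                         b"Content-Length: %d\r\n\r\n" % len(body) + body)


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-w", "--port", type=int, default=80)   # assumed default
    ap.add_argument("-u", "--user", default="zope")         # assumed account
    args = ap.parse_args()
    if is_privileged_port(args.port) and os.geteuid() != 0:
        raise SystemExit("port %d needs root to bind; start as root" % args.port)
    listener = bind_listener(args.port)             # 1. bind while still root
    if not drop_to_ids(*ids_for_user(args.user)):   # 2. drop uid/gid for good
        raise SystemExit("privilege drop failed; refusing to serve as root")
    serve(listener)                                 # 3. serve unprivileged
```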
Re: [Zope] Starting Zope
> > I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.

That is what I was responding to. I am aware of the facts you mention regarding the 3 points you make below, and agree with them.

nitesh.

On Sun, 30 Jul 2000, Bill Anderson wrote:
> Nitesh Dhanjani wrote:
> > yes, but it would solve the permission problem the original poster mentioned.
>
> No, because the original user wanted to _start_ Zope as user zope. Unless that user has a UID/GID of 0 (ie, is root by another name), the file permissions are irrelevant. Now, as to _running_ (ie, switch to once bound), the directory permissions come into play.
>
> I was basing my response off of:
>
> > How can I start Zope with a different user than root and catch the default HTTP port?
>
> AND
>
> > I see Oleg, more exactly I would start ZServer with an user like 'zope', for example, but at the same time I want it to link to port 80!
>
> Of course, it is entirely possible the user meant something other than s/he wrote. ;) But that last one doesn't seem to indicate that.
>
> To put it succinctly: If you want Zope to bind to port 80 on *nix you have few options:
>
> o Change Zope to run SUID ** Bad Idea
> o Modify the kernel so _anyone_ can bind to ports under 1024 ** even worse
> o START Zope as root, run it as a non-privileged user, preferably one without a login.
>
> File permissions are irrelevant when binding to ports under 1024 on Unix.
>
> --
> Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
> Cary O'Brien wrote:
> > Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
>
> Which is an even worse idea.

Why? On a sufficiently firewalled off box, where the few logins are completely trusted, what's the diff? If you were worried about people cracking a user account and getting underneath telnet, then limit the lifting of the restriction to port 80. If you are concerned that non-root users could launch attacks from low ports at other machines, assuming that only good guys can come from low ports is pretty naive.

The whole business about not letting anyone but root bind to low ports makes sense for a public access machine where all the first year engineering students have an account, but for a dedicated application server it is kind of misdirected. You ought to be running next to nothing but the application, and you had better trust everyone that you give a login to, and you ought to have the thing locked down/firewalled well. So the tiny bit of possible protection may not be worth the hassle/risks of writing your own suid-wrapper, or the complexity of having a redirect and messing with site-access so that the port numbers in the zope -- what is that parameter -- base or whatever, come out right.

Just for fun - does NT have the same restriction?

-- cary
Re: [Zope] Starting Zope
Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response, in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to < 1024 ports even when they run as a user with least privileges.

Just my opinion.

nitesh.

On Sun, 30 Jul 2000, Cary O'Brien wrote:
> > Cary O'Brien wrote:
> > > Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
> >
> > Which is an even worse idea.
>
> Why? [...]
>
> Just for fun - does NT have the same restriction?
>
> -- cary
Re: [Zope] Starting Zope
(Quoting reversed for sake of continuity.)

On Sun, 30 Jul 2000, Cary O'Brien wrote:
> > Cary O'Brien wrote:
> > > Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
> >
> > Which is an even worse idea.
>
> Why? [...]
>
> Just for fun - does NT have the same restriction?

Nitesh Dhanjani wrote:
> Interesting argument. However, consider this: if you completely trust your 'firewalled' box, then why not run the web server as root? One response, in your case is the fact that you mention your trust on users (humans are the most easy to compromise, however that argument is a bit OT). However, do you trust all of your webserver code? Do you trust your cgi-bin scripts and applications? And by trust I not only mean harmful intent by the authors of software, but unintentional bugs which can be exploited, and will be given the privilege to bind to < 1024 ports even when they run as a user with least privileges.

Exactly. In addition, relying solely on a firewall is a bad idea from a security standpoint. Firewalls can, and do, get breached.

I don't run many services on _any_ of my machines for security reasons. I certainly don't want Joe Random User to fire them up either. Consider tftpd, or telnetd, or rlogin, rusers, rwho, ruptime, etc. There are many ways a user can compromise, not only the machine he is on, but other machines by having the capability to bind to ports under 1024. Nearly all of them are off topic for this list; thus I would recommend a number of the security resources available on the web, such as:

http://www.rootshell.com
http://www.securityfocus.com

Just a quick example: A user can upload a custom compiled version of (insert service such as DNS, NIS, telnetd, httpd, etc.) that uses his/her local libraries, bypassing /etc/services. Since they can bind to ports under 1025, they can be started by the user. Whereas, for example, on other systems, their app would fail. Now, consider that if they used a version of, say ftpd, or fingerd, or named, that has known security openings, they can then exploit this to get root accounts; the firewall being bypassed by being local to the machine.

Remember, Cary, if you don't think like a cracker/hacker, you can't stop them. If you can't see why allowing users (and users' programs) can be a problem, doing so is a violation of the basic premise of good security: That which is not specifically allowed, is denied.

And, BTW, for the record, I handle Unix/Network security for a company known as Hewlett-Packard, so I think I have a good idea of the risks and potential exploits ;)

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
RE: [Zope] Starting Zope
Not to continue offtopic for too much longer, but IMHO, the "only root can bind to ports under 1025" was, and continues to be, a terrible UNIX hack that was possibly reasonable at its time of inception, but that has since *caused* more security holes than it ever helped to prevent. The argument for the hack is backwards compatibility; any other explanation usually ends up as rationalization or circular logic.

My $.02.

-----Original Message-----
From: Bill Anderson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 30, 2000 5:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Zope] Starting Zope

[...]
Re: [Zope] Starting Zope
Costagliola Giovanni wrote:
> On Thu, 27 Jul 2000, Oleg Broytmann wrote:
> > On Thu, 27 Jul 2000, Costagliola Giovanni wrote:
> > > How can I start Zope with a different user than root and catch the default HTTP port?
> >
> > Use different way - start Zope as root, catch port 80 and drop uid.
> >
> > > I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
> >
> > This is a different error, not a problem with port 80, ah?
>
> I see Oleg, more exactly I would start ZServer with an user like 'zope', for example, but at the same time I want it to link to port 80! I could use the root user simply but I'll lose my sleep :^)
> Can you give me some input?

> If you want to bind to ports < 1024 you _must_ be root. Zope can run as another user (the -u user option), but it must be _started_ as root, if you want to bind to port 80. Period. Sorry, there is no other way, short of making Zope SUID, which is a very, very, very, very, very, very bad idea.

Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.

-- cary
Re: [Zope] Starting Zope
Cary O'Brien wrote:
> Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.

Which is an even worse idea.

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
chown the var directory to the zope user. This is what I do with my setup.

On Sat, 29 Jul 2000, Cary O'Brien wrote:
> Costagliola Giovanni wrote:
> > On Thu, 27 Jul 2000, Oleg Broytmann wrote:
> > [...]
> > > > I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
> > >
> > > This is a different error, not a problem with port 80, ah?
> [...]
>
> Well... If you are running on Linux you could simply edit the kernel code to eliminate the check on being root to bind to low ports. That's what we did.
>
> -- cary
Re: [Zope] Starting Zope
Nitesh Dhanjani wrote:
> chown the var directory to the zope user. This is what I do with my setup.

That will not let you bind to ports < 1024.

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
yes, but it would solve the permission problem the original poster mentioned.

On Sat, 29 Jul 2000, Bill Anderson wrote:
> Nitesh Dhanjani wrote:
> > chown the var directory to the zope user. This is what I do with my setup.
>
> That will not let you bind to ports < 1024.
>
> --
> Do not meddle in the affairs of sysadmins, for they are easy to annoy, and have the root password.
Re: [Zope] Starting Zope
On Thu, 27 Jul 2000, Oleg Broytmann wrote:
> On Thu, 27 Jul 2000, Costagliola Giovanni wrote:
> > How can I start Zope with a different user than root and catch the default HTTP port?
>
> Use different way - start Zope as root, catch port 80 and drop uid.
>
> > I receive an error because root hasn't granted the needed privileges on /Zope/var/ directory.
>
> This is a different error, not a problem with port 80, ah?

I see Oleg, more exactly I would start ZServer with an user like 'zope', for example, but at the same time I want it to link to port 80! I could use the root user simply but I'll lose my sleep :^)
Can you give me some input?

> Oleg. (All opinions are mine and not of my employer)
> Oleg Broytmann, Foundation for Effective Policies, [EMAIL PROTECTED]
> Programmers don't die, they just GOSUB without RETURN.

--
Giovanni Costagliola (jancos)
email: [EMAIL PROTECTED]
voice: +39 (0)347 1174139
Re: [Zope] Starting Zope on FreeBSD 2.2.8---Python dumps core
+[ Loren M. McCarter ]-
| I'm having difficulty starting Zope.
|
| Versions:
| Zope: 2.1.6, compiled from source with "python wo_pcgi.py"
| Python: 1.5.2, (#2, Jan 17 2000) [GCC 2.7.2.1] on freebsd2
| Python is compiled with pthreads enabled.
| FreeBSD: 2.2.8 (yes, I know it is outdated).

The FreeBSD threads support even up until 4.0-RELEASE was atrocious. You will probably find that it is this thread support that is hosing your python, and therefore your Zope.

Zope will run on FreeBSD 3.4, 3.5 quite well, but, you really want to have 4.0-Stable on your machine. You will have to upgrade the OS on your machine, be it a switch to Linux, or an upgrade in FreeBSD.

--
Totally Holistic Enterprises Internet | P:+61 7 3870 0066 | Andrew Milton
The Internet (Aust) Pty Ltd           | F:+61 7 3870 4477 |
ACN: 082 081 472                      | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068     | [EMAIL PROTECTED] |