Re: [Zope] installation security best practice question

2006-03-14 Thread Jens Vagelpohl
> Currently I am installing zope as root and then logging in as a user and
> making an instance. When I go to run the zope instance as the user it says
> I do not have the permissions to run the files.
>
> If I change the permissions on the zope folder so that everyone has all
> permissions then it works; however, this isn't a great security option.
>
> Does anyone have any ideas on how to sort this one out?


The best way to install and run Zope is to have a dedicated user  
account and install and run it as that user. Most everything else  
will lead to problems and frustration.


jens

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] installation security best practice question

2006-03-14 Thread JulianRead

I have tried this method. I have made a zope instance as a dedicated user; the
owner of this file is that of the dedicated user.

When I go to run zope as this user I get an error message saying that there
is an error opening a file in the install directory (not the zope instance).
If I change the permissions on that file I get an error saying that there is
an error opening another file (in the install directory).

Any ideas how I can avoid this?
--
View this message in context: 
http://www.nabble.com/installation-security-best-practice-question-t1278137.html#a3395576
Sent from the Zope - General forum at Nabble.com.



Re: [Zope] installation security best practice question

2006-03-14 Thread Jens Vagelpohl


On 14 Mar 2006, at 12:31, JulianRead wrote:

> I have tried this method. I have made a zope instance as a dedicated user; the
> owner of this file is that of the dedicated user.
>
> When I go to run zope as this user I get an error message saying that there
> is an error opening a file in the install directory (not the zope instance).
> If I change the permissions on that file I get an error saying that there is
> an error opening another file (in the install directory).
>
> Any ideas how I can avoid this?


I repeat: *Install* and run with the same user.

jens



Re: [Zope] installation security best practice question

2006-03-14 Thread Luca Olivetti

Jens Vagelpohl wrote:

> The best way to install and run Zope is to have a dedicated user account
> and install and run it as that user. Most everything else will lead to
> problems and frustration.


Only because the zope-2.8.6 tarball has wrong permissions. It worked 
before, it will work once you fix the permission on the installed zope.


Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007


Re: [Zope] installation security best practice question

2006-03-14 Thread Jens Vagelpohl


On 14 Mar 2006, at 14:09, Luca Olivetti wrote:

> Jens Vagelpohl wrote:
>
>> The best way to install and run Zope is to have a dedicated user
>> account and install and run it as that user. Most everything else
>> will lead to problems and frustration.
>
> Only because the zope-2.8.6 tarball has wrong permissions. It
> worked before, it will work once you fix the permission on the
> installed zope.


The advice has nothing to do with Zope 2.8.6 or any other tarball.  
Trying to be overly clever and not using a dedicated account for both  
installation and running your Zope doesn't add much security, it only  
adds complication. Unless you install software that lets users write  
to the file system through the web people cannot get to the filesystem.


jens



Re: [Zope] installation security best practice question

2006-03-14 Thread Luca Olivetti

Jens Vagelpohl wrote:

> On 14 Mar 2006, at 14:09, Luca Olivetti wrote:
>
>> Jens Vagelpohl wrote:
>>
>>> The best way to install and run Zope is to have a dedicated user
>>> account and install and run it as that user. Most everything else
>>> will lead to problems and frustration.
>>
>> Only because the zope-2.8.6 tarball has wrong permissions. It worked
>> before, it will work once you fix the permission on the installed zope.
>
> The advice has nothing to do with Zope 2.8.6 or any other tarball.
> Trying to be overly clever and not using a dedicated account for both
> installation and running your Zope doesn't add much security, it only
> adds complication.

But one zope instance doesn't need write access to zope itself, only to
the instance directory. It needs read access though, and it's not set up
this way by the latest zope, so I think that the problem of the OP comes
from this change in permissions in the tarball.

> Unless you install software that lets users write to
> the file system through the web people cannot get to the filesystem.

I usually install zope as root to /usr/local, then set up (or actually
use the already set up) instances for two different users, one for
production and the other for testing, so I don't want to install as the
same user, since I don't want to duplicate the zope installation, only
the instance, and that should be possible (in fact it has been until
now) without compromising security.


Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007
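
The permission model described in the message above (instances need read access to the shared installation, and write access only to their own instance directory) can be checked mechanically. This is an added example, not part of the thread or of Zope: a shell function that audits a root-installed software home, run here against a constructed tree whose layout and file names are made up for illustration.

```shell
#!/bin/sh
# Audit a shared software home: other users (the instance accounts) must be
# able to read and traverse it, and must not be able to write to it.
# Prints "FINDING path" lines; returns 0 when clean, 1 when anything is found.
audit_software_home() {
    root=$1
    [ -d "$root" ] || { echo "NOT_A_DIRECTORY $root"; return 2; }
    findings=$(
        # Directories other users cannot list or traverse (need o+r and o+x).
        find "$root" -type d ! -perm -005 -print | sed 's/^/DIR_NOT_TRAVERSABLE /'
        # Regular files other users cannot read (the "error opening a file" case).
        find "$root" -type f ! -perm -004 -print | sed 's/^/FILE_NOT_READABLE /'
        # Files the owner can execute but other users cannot.
        find "$root" -type f -perm -100 ! -perm -001 -print | sed 's/^/FILE_NOT_EXECUTABLE /'
        # World-writable entries: the "everyone has all permissions" workaround.
        find "$root" \( -type f -o -type d \) -perm -002 -print | sed 's/^/WRITABLE_BY_OTHERS /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed sample tree (hypothetical names) and print its path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/python" "$d/bin"
    echo 'x = 1' > "$d/lib/python/ok.py";     chmod 644 "$d/lib/python/ok.py"
    echo 'x = 2' > "$d/lib/python/locked.py"; chmod 600 "$d/lib/python/locked.py"
    echo 'x = 3' > "$d/lib/python/open.py";   chmod 666 "$d/lib/python/open.py"
    echo '#!/bin/sh' > "$d/bin/tool";         chmod 744 "$d/bin/tool"
    chmod 755 "$d" "$d/lib" "$d/lib/python" "$d/bin"
    echo "$d"
}

demo=$(build_demo_tree)
audit_software_home "$demo" || true
rm -rf "$demo"
```

The check only looks at mode bits; it does not verify ownership, so run it against a tree that is expected to be owned by the installing account.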


Re: [Zope] installation security best practice question

2006-03-14 Thread Jens Vagelpohl


On 14 Mar 2006, at 15:13, Luca Olivetti wrote:

>> Unless you install software that lets users write to the file
>> system through the web people cannot get to the filesystem.
>
> I usually install zope as root to /usr/local, then set up (or
> actually use the already set up) instances for two different users,
> one for production and the other for testing, so I don't want to
> install as the same user, since I don't want to duplicate the zope
> installation, only the instance, and that should be possible (in
> fact it has been until now) without compromising security.


My point was that the security you speak of is illusory. You don't  
win anything.


jens




Re: [Zope] installation security best practice question

2006-03-14 Thread Luca Olivetti

Jens Vagelpohl wrote:

> On 14 Mar 2006, at 15:13, Luca Olivetti wrote:
>
>> [...]
>> the same user, since I don't want to duplicate the zope installation,
>> only the instance, and that should be possible (in fact it has been
>> until now) without compromising security.
>
> My point was that the security you speak of is illusory. You don't win
> anything.


I win 58M of space (since I install zope only once), and I lose nothing 
(unless you're saying that the product of ./configure; make; make 
install is a security problem if world readable).


Bye
--
Luca Olivetti
Wetron Automatización S.A. http://www.wetron.es/
Tel. +34 93 5883004  Fax +34 93 5883007