On Sunday 06 Oct 2002 4:56 pm, Chris McDonough wrote:

> > It's probably unavoidable that the log file is opened as root --
> > it's used to report "can't setuid()". :-)

That's what syslog is for.

It is good security practice that a daemon should *never* have a writable 
file descriptor for its log file. If it does, and the daemon is compromised, 
an attacker can trivially cover his tracks by removing the incriminating 
evidence from the log file.

> Pidfiles too.

Currently it is common practice for Zope's 'stop' scripts to be run as root. 
We can't allow the pid files to be written by non-root users, otherwise those 
users could trick root into killing an arbitrary process.

>  The only real
> purpose to running as root is to be able to bind to low-numbered TCP
> ports.

IMO there are better solutions to the problems to which low-numbered ports are 
a common solution. Zope/ZSS never *needs* a low numbered port, and zope 
should never be started as root.

(I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev)

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )
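The pidfile concern raised in the message above (a root-run stop script that does the equivalent of `kill $(cat pidfile)` can be steered into signalling an arbitrary process if an unprivileged user can write the pidfile) can be mitigated on the reading side. The following is an added example, not code from the thread or from Zope: a check a privileged stop script can run before trusting a pid. It refuses the pidfile unless the containing directory and the file are owned by the expected uid and not writable by group or others, the file is a regular file reached without following a symlink, and the content is a single positive integer greater than 1. The function names, the `expected_uid` parameter and the `demo()` fixtures are this example's own assumptions; the constructed demo writes its sample pidfiles into a throwaway temporary directory.

```python
"""Validate a pidfile before a privileged 'stop' script trusts its contents.

Added illustration (not Zope's code): the checks below are the ones a
root-run stop script could apply so that a user-writable pidfile cannot
redirect the kill at an arbitrary process.
"""
import os
import shutil
import stat
import tempfile


class UntrustedPidfile(Exception):
    """Raised when the pidfile could have been written by another user."""


def _require_owner_and_mode(st, path, expected_uid):
    """Reject anything not owned by expected_uid or writable by group/others."""
    if st.st_uid != expected_uid:
        raise UntrustedPidfile("%s is owned by uid %d, expected %d"
                               % (path, st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedPidfile("%s is writable by group or others" % path)


def read_trusted_pid(pidfile, expected_uid=0):
    """Return the pid stored in pidfile, or raise UntrustedPidfile.

    expected_uid defaults to 0 because the stop script in the thread runs as
    root; a daemon started as another uid would pass that uid instead.
    """
    pidfile = os.path.abspath(pidfile)
    parent = os.path.dirname(pidfile)
    dst = os.lstat(parent)
    if not stat.S_ISDIR(dst.st_mode):
        raise UntrustedPidfile("%s is not a directory" % parent)
    # A world-writable directory (even a sticky one like /tmp) lets other
    # users create or rename entries, so it is refused as well.
    _require_owner_and_mode(dst, parent, expected_uid)
    try:
        # O_NOFOLLOW: a symlink planted in place of the pidfile is refused.
        fd = os.open(pidfile, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UntrustedPidfile("cannot open %s: %s" % (pidfile, exc))
    try:
        # fstat on the open descriptor: checks apply to the file we will read,
        # not to a path that could be swapped between check and read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedPidfile("%s is not a regular file" % pidfile)
        _require_owner_and_mode(st, pidfile, expected_uid)
        text = os.read(fd, 64).decode("ascii", "replace").strip()
    finally:
        os.close(fd)
    if not text.isdigit():
        raise UntrustedPidfile("%s does not contain a pid" % pidfile)
    pid = int(text)
    if pid <= 1:
        # pid 0 would signal the caller's whole process group, pid 1 is init.
        raise UntrustedPidfile("refusing to trust pid %d" % pid)
    return pid


def pidfile_is_trustworthy(pidfile, expected_uid=0):
    """Boolean wrapper around read_trusted_pid for use in a stop script."""
    try:
        read_trusted_pid(pidfile, expected_uid)
    except UntrustedPidfile:
        return False
    return True


def demo():
    """Constructed fixtures: one sound pidfile and several tampered variants.

    Uses the current uid as expected_uid so the demo runs unprivileged.
    """
    uid = os.getuid()
    base = tempfile.mkdtemp()  # mode 0700, owned by the current user
    try:
        good = os.path.join(base, "zope.pid")
        with open(good, "w") as fh:
            fh.write("12345\n")
        loose = os.path.join(base, "loose.pid")
        with open(loose, "w") as fh:
            fh.write("12345\n")
        os.chmod(loose, 0o666)  # anyone could rewrite the pid
        zero = os.path.join(base, "zero.pid")
        with open(zero, "w") as fh:
            fh.write("0\n")
        link = os.path.join(base, "link.pid")
        os.symlink(good, link)
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # /tmp-style directory
        in_shared = os.path.join(shared, "zope.pid")
        with open(in_shared, "w") as fh:
            fh.write("12345\n")
        return {
            "good": read_trusted_pid(good, uid),
            "world_writable": pidfile_is_trustworthy(loose, uid),
            "pid_zero": pidfile_is_trustworthy(zero, uid),
            "symlink": pidfile_is_trustworthy(link, uid),
            "shared_dir": pidfile_is_trustworthy(in_shared, uid),
            "wrong_owner": pidfile_is_trustworthy(good, uid + 1),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, result in sorted(demo().items()):
        print("%-15s %r" % (name, result))
```

The directory check is deliberately conservative: a pidfile in a sticky world-writable directory such as `/tmp` is refused even though the file itself may be protected, because another user can still create or rename entries there. That matches the message's position that pidfiles must live where only root (or the daemon's own uid) can write.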