On Wed, Jan 19, 2005 at 05:04:53PM +1100, Alan Milligan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Jung wrote:
> 
> | There is zero need to relax this requirement. You only have to start
> | Zope as root
> I just explained you cannot start as root ...
> 
> | to get port 80 but it is in general not a good idea for *any* service to run
> | as root for security reasons. So there is absolutely no reason to *not* change
> | the uid of the process to a user with less permissions.
> Says you!!
> 
> I happen to be using zope to wrap a number of excellent Python rpm
> packaging scripts/modules (eg yum, mach), and as part of this process,
> need to do rpm package installs from the zope server which obviously
> requires root access.

You can solve this problem by using sudo. Make an external method that
executes sudo with the commands you want (you have to use the NOPASSWD
option to prevent sudo from asking for a password). This gives you both,
zope running as a non-privileged user and your rpm commands running as root.

regards

Stefan

> 
> I see no reason why I should be penalised for using the excellent
> workflow features of Zope in a system programming environment.
> 
> If Zope is to be useful to the widest cross community, we really MUST
> stop this 'we know best' attitude and allow people at the coalface to
> override default behaviour as only they are in a position to evaluate
> the appropriateness of the 'security reasons'.
> 
> How about a 'yes' response this time.
> 
> Alan
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFB7fiFCfroLk4EZpkRAoDZAJ40UveUjpBGyN0/1VnUmZUQz0GctgCfa+R1
> tvE2RP5DNwa2IlEmMmX2l0g=
> =JNQg
> -----END PGP SIGNATURE-----
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://mail.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists - 
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope )
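
The sudo approach from the reply above, sketched as an added example that is not code from the thread or from Zope: an external-method module that keeps Zope unprivileged and hands only a validated package path to `sudo rpm`. The spool directory, binary paths, function names and the sudoers entry shown in the comment are assumptions.

```python
import os
import subprocess

# Assumptions (not from the thread): spool directory, binary paths, and a
# sudoers entry added with visudo such as
#   zope ALL=(root) NOPASSWD: /bin/rpm
# The sudoers rule is the real privilege boundary; the checks below only keep
# request data from shaping the command that Zope itself issues.
SPOOL_DIR = "/var/spool/zope-rpms"
RPM = "/bin/rpm"
SUDO = "/usr/bin/sudo"


def build_install_argv(package_name):
    """Return the argv for a root rpm install, or raise ValueError."""
    # Accept a bare file name only: no directories, no option-like names.
    if package_name != os.path.basename(package_name):
        raise ValueError("package must be a bare file name")
    if package_name.startswith("-") or not package_name.endswith(".rpm"):
        raise ValueError("not an acceptable .rpm file name")
    spool = os.path.realpath(SPOOL_DIR)
    path = os.path.realpath(os.path.join(spool, package_name))
    # realpath resolves symlinks, so a link pointing outside the spool fails.
    if os.path.dirname(path) != spool:
        raise ValueError("package resolves outside the spool directory")
    # -n makes sudo fail instead of prompting; the absolute path starts with
    # "/", so rpm cannot read it as an option.
    return [SUDO, "-n", RPM, "-U", path]


def install_package(package_name):
    """External-method entry point: Zope stays unprivileged, rpm runs as root."""
    argv = build_install_argv(package_name)
    # argv list with no shell, so the name is never parsed as shell syntax.
    # Package scriptlets run as root: the spool must not be writable by
    # anyone who should not have root.
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=300)
    return proc.returncode, proc.stderr
```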