Mailing List Archive: Zope: Dev

root ZServer

Index | Next | Previous | View Threaded

alan at balclutha

Jan 18, 2005, 8:18 PM

Post #1 of 7 (951 views)
Permalink

root ZServer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have a requirement to run a root uid Z2 process and was most surprised
to see that line 334 of Zope/Startup/__init__.py expressly forbids this,
throwing a ZConfig.ConfigurationError

While it's not a good idea to configure Zope to run as root by default,
isn't it completely fascist to disallow it altogether? Similarly, I'd
now expect issues if I chose to attach a Z2 to a low port.

As far as I'm concerned, the account policy (and port too) is clearly
defined by directives in zope.conf and should be honoured - clearly
someone's consciously made these configuration changes and is thus fully
accepting of their potential consequences.

How about relaxing this requirement?

Alan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB7d+hCfroLk4EZpkRAuBaAKCm7PnRFMDtBBVft59L5FD4gIUdfQCgtXP0
1Qi8jv96rjUGRsI/x15Rty8=
=P0J4
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

kosh at aesaeion

Jan 18, 2005, 9:34 PM

Post #2 of 7 (928 views)
Permalink

Re: root ZServer [In reply to]

On Tuesday 18 January 2005 9:18 pm, Alan Milligan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I have a requirement to run a root uid Z2 process and was most surprised
> to see that line 334 of Zope/Startup/__init__.py expressly forbids this,
> throwing a ZConfig.ConfigurationError
>
> While it's not a good idea to configure Zope to run as root by default,
> isn't it completely fascist to disallow it altogether? Similarly, I'd
> now expect issues if I chose to attach a Z2 to a low port.
>
> As far as I'm concerned, the account policy (and port too) is clearly
> defined by directives in zope.conf and should be honoured - clearly
> someone's consciously made these configuration changes and is thus fully
> accepting of their potential consequences.
>
> How about relaxing this requirement?
>
> Alan
>

Why would you need to run zope as root? You can start it as root so it can
bind to a low numbered port and then it will switch to a less privelaged user
for its normal operations. I can't think of a good reason right now for why a
network service should be run as the root user.
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

lists at andreas-jung

Jan 18, 2005, 9:46 PM

Post #3 of 7 (929 views)
Permalink

Re: root ZServer [In reply to]

--On Mittwoch, 19. Januar 2005 15:18 Uhr +1100 Alan Milligan
<alan [at] balclutha> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I have a requirement to run a root uid Z2 process and was most surprised
> to see that line 334 of Zope/Startup/__init__.py expressly forbids this,
> throwing a ZConfig.ConfigurationError
>
> While it's not a good idea to configure Zope to run as root by default,
> isn't it completely fascist to disallow it altogether? Similarly, I'd
> now expect issues if I chose to attach a Z2 to a low port.
>
> As far as I'm concerned, the account policy (and port too) is clearly
> defined by directives in zope.conf and should be honoured - clearly
> someone's consciously made these configuration changes and is thus fully
> accepting of their potential consequences.
>
> How about relaxing this requirement?

There is zero need to relax this requirement. You only have to start Zope
as root
to get port 80 but it is in general not a good idea for *any* service to run
as root for security reasons. So there is absolutely no reason to *not*
changing
the the uid of the process to a user with less permissions.

-aj
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

alan at balclutha

Jan 18, 2005, 10:04 PM

Post #4 of 7 (908 views)
Permalink

Re: root ZServer [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Jung wrote:

| There is zero need to relax this requirement. You only have to start
| Zope as root
I just explained you cannot start as root ...

| to get port 80 but it is in general not a good idea for *any* service to
| run
| as root for security reasons. So there is absolutely no reason to *not*
| changing
| the the uid of the process to a user with less permissions.
Says you!!

I happen to be using zope to wrap a number of excellent Python rpm
packaging scripts/modules (eg yum, mach), and as part of this process,
need to do rpm package installs from the zope server which obviously
requires root access.

I see no reason why I should be penalised for using the excellent
workflow features of Zope in a system programming environment.

If Zope is to be useful to the widest cross community, we really MUST
stop this 'we know best' attitude and allow people at the coalface to
override default behaviour as only they are in a position to evaluate
the appropriateness of the 'security reasons'.

How about a 'yes' response this time.

Alan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB7fiFCfroLk4EZpkRAoDZAJ40UveUjpBGyN0/1VnUmZUQz0GctgCfa+R1
tvE2RP5DNwa2IlEmMmX2l0g=
=JNQg
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

lists at andreas-jung

Jan 18, 2005, 10:20 PM

Post #5 of 7 (927 views)
Permalink

Re: root ZServer [In reply to]

--On Mittwoch, 19. Januar 2005 17:04 Uhr +1100 Alan Milligan
<alan [at] balclutha> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andreas Jung wrote:
>
>| There is zero need to relax this requirement. You only have to start
>| Zope as root
> I just explained you cannot start as root ...

And I explained that Zope wants to the change the UID to a non-root account
for security reasons.

>
>| to get port 80 but it is in general not a good idea for *any* service to
>| run
>| as root for security reasons. So there is absolutely no reason to *not*
>| changing
>| the the uid of the process to a user with less permissions.
> Says you!!
>
> I happen to be using zope to wrap a number of excellent Python rpm
> packaging scripts/modules (eg yum, mach), and as part of this process,
> need to do rpm package installs from the zope server which obviously
> requires root access.
>
> I see no reason why I should be penalised for using the excellent
> workflow features of Zope in a system programming environment.
>
> If Zope is to be useful to the widest cross community, we really MUST
> stop this 'we know best' attitude and allow people at the coalface to
> override default behaviour as only they are in a position to evaluate
> the appropriateness of the 'security reasons'.
>

To be honest: if you need another behaviour than the one implemented then
fix it on your own and maybe
put a patch into the Zope collector. So if someone has the same problem it
can grab the patch. At least your usecase
does not seem to be common so I don't think we should add such a dangerous
feature (although if disabled by default)
with Zope. There are also other applications e.g. postgres that refuse to
run as root. If you need to perform
root-level operations from within a non-rooted Zope there are enough
solutions available to give
the application limited root right (sudo etc....search on freshmeat). I
consider your request as a YAGNI.

-aj

_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

alan at balclutha

Jan 19, 2005, 1:01 AM

Post #6 of 7 (926 views)
Permalink

Re: root ZServer [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

S.Aeschbacher wrote:

|> You can solve this problem by using sudo. Make an external method that
|> executes sudo with the commands you want (you have to use the NOPASSWD
|> option to prevent sudo for asking for a password). This gives you both,
|> zope running as a non privileged user and your rpm commands running
as root.
|
check out mach ( http://thomas.apestaart.org/projects/mach/) ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFB7iHhCfroLk4EZpkRAmL4AJ9J7DnBTJ6YlbkWvR5k6vrrYIUrSgCgpb5F
qHJp0lOn1dyB04fWLSaHwv0=
=Ifk0
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

zope at bturtle

Jan 19, 2005, 1:02 AM

Post #7 of 7 (923 views)
Permalink

Re: root ZServer [In reply to]

On Wed, Jan 19, 2005 at 05:04:53PM +1100, Alan Milligan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andreas Jung wrote:
>
> | There is zero need to relax this requirement. You only have to start
> | Zope as root
> I just explained you cannot start as root ...
>
> | to get port 80 but it is in general not a good idea for *any* service to
> | run
> | as root for security reasons. So there is absolutely no reason to *not*
> | changing
> | the the uid of the process to a user with less permissions.
> Says you!!
>
> I happen to be using zope to wrap a number of excellent Python rpm
> packaging scripts/modules (eg yum, mach), and as part of this process,
> need to do rpm package installs from the zope server which obviously
> requires root access.

You can solve this problem by using sudo. Make an external method that
executes sudo with the commands you want (you have to use the NOPASSWD
option to prevent sudo for asking for a password). This gives you both,
zope running as a non privileged user and your rpm commands running as root.

regards

Stefan

>
> I see no reason why I should be penalised for using the excellent
> workflow features of Zope in a system programming environment.
>
> If Zope is to be useful to the widest cross community, we really MUST
> stop this 'we know best' attitude and allow people at the coalface to
> override default behaviour as only they are in a position to evaluate
> the appropriateness of the 'security reasons'.
>
> How about a 'yes' response this time.
>
> Alan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFB7fiFCfroLk4EZpkRAoDZAJ40UveUjpBGyN0/1VnUmZUQz0GctgCfa+R1
> tvE2RP5DNwa2IlEmMmX2l0g=
> =JNQg
> -----END PGP SIGNATURE-----
> _______________________________________________
> Zope-Dev maillist - Zope-Dev [at] zope
> http://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope )
_______________________________________________
Zope-Dev maillist - Zope-Dev [at] zope
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads