
Mailing List Archive: Zope: Users

nonroot user running zope on 80


jdhunter at ace

Sep 21, 2004, 1:41 PM

Post #1 of 8
nonroot user running zope on 80

On a linux box, what is the right way to allow a non-privileged user
(eg "zope") to run a zope server on port 80. I can run on 8080 just
fine, but don't have access to the lower numbered ports.

Interestingly, when I try 'bin/runzope' as root (port 80 or 8080), I
get a segmentation fault, even though I can run on 80 as user zope.

[root [at] crcdoc bin]# ./runzope
------
2004-09-21T16:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 16:29:36 2004
Hostname: localhost.localdomain
Port: 8080
------
2004-09-21T16:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 16:29:36 2004
Hostname: crcdocs.bsd.uchicago.edu
Port: 8021
Segmentation fault
[root [at] crcdoc bin]#

zope 2.7.2
_______________________________________________
Zope maillist - Zope [at] zope
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )


jdhunter at ace

Sep 21, 2004, 2:41 PM

Post #2 of 8
Re: Re: nonroot user running zope on 80

>>>>> "Calvin" == Calvin Hendryx-Parker <calvin [at] sixfeetup> writes:

Calvin> You have to start the parent process as root since it is
Calvin> below 1024, but in the zope.conf you can set the
Calvin> effective-user to someone else so its children will then
Calvin> run as the non-privileged user. Not optimal, but works.

Yes, that is what I am doing:

effective-user zope

<http-server>
# valid keys are "address" and "force-connection-close"
address 80
# force-connection-close on
</http-server>

<ftp-server>
# valid key is "address"
address 21
</ftp-server>

Then starting zope as root. I chown -R zope.zope the zope root dir to
make sure zope user had access to all the log and dbase files, etc
that it needed. But I get the segfault when I try and run as root.

For good measure I did a clean re-install of python and zope from src
but still get the segfault. Here are my compile notes

# setup for zope user
user> sudo /usr/sbin/useradd -m zope
user> sudo passwd zope

# login as zope

# configure python with zlib and LFS
zope> CFLAGS='-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64' OPT="-g -O2 $CFLAGS" ./configure
# Edit Modules/Setup and uncomment the zlib line; REQUIRED!
zope> make
root# make install

# build zope
zope> cd /var/tmp/build/Zope-2.7.2-0/
zope> ./configure --with-python=/usr/local/bin/python --prefix=/usr/local/Zope-2.7.2 # add the prefix - default is opt!
zope> make
root# make install
root# /usr/local/Zope-2.7.2/bin/mkzopeinstance.py
# prompted for username and passwd
# Directory: /usr/local/Zope-2.7.2/zope_instance
# username : zope
# passwd : whatever

# set the ownership
root# chown -R zope.zope /usr/local/Zope-2.7.2

# login as zope; change effective user to zope and the ports
zope> emacs -q -nw /usr/local/Zope-2.7.2/zope_instance/etc/zope.conf

# login as root and start zope
root# /usr/local/Zope-2.7.2/zope_instance/bin/runzope
------
2004-09-21T17:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 17:29:36 2004
Hostname: localhost.localdomain
Port: 80
------
2004-09-21T17:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 17:29:36 2004
Hostname: crcdocs.bsd.uchicago.edu
Port: 21
Segmentation fault


calvin at sixfeetup

Sep 21, 2004, 2:59 PM

Post #3 of 8
Re: nonroot user running zope on 80

John Hunter wrote:
> On a linux box, what is the right way to allow a non-privileged user
> (eg "zope") to run a zope server on port 80. I can run on 8080 just
> fine, but don't have access to the lower numbered ports.
>
> Interestingly, when I try 'bin/runzope' as root (port 80 or 8080), I
> get a segmentation fault, even though I can run on 80 as user zope.
>
> [root [at] crcdoc bin]# ./runzope
> ------
> 2004-09-21T16:29:36 INFO(0) ZServer HTTP server started at Tue Sep 21 16:29:36 2004
> Hostname: localhost.localdomain
> Port: 8080
> ------
> 2004-09-21T16:29:36 INFO(0) ZServer FTP server started at Tue Sep 21 16:29:36 2004
> Hostname: crcdocs.bsd.uchicago.edu
> Port: 8021
> Segmentation fault
> [root [at] crcdoc bin]#

You have to start the parent process as root since it is below 1024, but
in the zope.conf you can set the effective-user to someone else so its
children will then run as the non-privileged user. Not optimal, but works.

Calvin

--
S i x F e e t U p | "Nowhere to go but open-source"
Silicon Valley: +1 (650) 401-8579 | Midwest: +1 (317) 861-5948
Toll-Free: 1-866-SIX-FEET
mailto:calvin [at] sixfeetup
http://www.sixfeetup.com | Zope Hosting from $19.95/month



jdhunter at ace

Sep 21, 2004, 2:59 PM

Post #4 of 8
Re: Re: nonroot user running zope on 80

>>>>> "John" == John Hunter <jdhunter [at] ace> writes:

John> crcdocs.bsd.uchicago.edu Port: 21 Segmentation fault

For a little more information, I ran an strace. The effective-user
information is

[root [at] crcdoc Products]# grep zope /etc/passwd
zope:x:503:503::/home/zope:/bin/bash


and the strace is at
http://nitace.bsd.uchicago.edu:8080/files/share/strace.out.

If anyone has any insight, I'm much obliged.

JDH



calvin at sixfeetup

Sep 21, 2004, 7:47 PM

Post #5 of 8
Re: nonroot user running zope on 80

Just did a test and it worked by making a quick test instance::

cyclone% /Applications/Zope-2.7.2/bin/mkzopeinstance.py
Directory: ~/foobar
Please choose a username and password for the initial user.
These will be the credentials you use to initially manage
your new Zope instance.

Username: calvin
Password:
Verify password:

cyclone% vim ~/foobar/etc/zope.conf

Changed as follows::
139c139
< # effective-user chrism
---
> effective-user calvin
798c798
< address 8080
---
> address 88
804c804
< address 8021
---
> address 21


cyclone% sudo ~/foobar/bin/runzope

Comes up just fine and states during start up::
------
2004-09-21T21:37:10 INFO(0) ZServer HTTP server started at Tue Sep 21 21:37:10 2004
Hostname: cyclone.sixfeetup.house
Port: 88
------
2004-09-21T21:37:10 INFO(0) ZServer FTP server started at Tue Sep 21 21:37:10 2004
Hostname: cyclone
Port: 21
------
2004-09-21T21:37:10 INFO(0) Zope Set effective user to "calvin"

then after a bit::
2004-09-21T21:37:22 INFO(0) Zope Ready to handle requests


This was on OS X, but I would think that the same would apply for linux.
I'm guessing that it is still some sort of permission issue.


Calvin


jdhunter at ace

Sep 22, 2004, 5:25 AM

Post #6 of 8
Re: Re: nonroot user running zope on 80

>>>>> "Calvin" == Calvin Hendryx-Parker <calvin [at] sixfeetup> writes:

Calvin> This was on OS X, but I would think that the same would
Calvin> apply for linux. I'm guessing that it is still some sort
Calvin> of permission issue.

It's also worked for me, on other linux boxes. The strace I
posted yesterday indicates a failure on the set group call. I'll just
post the tail here

fstat(5, {st_mode=S_IFREG|0644, st_size=579, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a983ae000
lseek(5, 0, SEEK_CUR) = 0
read(5, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 579
read(5, "", 4096) = 0
close(5) = 0
munmap(0x2a983ae000, 4096) = 0
setgroups(1, [503]) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

I'm hoping that this gives some zope guru-possibly-named-tim an idea of
what is going wrong. Here is my /etc/group and /etc/passwd info for
the effective user

[root [at] crcdoc Products]# grep zope /etc/group /etc/passwd
/etc/group:zope:x:503:
/etc/passwd:zope:x:503:503::/home/zope:/bin/bash

And my kernel info:

[root [at] crcdoc Products]# uname -a
Linux crcdocs.bsd.uchicago.edu 2.6.5-1.358 #1 Sat May 8 09:01:26 EDT 2004 x86_64 x86_64 x86_64 GNU/Linux

This is a brand-spanking new box from Monarch Systems with FC2
pre-installed.

JDH


alangmead at boston

Sep 22, 2004, 9:19 AM

Post #7 of 8
Re: nonroot user running zope on 80

On Sep 21, 2004, at 4:41 PM, John Hunter wrote:

> On a linux box, what is the right way to allow a non-privileged user
> (eg "zope") to run a zope server on port 80. I can run on 8080 just
> fine, but don't have access to the lower numbered ports.


Would someone who does have root access be willing to set up some sort
of proxy that will forward requests from port 80 to a high numbered
port for you?

I've used Apache's mod_rewrite and mod_proxy, and I've used pound
<http://www.apsis.ch/pound> for this purpose.



jdhunter at ace

Sep 22, 2004, 11:06 AM

Post #8 of 8
Re: Re: nonroot user running zope on 80

>>>>> "John" == John Hunter <jdhunter [at] ace> writes:

John> I'm hoping that this gives some zope guru-possibly-named-tim
John> an idea of what is going wrong. Here is my /etc/group and
John> /etc/passwd info for the effective user

I did some old fashioned debugging, inserting print statements into
/usr/local/Zope-2.7.2/lib/python/Zope/Startup/__init__.py
to find out which call was generating the segfault. It's occurring on
the line

initgroups.initgroups(effective_user, gid)

in the def dropPrivileges(cfg) function.

I took a look at the src
/var/tmp/build/Zope-2.7.2-0/lib/Components/initgroups/initgroups.c
and added a print statement to initgroups_initgroups

static PyObject *
initgroups_initgroups(PyObject *self, PyObject *args)
{
printf("hi mom");
char *username;
gid_t gid;

recompiled and the segfault went away. Removed the printf statement,
recompiled, and the segfault returned. I was able to repeat this
several times with the same result each time: without the irrelevant
printf, I segfaulted, with it, I didn't.

Does this typically indicate a pointer/memory bug? Is there any
reason to believe the cflags CFLAGS='-D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64' OPT="-g -O2" would cause any trouble?


JDH
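
Added example (not part of the thread and not Zope's own code): the bind-as-root-then-drop sequence discussed above, in Python, with os.initgroups standing in for Zope's initgroups extension. The sysapi and lookup parameters and the bind_then_drop helper are assumptions of this example, there so the call order and the cannot-regain-root check can be exercised without root.

```python
import os
import pwd
import socket


def drop_privileges(username, sysapi=os, lookup=pwd.getpwnam):
    """Permanently switch a root process to `username`; return (uid, gid).

    `sysapi` and `lookup` default to the real os/pwd calls; they are
    parameters (an assumption of this example) so the sequence can be
    exercised without root.
    """
    pw = lookup(username)
    if pw.pw_uid == 0:
        raise ValueError("effective user must not be root")
    if sysapi.geteuid() != 0:
        raise PermissionError("only root can change to another user")

    # Order matters: group changes need root, so setuid() comes last.
    sysapi.initgroups(pw.pw_name, pw.pw_gid)  # issues setgroups(2)
    sysapi.setgid(pw.pw_gid)
    sysapi.setuid(pw.pw_uid)

    # Verify the drop is permanent: regaining uid 0 must fail.
    try:
        sysapi.setuid(0)
    except OSError:
        pass
    else:
        raise RuntimeError("privilege drop was reversible")
    if (sysapi.getuid(), sysapi.getgid()) != (pw.pw_uid, pw.pw_gid):
        raise RuntimeError("unexpected uid/gid after drop")
    if 0 in sysapi.getgroups():
        raise RuntimeError("still a member of the root group")
    return pw.pw_uid, pw.pw_gid


def bind_then_drop(port, username, host="0.0.0.0"):
    """Bind the privileged port as root, then give up root for good."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))      # needs root for ports below 1024
    sock.listen(16)
    drop_privileges(username)    # the listening socket stays open
    return sock


if __name__ == "__main__":
    # Constructed usage: run as root; "zope" is the account from the thread.
    listener = bind_then_drop(80, "zope")
    print("listening on 80 as uid", os.getuid())
```

The setgroups(1, [503]) line in the strace tail of post #6 is the system call that the initgroups step makes.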
