You are not logged in Log in Join
You are here: Home » Zope Documentation » Misc » Zope Installation Security » View Document

Log in
Name

Password

 

Zope Installation Security

Setting the Zope "super manager" name and password

Because Zope is managed through the web, user names and passwords must be used to assure that only authorized people can make changes to a Zope installation. User names and passwords are normally defined by creating and modifying user folders within Zope.

A special "super manager" user name and password are defined outside the application for two reasons

  • Some user name and password is needed to authorize creation of normal managers of your Zope site.
  • The "super manager" provides an all-powerful user that can do anything in the application, and whose password cannot be changed through the application user interface.

This user name and password is defined in the access file located in the Zope directory. It should be readable only by the user as which your web server runs.

The super manager username and password should only be used when defining the normal management users and passwords and when dealing with unusual situations, like lost (or hacked) manager user names and passwords.

In order to provide a somewhat higher level of security, various encoding schemes are supported which provide access to either SHA-1 encryption or the standard UNIX crypt facility if it's been compiled into Python. Unless you have some special requirements (see below), you should use the SHA-1 facility, which is the default.

The access file should consist of a single line of the form:

name:password

The build scripts automatically create an access file for you, using a default username and a randomly generated password which will be given at the end of the build script. The default is to encode this with SHA, so please remember this password as there is no way to recover it.

Note that you may also add an optional third component to the line in the access file to restrict super manager access by domain. For example, the line:

mario:nintendoRules:*.mydomain.com

in your access file will only allow super manager access to your installation from *.mydomain.com machines. Attempts to access the system from other domains will fail, even if the correct superuser name and password are used.

Note that there is now a program to change the password, zpasswd.py, which if run will explain how to use it, and if run it its most basic form will prompt for all information.

Please note that if you use the ZServer monitor capability, you will need to run with a clear text password in this beta release.

Setting permissions on the var directory.

You need to set permissions on the Zope var directory. Zope needs to read and write data from its var directory. Before running Zope you should ensure that you give adequate permissions to the Zope var directory for the userid Zope will run under.

Depending on how you choose to run Zope you will need to give different permissions to the var directory. If you use Zope with an existing web server, it will probably run Zope as nobody. In this case nobody needs read and write permissions to the var directory.

If you change the way you run Zope you may need to modify the permissions of the var directory and the files in it to allow Zope to read and write under its changed userid.