You are not logged in Log in Join
You are here: Home » Members » jim » ZopeSecurity » RunningZopeAsNobody
Log in
Name

Password

 
Link icon Forgot your password?
 
Print

History for RunningZopeAsNobody

??changed:
-
Something struck me when I was looking at the Installing/Upgrading HOWTO at http://www.zope.org/Members/mcdonc/HowTos/zopeinstall/ZOPE-INSTALL-HOWTO ...

It is a very bad idea to have *any* files owned by nobody on a !UNIXish system.  nobody is relied upon to have no permissions at all, and therefore is used for tasks that should not enable someone to gain any sort of permission other than to run code in the system.

An example: as most people know, CGI scripts usually run as nobody.  If there were to be a weak CGI on a system (imagine that!) that Joe Script Kiddie was able to use to get into the system, he would then have *full* control over the Zope installation, because he'd be able to do any operations that nobody could do - including kill the Zope daemon, mess with Data.fs, read the access password (which might be set the same as the root password!)

The correct way for Zope to be run is as its own dedicated user (i.e. zope).  --[zigg]
Copyright (c) 2011 Zope Foundation. All rights reserved. Legal | Contact
If you can read this text, it means you are not experiencing the Plone design at its best. Plone makes heavy use of CSS, which means it is accessible to any internet browser, but the design needs a standards-compliant browser to look like we intended it. Just so you know ;)