You are not logged in Log in Join
You are here: Home » Members » jim » ZopeSecurity » RunningZopeAsNobody » wikipage_view

Log in


FrontPage »


Something struck me when I was looking at the Installing/Upgrading HOWTO at ...

It is a very bad idea to have any files owned by nobody on a UNIXish system. nobody is relied upon to have no permissions at all, and therefore is used for tasks that should not enable someone to gain any sort of permission other than to run code in the system.

An example: as most people know, CGI scripts usually run as nobody. If there were to be a weak CGI on a system (imagine that!) that Joe Script Kiddie was able to use to get into the system, he would then have full control over the Zope installation, because he'd be able to do any operations that nobody could do - including kill the Zope daemon, mess with Data.fs, read the access password (which might be set the same as the root password!)

The correct way for Zope to be run is as its own dedicated user (i.e. zope). --[zigg]?