[Zope-dev] Re: [ZODB-Dev] ZEO signal feature

Guido van Rossum guido@python.org
Mon, 07 Oct 2002 08:14:24 -0400


[Guido]
> > > It's probably unavoidable that the log file is opened as root --
> > > it's used to report "can't setuid()". :-)

[Toby]
> That's what syslog is for.
> 
> It is good security practice that a daemon should *never* have a
> writeable file descriptor for its log file. If it does, and the
> daemon is compromised, an attacker can trivially cover his tracks by
> removing the incriminating evidence from the log file.

Well, there goes zLOG's MinimalLogger implementation.

(This only holds for log files owned by a root, right?)

[Chris]
> > Pidfiles too.
> 
> Currently it is common practice for Zope's 'stop' scripts to be run
> as root.  We can't allow the pid files to be written by non-root
> users, otherwise those users could trick root into killing an
> arbitrary process.

The current design, for whatever reason, writes the pidfile as *late*
as possible.  That's often bugged me, because there's a failure mode
where the process dies before the pidfile is written; zdaemon restarts
it over and over (that's what prompted my zdaemon hack proposal), and
the stop script won't stop it.  (And of course, being a very
infrequent Zope user, I always forget how to set up the environment so
that Zope will run correctly.  Fortunately I never run it as root. :-)

> > The only real purpose to running as root is to be able to bind to
> > low-numbered TCP ports.
> 
> IMO there are better solutions to the problems to which low-numbered
> ports are a common solution. Zope/ZSS never *needs* a low numbered
> port, and zope should never be started as root.

Correct.

> (I have cc'ed zope-dev. I suggest we continue there, rather than zodb-dev)

I wish there were fewer lists.  I can never decide which list is
right. :-(

--Guido van Rossum (home page: http://www.python.org/~guido/)
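The pidfile concern raised in this thread (a root-run stop script must not trust a pidfile that a non-root user could have written, and the pidfile should be created before any privilege drop so it carries the trusted owner) can be made concrete. The following is an added example, not code from Zope, zdaemon, or any participant in the thread; the function names (`write_pidfile`, `drop_privileges`, `read_trusted_pid`, `demo`) and the sample pidfiles it constructs in a temporary directory are assumptions made for illustration. It goes slightly beyond the thread by also refusing symlinks, non-numeric contents, and pids below 2.

```python
import os
import stat
import tempfile


class UntrustedPidfile(Exception):
    """The pidfile could have been written by someone other than the daemon."""


def write_pidfile(path):
    # Create the pidfile exclusively (never clobber an existing file, never
    # follow a planted symlink), world-readable but owner-writable only.
    # Call this BEFORE setuid() so the file is owned by the uid the stop
    # script trusts (root, in the setup described in the thread).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % os.getpid())


def drop_privileges(uid, gid):
    # Only meaningful when started as root; returns False (no-op) otherwise.
    if os.geteuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return True


def read_trusted_pid(path, trusted_uids=(0,)):
    """Return the pid stored in `path`, or raise UntrustedPidfile.

    The file is trusted only if it is a regular file reached without
    following a symlink, owned by one of `trusted_uids`, and not writable
    by group or others. The caller must also keep the *directory* out of
    reach of untrusted users, since a writable directory lets anyone
    replace the file wholesale.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # symlink -> OSError
    except OSError as e:
        raise UntrustedPidfile("cannot open pidfile: %s" % e)
    try:
        st = os.fstat(fd)  # inspect the descriptor we hold, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedPidfile("pidfile is not a regular file")
        if st.st_uid not in trusted_uids:
            raise UntrustedPidfile("pidfile owned by uid %d" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedPidfile("pidfile is group/world writable")
        data = os.read(fd, 32)
    finally:
        os.close(fd)
    text = data.decode("ascii", "replace").strip()
    if not text.isdigit():
        raise UntrustedPidfile("pidfile does not contain a pid")
    pid = int(text)
    if pid <= 1:  # never let a stop script be steered at init
        raise UntrustedPidfile("refusing pid %d" % pid)
    return pid


def _rejected(path, **kw):
    try:
        read_trusted_pid(path, **kw)
    except UntrustedPidfile:
        return True
    return False


def demo():
    """Exercise the reader on constructed pidfiles; returns a dict of outcomes."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "zope.pid")
        write_pidfile(good)
        # Our own, properly created pidfile is accepted when we trust our uid.
        results["own_pid"] = read_trusted_pid(good, trusted_uids=(me,)) == os.getpid()
        # The same file is refused when the trusted owner is someone else
        # (what a root-run stop script sees for a user-owned pidfile).
        results["wrong_owner_rejected"] = _rejected(good, trusted_uids=(me + 1,))
        # Loosening the mode makes it untrustworthy even for the owner.
        os.chmod(good, 0o666)
        results["world_writable_rejected"] = _rejected(good, trusted_uids=(me,))
        # Constructed garbage content.
        bad = os.path.join(d, "garbage.pid")
        with open(bad, "w") as f:
            f.write("not-a-pid\n")
        os.chmod(bad, 0o644)
        results["garbage_rejected"] = _rejected(bad, trusted_uids=(me,))
        # A symlink where the pidfile should be is refused outright.
        link = os.path.join(d, "link.pid")
        os.symlink(bad, link)
        results["symlink_rejected"] = _rejected(link, trusted_uids=(me,))
    return results


if __name__ == "__main__":
    print(demo())
```

In a real daemon the order would be `write_pidfile()` first, then `drop_privileges()`, so the file is owned by root and a root-run stop script can use the default `trusted_uids=(0,)`; `fstat` on the open descriptor rather than `stat` on the path avoids a race between checking and reading.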