[Zope] hard-coded pcgi
Phillip J. Eby
pje@telecommunity.com
Wed, 03 Feb 1999 14:04:10 -0500
At 01:41 PM 2/3/99 -0500, Kevin Dangoor wrote:
>On Wed, Feb 03, 1999 at 12:18:04PM -0500, Phillip J. Eby wrote:
>,-----
>|
>| Only if your shared hosting environment doesn't give every domain its own
>| Unix user ID and executes CGI's under that ID... :)
>
>Hmm... If the hosting company doesn't give you your own Unix uid, I don't
>think there's any way to prevent people from getting at your data...

Oops, that was unclear. I meant to say that if your host gives you your
own ID, *and* executes CGI under that ID, then you have nothing else to do
except keep permissions straight.

>But pcgi *is* the wrapper, right? pcgi starts up Zope when it isn't
>running and then passes requests to it after that. So, if pcgi is running
>setuid, then it will start up Zope under my uid as well. (I have tried this
>already, and it works. Zope runs as my user id if I chmod u+s pcgi-wrapper.)

True, but my understanding is that PCGI is moving away from being the
process management part of the system. This may be especially true if
there ends up being a PCGI handler in ZServer, or you're running ZServer on
a different machine than the web server.
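
The following is an added example, not part of the original message and not code from PCGI or Zope: a shell check of what "keeping permissions straight" means for a setuid wrapper on a shared host. The function name and the paths passed to it are hypothetical, and it assumes other customers on the host fall under the "other" permission class.

```shell
#!/bin/sh
# Added example: audit a setuid CGI wrapper and the data directory behind it.
# audit_setuid_wrapper and its arguments are hypothetical names.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_setuid_wrapper() {
    wrapper=$1
    datadir=$2
    findings=0

    # Without the setuid bit the wrapper, and whatever it starts, runs as
    # the web server's user instead of the account owner.
    if [ ! -u "$wrapper" ]; then
        echo "wrapper: setuid bit not set"
        findings=1
    fi

    # A setuid file that group or others can write to can be replaced with
    # code that then runs under the owner's uid.
    if [ -n "$(find "$wrapper" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "wrapper: writable by group or others"
        findings=1
    fi

    # Write access to the containing directory allows a rename-and-replace
    # of the wrapper even when the file itself is locked down.
    wdir=$(dirname "$wrapper")
    if [ -n "$(find "$wdir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "wrapper directory: writable by group or others"
        findings=1
    fi

    # Running under your own uid only protects the data if nobody else can
    # reach it: flag anything readable, writable or searchable by "other".
    exposed=$(find "$datadir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$exposed" ]; then
        echo "data exposed to other users:"
        echo "$exposed"
        findings=1
    fi

    return "$findings"
}
```
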