[Zope] what user and group to use for zope install

Geoff Nordli geoff@gnaa.net
Wed, 27 Oct 1999 12:44:21 -0700


So if I was using a team model for development I would create a
group called "zope".  Insert all people who need access to the
code into the zope group.

Add the new zope group, and user.

groupadd zope
adduser zope

Log in as the zope user:

su zope

Unzip the tarball into the /usr/local/zope directory.

Change the permissions for the zope directory to add the zope group
to the entire directory:

chgrp -R zope /usr/local/zope
chown -R zope /usr/local/zope

Change the permissions of the /usr/local/zope/Zope-2.0.1-src/var
to allow root to modify files:

chgrp -R nobody /usr/local/zope/Zope-2.0.1-src/var


Now what about the permissions?  They are different for the user
and group.  How does one deal with this, or is this even a concern?

I would think that these docs should be added to the INSTALL.doc
file to help out other people.

thanks,

geoff



> -----Original Message-----
> From: Pavlos Christoforou [mailto:pavlos@gaaros.msrc.sunysb.edu]
> Sent: Wednesday, October 27, 1999 12:24 PM
> To: Geoff Nordli
> Cc: Zope List (E-mail)
> Subject: Re: [Zope] what user and group to use for zope install
> 
> 
> On Wed, 27 Oct 1999, Geoff Nordli wrote:
> 
> > Should I create a user, and group for zope install?
> > 
> > Where should I put the installation? "/usr/local/zope"
> 
> /usr/local/zope is fine. And yes you could create a new user/group
> just for Zope.
> 
> > 
> > Should the user/group own Zope's entire directory structure?
> 
> Yes, even though it is not required, it certainly makes things easier.
> 
> The exception is if you run Zope as root. In that case ZServer changes
> the process id to nobody for security reasons. Therefore your var
> directory and *all* the subdirectories/files should be owned by nobody
> including write permissions for nobody.
> 
> > In the documentation it says that the user that
> > starts Zope must own the var directory.  How do
> > you know what user is being used to start Zope, 
> > and how do you control it.  I did the compile using
> > "root".
> 
> Zope will run as the user who started the process, i.e. the login user,
> unless that is root, in which case it will change to nobody.
> 
> > What kind of security implication is having root
> > own the zope directory?
> 
> I do not know of any security problems having root own the zope dir,
> as long as the process is running as nobody.
> 
> > 
> > If I want to add additional components to zope
> > like mysql, apache, and whatever--does this
> > affect the user that zope runs under?
> 
> I suppose most of the services you mention have their own ideas about
> authentication, so you will need to explicitly deal with them anyway. 
> 
> Regards
> 
> 
> Pavlos
> 
>
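
One way to handle the question above about user and group permissions differing on a shared tree, as an added example that is not part of the original thread or of Zope's documentation. The function names audit_tree and repair_tree are hypothetical, and the team members are assumed to already belong to the group passed in.

```shell
#!/bin/sh
# Added example: audit and repair group access on a team-shared install tree.
# audit_tree / repair_tree are hypothetical names, not Zope tooling.

# Print one line per finding:
#   group-differs  entry whose group rwx bits differ from the owner's
#   no-setgid      directory where new files would not inherit the group
audit_tree() {
    find "$1" ! -type l -exec sh -c '
        for p do
            perms=$(ls -ld "$p" | head -n 1 | cut -c1-10)
            type=$(printf %s "$perms" | cut -c1)
            # s/S in the exec slot means setuid/setgid; map back to x/-
            owner=$(printf %s "$perms" | cut -c2-4 | tr sS x-)
            group=$(printf %s "$perms" | cut -c5-7)
            case $type$group in
                d??s|d??S) : ;;                      # setgid already set
                d*) echo "no-setgid      $perms $p" ;;
            esac
            [ "$owner" = "$(printf %s "$group" | tr sS x-)" ] ||
                echo "group-differs  $perms $p"
        done' sh {} +
}

# Give the team group the same access as the owning user.
# Run as the tree owner (or root); $2 is a group name or numeric gid.
repair_tree() {
    chgrp -R "$2" "$1"                          # whole tree in the team group
    chmod -R g=u "$1"                           # copy owner rwx bits to group
    find "$1" -type d -exec chmod g+s {} +      # new entries inherit the group
}

# Typical use (paths from the thread):
#   audit_tree  /usr/local/zope
#   repair_tree /usr/local/zope zope
# Team members also need "umask 002" so files they create stay group-writable.
```

Run audit_tree again after the repair; an empty result means user and group permissions match everywhere in the tree.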