[Zope-Checkins] CVS: Zope/doc - SETUID.txt:1.2
Chris McDonough
chrism@zope.com
Sun, 20 Jul 2003 19:04:27 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv7380
Modified Files:
SETUID.txt
Log Message:
Update for 2.7.
=== Zope/doc/SETUID.txt 1.1 => 1.2 ===
--- Zope/doc/SETUID.txt:1.1 Fri Aug 9 12:38:30 2002
+++ Zope/doc/SETUID.txt Sun Jul 20 19:04:22 2003
@@ -1,30 +1,29 @@
-ZServer 'setuid()' support
+Zope effective user support
- ZServer (Zope's server) supports 'setuid()' on POSIX systems in order to
- be able to listen on low ports such as 21 (FTP) and 80 (HTTP) but drop
- root privileges when running; on most POSIX systems only the 'root' user
- can do this. Versions of Zope prior to 2.6 had less robust versions
- of this support. Several problems were corrected for the 2.6 release.
+ Zope can bind its network service to low ports such as 21 (FTP) and
+ 80 (HTTP). In order to bind to low ports, Zope must be started as
+ the root user. However, Zope will only run as root long enough to
+ bind to these low ports. It will then attempt to setuid to a less
+ privileged user.
- The most important thing to remember about this support is that you
- don't *have* to start ZServer as root unless you want to listen for
- requests on low ports. In fact, if you don't have this need, you are
- much better off just starting ZServer as a user account dedicated to
- running Zope. 'nobody' is not a good idea for this user account;
- see below.
+ You must specify the user to which Zope will attempt to setuid by
+ changing the 'effective-user' parameter in the zope.conf
+ configuration file to an existing username or UID. All runtime
+ files will be written as this user. If you do not specify an
+ 'effective-user' in the configuration file, and you attempt to start
+ Zope, it will refuse to start.
- If you do need to have ZServer listening on low ports, you will need to
- start 'z2.py' as the 'root' user, and also specify what user ZServer
- should 'setuid()' to. Do this by specifying the '-u' option followed
- by a username or UID, either in the 'start' script or on the 'z2.py'
- command line. The default used to be 'nobody'; however if any other
- daemon on a system that ran as 'nobody' was compromised, this would
- have opened up your Zope object data to compromise.
+ Zope additionally emits a warning if you specify 'nobody' as the
+ 'effective-user'. The rationale for this warning stems from the
+ fact that, historically, many other UNIX services dropped privileges
+ to the 'nobody' account after starting as root. Any security
+ defects in these services could cause someone to gain access as the
+ 'nobody' account on your system. If someone was to gain control of
+ your 'nobody' account they could compromise your Zope files.
- You must also make sure the var directory is owned by root, and that
- it has the sticky bit set. This is done by the command 'chmod o+t
- var' on most systems. When the sticky bit is set on a directory,
- anyone can write files, but nobody can delete others' files in order
- to rewrite them. This is necessary to keep others from overwriting
- the PID file, tricking root into killing processes when 'stop' is run.
+ The most important thing to remember about effective user support is
+ that you don't have to start Zope as root unless you want to listen
+ for requests on low ports (ports beneath 1024). In fact, if you
+ don't have this need, you are much better off just starting Zope
+ under a dedicated user account.
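Review bot: The removed paragraph on 'var' ownership and the sticky bit (protecting the PID file from being overwritten so that root is not tricked into killing processes when 'stop' is run) has no counterpart in the added text, which only states "All runtime files will be written as this user". If 2.7 no longer needs that protection, the document should say why; otherwise the guidance should be kept. In the second added paragraph, "it will refuse to start" reads as unconditional, which sits awkwardly with the final paragraph saying Zope does not have to be started as root; suggest scoping it, for example "If you start Zope as root and do not specify an 'effective-user' ...". The first added paragraph's "attempt to setuid" also leaves open what happens when the attempt fails (unknown username or UID), which is worth one sentence.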