[Zope-dev] interaction with local FS

Stuart Bishop zen@shangri-la.dropbear.id.au
Tue, 28 Jan 2003 10:33:00 +1100


On Tuesday, January 28, 2003, at 01:24  AM, Mario Bianchi wrote:

This thread probably belongs in the main zope mailing list.

LocalFS will let you map a local directory into Zope. AdaptableStorage
probably will too, but it will be harder to setup at the moment.

> No way to access 'someuser''s files with the uid of 'someuser'?

To do this, you would need to run Zope (or any other multi user 
application for that matter, such as Apache) as a superuser. Which you 
really don't want to do. The only other possible way of doing this 
would be to start a new process for every request which changes its 
euid (using a SUID root wrapper), authenticates itself, and does what 
you want to the FileSystem. People generally gave up on this approach 
for web systems about a decade ago due to it being a performance 
nightmare, which is why nothing does this out of the box.

A better approach can come from becoming more familiar with your OS's 
group membership features. Under many Unix variants, for example, you 
can set up a group 'zopedocs', and add your users as members of
this group. Also add the user the Zope server runs as to this group. 
Set up the local directories so that they are group writable, and group 
ownership propagates to newly created files:
	mkdir ~/ZopeDocs
	chgrp zopedocs ~/ZopeDocs
	chmod g+rwxs ~/ZopeDocs

Make sure files that get created in this folder are group readable (at 
a minimum) if created from
the shell either through chmod or setting the umask. Set the Zope 
server's umask to what you want
(probably 002 - group writable, world readable) so when a file is 
created via Zope, it is modifiable
by members of the ZopeDocs group.

If you need to make sure users can't modify or access each others 
documents, you need to do the
same thing but with a different unique group for each user (and the 
Zope user a member of all of them).

These steps can of course be scripted and even added to the account 
creation procedures to make things quicker or automatic, but you need 
to write the script as it embodies your own security policy which is 
probably different to everyone elses.

-- 
Stuart Bishop <zen@shangri-la.dropbear.id.au>
http://shangri-la.dropbear.id.au/