[Zope] Help Please : IOError: [Errno 13] Permission denied

Behrens Matt - Grand Rapids Matt.Behrens@Kohler.Com
Wed, 17 Oct 2001 09:11:46 -0400


bak (kedai) wrote:

> On Wednesday 17 October 2001 03:42 pm, girish wrote:
> 
>>  File /home/ep/zope/Zope2.4.1/z2.py, line 757, in ?
>>IOError: [Errno 13] Permission denied: '/home/ep/zope/Zope2.4.1/var/Z2.pid'
>>
>>***************************************************************************
>>
> 
> if you started zope as root, zope will then operate as nobody.  make sure 
> nobody has access/permission to the zope tree

Please, everyone, DON'T run Zope as nobody, if you value anything in the 
Data.fs!

Recall that nobody is an unprivileged OS username.  You want nobody to 
not have access to anything that might be considered a privileged resource.

Data.fs is a bad choice to give nobody access to.  If ANY system service 
that you have that runs as nobody (CGIs often do, for example) is 
compromised, your entire Data.fs becomes fair game for the compromiser.
Your acl_users is in Data.fs, and it's real easy to pull the passwords
out of there, or any other content.

Make a new user explicitly for running Zope.  Give that user rights to 
the Zope tree.  Or, better yet, use INSTANCE_HOME (see 
<http://www.zope.org/Members/4am/instancehome>), and give the user 
rights only to the instance tree.  That's how the OpenBSD zope port 
(coming in 3.0) operates.

-- 
Matt Behrens <matt.behrens@kohler.com>
System Analyst, Baker Furniture
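
An added example, not part of the original message: one way to check whether the directory holding Data.fs is reachable by a shared account such as nobody, before and after tightening it for a dedicated Zope user. The function name `audit_zope_var`, the assumption that Data.fs sits in the instance's var/ directory (where the traceback shows Z2.pid), and the demo tree are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Data.fs lives in the
# instance's var/ directory; "nobody" is the shared account to check against.

# Print one finding per line as "<reason> <path>"; print nothing when clean.
audit_zope_var() {
    var_dir=$1
    shared=${2:-nobody}
    # "Other" permission bits are usable by every local account,
    # the shared one included. Symlink modes are meaningless, so skip them.
    find "$var_dir" ! -type l -perm -004 -print | sed 's|^|world-readable |'
    find "$var_dir" ! -type l -perm -002 -print | sed 's|^|world-writable |'
    # Ownership checks only make sense if the account exists on this host.
    if id "$shared" >/dev/null 2>&1; then
        find "$var_dir" -user "$shared" -print | sed "s|^|owned-by-$shared |"
        grp=$(id -gn "$shared")
        find "$var_dir" ! -type l -group "$grp" -perm -040 -print |
            sed "s|^|group-readable-via-$grp |"
    fi
}

# Constructed demo tree: a permissive layout, then the tightened one.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/var"
    : > "$tmp/var/Data.fs"
    chmod 755 "$tmp/var"; chmod 644 "$tmp/var/Data.fs"
    echo "before:"; audit_zope_var "$tmp/var"
    chmod 700 "$tmp/var"; chmod 600 "$tmp/var/Data.fs"
    echo "after:";  audit_zope_var "$tmp/var"
    rm -rf "$tmp"
}
demo
```

An empty result only covers mode bits and ownership under the directory given; parent directories and ACLs are outside what this check looks at.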