[Zope] Can't build resource file for PCGI on Zope 2.7b1

Tiller, Michael (M.M.) mtiller at ford.com
Thu Aug 28 12:16:16 EDT 2003


> From: Jens Vagelpohl [mailto:jens at zope.com]
> Subject: Re: [Zope] Can't build resource file for PCGI on Zope 2.7b1
> 
> > BUT, it still seems to me that it isn't as good as a named pipe (although
> > I'd be glad to be proven wrong) because with a named pipe *you can
> > control the permissions of the pipe* whereas anyone can connect to the
> > localhost port if they have an account on the machine.
> >
> > Am I missing something again? :-)
> >
> 
> I have never seen any situation in which I needed to exert control over
> the connection between the frontend web server and Zope beyond
> "securing" access so no one from the outside can talk to it. I don't
> quite get what the problem is.
> 
> jens

Hmm...I'm not sure how to interpret your response.  There are two possibilities.  Either you don't understand what I'm trying to do...or you don't understand why I'm doing it.  Let me just clarify both.

I would like to be able to restrict access to the Zope server to only those people who belong to a certain UNIX group on the server machine.  Since authentication will be handled by the front end, we don't want to allow any "anonymous" connections to the Zope server.  I know I can handle this with the Zope permissions, but I'd rather build the security into the hardware setup rather than have to worry about permissions on all the objects.  So that is what I'm trying to do.

Note, much of this is dictated by corporate security guidelines and I can't really argue with it because a) I'm powerless to and b) it is quite reasonable given the number of users of our corporate intranet.

Why do I want to do it this way?  Well, if I open a port on localhost then any user of the server can access that port.  With the named pipe, I can control the permissions on the port.

Hopefully that clarifies things.  You may not agree the steps are necessary (and I have no say in the matter), but at least now I hope I have explained what steps I'm trying to take. :-)

--
Mike
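
The access-control difference discussed in this message, as an added example that is not part of the original post and not Zope or PCGI code: a filesystem endpoint carries owner, group and mode bits that the kernel checks on connect, which a localhost TCP port does not have. The sketch uses a Unix domain socket as the filesystem endpoint; the names `bind_restricted`, `audit_socket` and `zope.sock` are hypothetical, and the process's own group stands in for the allowed UNIX group.

```python
import os
import socket
import stat
import tempfile


def bind_restricted(path, gid, mode=0o660):
    """Bind a Unix stream socket that only its owner and one group can reach."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created 0600, never world-open
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chown(path, -1, gid)  # hand the endpoint to the allowed group
    os.chmod(path, mode)     # rw for owner and group, nothing for others
    srv.listen(1)
    return srv


def audit_socket(path, expected_gid):
    """Return policy findings for the socket file; an empty list means it passes."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket")
    if st.st_mode & stat.S_IRWXO:
        findings.append("accessible to other users")
    if st.st_gid != expected_gid:
        findings.append("unexpected group")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable")
    return findings


def demo():
    """Create a restricted socket, audit it, then loosen it and audit again."""
    gid = os.getegid()  # constructed stand-in for the real allowed group
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "zope.sock")  # hypothetical file name
        srv = bind_restricted(path, gid)
        tight = audit_socket(path, gid)
        os.chmod(path, 0o666)  # simulate a misconfiguration
        loose = audit_socket(path, gid)
        srv.close()
    return tight, loose


if __name__ == "__main__":
    print(demo())
```

On Linux, connecting to the socket requires write permission on the socket file; some older BSD systems ignore socket file modes, so placing the socket in a directory restricted to the group is the portable form of the same control.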