[Zope] Filesystem Permissions for a Zope Install

Edward Pollard pollej@uleth.ca
Wed, 21 May 2003 09:41:14 -0600


>> However, the only immediate alternative seems to be to add Apache to
>> the "Zopeadmins" group we have, but that has read-write, and letting
>> Apache have write is a potential security hazard.
>
> Apache needs access to the port Zope is running on and nothing else.
> Really, they don't even have to be on the same machine...  or the same
> OS, for that matter.
>
> Unless you're doing something *highly* unusual, Apache needs exactly
> *zero* access to Zope files.

We turned off world read and instantly got an error. This brought me 
great consternation in light of this advice.

Further investigation reveals that we had set up the Zope process to 
run under the Apache user. Duh.

This is probably poor form, and undoubtedly the cause of my error. 
Would it be wise to create a new unprivileged user for Zope processes, or 
is it just fine to cram Apache into the Zopeadmins group?

This is probably getting academic, but I'd love some opinions on the 
subject.

Edward
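
Added example, not part of the original message: a Python audit that reports which files under a Zope instance a given account can read or write, covering both cases raised in the thread (Apache as an unrelated account, and Apache added to the group that owns the files). The instance layout, file modes and function names are constructed for illustration; the check models the classic owner/group/other mode bits only and ignores ACLs and root.

```python
import os
import stat

READ, WRITE = 4, 2

def mode_bits_for(st, uid, gids):
    """rwx bits (0-7) an identity gets from the classic owner/group/other check."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_tree(root, uid, gids):
    """Return sorted (relative path, 'r'|'w'|'rw') for entries the identity can read or write.

    Assumptions: mode bits only (no ACLs, no root override), symlinks skipped.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            bits = mode_bits_for(st, uid, gids)
            access = ("r" if bits & READ else "") + ("w" if bits & WRITE else "")
            if access:
                findings.append((os.path.relpath(path, root), access))
    return sorted(findings)

def build_sample(root):
    """Constructed sample instance layout (hypothetical names and modes)."""
    layout = {"var/Data.fs": 0o660, "etc/zope.conf": 0o640, "Extensions/world.py": 0o644}
    os.chmod(root, 0o750)
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o750)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        owner = os.stat(root)
        # Web server as an unrelated account: only the "other" bits apply.
        print(audit_tree(root, owner.st_uid + 1, {owner.st_gid + 1}))
        # Web server added to the group that owns the files.
        print(audit_tree(root, owner.st_uid + 1, {owner.st_gid}))
```

In the sample, the unrelated account sees only the one world-readable file, while group membership exposes the whole tree for reading and the `Data.fs` file for writing.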