[Product-Developers] Re: PIL error when using effective-user on Ubuntu Hardy

David Glick davidglick at onenw.org
Tue Sep 1 00:56:24 UTC 2009


On Aug 31, 2009, at 5:25 PM, Derek Broughton wrote:
> Good guess, because www-data, by design, has very limited access to anything
> on an Ubuntu system.  I would think you need to chown much more than just
> parts and var (my systems all have the entire buildout tree owned by the
> effective-user).


Having the entire buildout tree owned by Zope's effective user is not  
a good idea from a security perspective.  It means that if someone  
exploited a security hole in Zope, they could write to Zope's  
codespace.  See Steve McMahon's and Erik Rose's great talk on this  
topic from Plone Conference 2008 for more info on this issue and steps  
to take to avoid it: http://plone.org/events/conferences/2008-washington-dc/agenda/securing-zope-and-plone-against-the-big-bad-internet


David Glick
Web Developer
ONE/Northwest

New tools and strategies for engaging people in protecting the  
environment

http://www.onenw.org
davidglick at onenw.org
work: (206) 286-1235 x32
mobile: (206) 679-3833

Subscribe to ONEList, our email newsletter!
Practical advice for effective online engagement
http://www.onenw.org/full_signup
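
An added example, not part of the original message or of any Plone tooling: a Python audit that lists every path in a buildout tree that the effective user could modify, which is the condition the reply above warns about. It assumes `var` is the only top-level directory that user needs to write to, and it reads only owner, group and mode bits (no ACLs).

```python
import grp
import os
import pwd
import stat
import sys

# Assumption: "var" is the only top-level directory the effective user must write to.
WRITABLE_OK = ("var",)


def can_modify(st, uid, gids):
    """True if a process running as uid/gids could alter this path."""
    if st.st_uid == uid:
        return True  # the owner can always chmod the write bit back on
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_buildout(root, uid, gids=(), writable_ok=WRITABLE_OK):
    """Return sorted paths (relative to root) that uid could modify,
    skipping the top-level directories named in writable_ok."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in writable_ok]
        # A writable directory lets its entries be replaced, so check it too.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning
            if can_modify(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: audit.py /path/to/buildout effective-user
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for rel in audit_buildout(root, pw.pw_uid, gids):
        print(rel)
```

An empty result means the effective user cannot change anything outside `var`; any path printed is code or configuration that a compromised Zope process could rewrite.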







