[Product-Developers] Re: PIL error when using effective-user on Ubuntu Hardy
David Glick
davidglick at onenw.org
Tue Sep 1 00:56:24 UTC 2009
On Aug 31, 2009, at 5:25 PM, Derek Broughton wrote:
> Good guess, because www-data, by design, has very limited access to anything
> on an Ubuntu system. I would think you need to chown much more than just
> parts and var (my systems all have the entire buildout tree owned by the
> effective-user).

Having the entire buildout tree owned by Zope's effective user is not
a good idea from a security perspective. It means that if someone
exploited a security hole in Zope, they could write to Zope's
codespace. See Steve McMahon's and Erik Rose's great talk on this
topic from Plone Conference 2008 for more info on this issue and steps
to take to avoid it: http://plone.org/events/conferences/2008-washington-dc/agenda/securing-zope-and-plone-against-the-big-bad-internet
David Glick
Web Developer
ONE/Northwest
New tools and strategies for engaging people in protecting the
environment
http://www.onenw.org
davidglick at onenw.org
work: (206) 286-1235 x32
mobile: (206) 679-3833
Subscribe to ONEList, our email newsletter!
Practical advice for effective online engagement
http://www.onenw.org/full_signup
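
An added example, not part of the message above or of any Plone/Zope code: a Python audit that lists every path in a buildout tree, outside the runtime data directory, that a given account could modify. The `var` data directory, the function names and the plain POSIX owner/group/other model (no ACLs) are assumptions.

```python
import os
import stat

# Assumption: only var/ needs to be writable at runtime; adjust per buildout.
DATA_DIRS = ("var",)


def can_modify(st, uid, gids):
    """True if the account (uid, gids) can change this file or directory."""
    if uid == 0 or st.st_uid == uid:
        return True  # root bypasses modes; an owner can chmod the write bit back on
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)  # group class applies, not "other"
    return bool(st.st_mode & stat.S_IWOTH)


def writable_code_paths(root, uid, gids=(), data_dirs=DATA_DIRS):
    """Return sorted paths (relative to root, outside data_dirs) that uid can modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.relpath(dirpath, root) == ".":
            # Do not descend into the runtime data directories.
            dirnames[:] = [d for d in dirnames if d not in data_dirs]
        # The empty name stands for the directory itself: a writable directory
        # lets the account replace the files inside it.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if can_modify(st, uid, gids):
                findings.append(os.path.normpath(os.path.relpath(path, root)))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: python audit.py /path/to/buildout effective-user-name
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for rel in writable_code_paths(root, pw.pw_uid, groups):
        print(rel)
```

An empty result for the effective user means a compromise of the Zope process cannot alter code or configuration through file permissions alone.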