[Setup] ZEO cluster filestorage and blobstorage security when zeoserver effective-user = zeo and when client1 shared-blob = on

Graham Perrin G.J.Perrin at bton.ac.uk
Fri Oct 10 20:05:39 UTC 2008



Graham Perrin wrote:
> Experimenting with Plone-3.1.5.1-ex-r2-UnifiedInstaller from launchpad
> 
> Re
> <http://dev.plone.org/plone/browser/Installers/UnifiedInstaller/trunk/HISTORY.txt?rev=22529>:
> 
>> - Set up root-install cluster to run ZEO and clients under
>> separate user ids. Don't allow clients access to filestorage.
> 
> and <http://dev.plone.org/plone/changeset/22467>:
> 
>> Tighten cluster security by using a different user for ZEO;
>> restructure var/ so that clients don't need to write to anything
>> but their own subdirectories. 
> 
> If we add plone.app.blob to the mix … 

To the [chown] section of my experimental buildout, which I'm using with
Unified Installer Technology Preview and plone.app.blob in root ZEO cluster
configuration, I have added the following lines: 

    chown -R root:plone ${buildout:directory}/var/blobstorage
    chmod -R 570 ${buildout:directory}/var/blobstorage

A result, in debug mode:

    2008-10-10 20:49:23 WARNING ZODB.blob (1081) Blob dir /Applications/Plone/zeocluster/var/blobstorage/ has insecure mode setting

My plone group comprises users plone and zeo -- 

    [macbookpro03-centrim:~] gjp22% dscl . -read /Groups/plone
    AppleMetaNodeLocation: /Local/Default
    GroupMembership: plone zeo
    PrimaryGroupID: 50
    RecordName: plone
    RecordType: dsRecTypeStandard:Groups

and unless I'm missing something: 

_both_ zeoserver (python process for which is owned by zeo) _and_ client1
(python process for which is owned by plone) require access to blobstorage
(which should be suitably secured). 

Any advice? 

Thanks
Graham
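
Added example, not part of the original post and not ZODB or Unified Installer code: a small audit of the mode question raised above, showing which of the two process owners can use the blob directory under a given mode and whether that mode would be flagged. It assumes the warning fires whenever any group or other permission bit is set, and that plain Unix permissions apply (no ACLs); the function names are hypothetical.

```python
import os
import stat

# Constructed identities mirroring the post: group plone has the members
# plone (owner of client1) and zeo (owner of zeoserver).
GROUP_MEMBERS = {"plone", "zeo"}

def flagged_insecure(mode):
    """Assumed check behind the 'insecure mode setting' warning:
    any group or other permission bit set (mode looser than 0700)."""
    return (stat.S_IMODE(mode) & 0o077) != 0

def access_for(mode, owner, group_members, user):
    """Classic Unix DAC (no ACLs, user is not root): pick the owner, group or
    other triplet that applies to `user` and render it as 'rwx'."""
    m = stat.S_IMODE(mode)
    if user == owner:
        bits = (m >> 6) & 0o7
    elif user in group_members:
        bits = (m >> 3) & 0o7
    else:
        bits = m & 0o7
    return "".join(ch if bits & bit else "-"
                   for ch, bit in (("r", 4), ("w", 2), ("x", 1)))

def audit(mode, owner, group_members=GROUP_MEMBERS, users=("zeo", "plone")):
    """Summarise who can use the blob directory and whether it is flagged."""
    report = {u: access_for(mode, owner, group_members, u) for u in users}
    report["flagged"] = flagged_insecure(mode)
    return report

def audit_path(path, owner, **kw):
    """Same audit for a directory on disk; the owner name is supplied by the caller."""
    return audit(os.stat(path).st_mode, owner, **kw)

if __name__ == "__main__":
    # 570 root:plone, as set in the [chown] lines quoted above
    print("0570 root:plone ->", audit(0o570, "root"))
    # 700 owned by zeo: not flagged, but the plone-owned client has no access
    print("0700 zeo        ->", audit(0o700, "zeo"))
    # 770 zeo:plone: both processes have access, still flagged
    print("0770 zeo:plone  ->", audit(0o770, "zeo"))
```
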