[Setup] Installation guide update - non-root recommendation

Steve McMahon steve at dcn.org
Wed Feb 6 02:12:08 UTC 2013


On Tue, Feb 5, 2013 at 2:36 PM, Mikko Ohtamaa <mikko+plone at redinnovation.com> wrote:

> ...
> Questions I have immediately in my mind include:
>
> Does 4.3 installer mean I need two UNIX user accounts (one for buildouting,
> one for launching the daemon)
>

By default yes. It also sets up a group that contains both users.


>
> How one is supposed to update src/ files on run buildout? As a sudo and
> root?
>

With a command like:

sudo -u plone_buildout bin/buildout

The buildout also has a component that precompiles .py and .po files so
that the daemon user doesn't have to do this. The common group is used so
that the daemon and buildout users can both write to ./var.


>
> Do you still need to launch the site as a root and you cannot do
> bin/instance restart as a normal user?
>

It would typically be:

sudo -u plone_daemon bin/instance ...

or by having supervisor set up to run it as plone_daemon.

The security gain from all this extra work is to prevent the daemon user
processes from being able to write into anything other than var. In
particular, prevent them from writing into code and configuration
directories.
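
One way to check the property described in the reply above, as an added example that is not part of the original message or of the Plone installer: list everything outside ./var that the daemon account could write to. The function names, the install path and the group name in the usage comment are placeholders assumed for illustration; plone_daemon is the account named in the message.

```shell
#!/bin/sh
# Added example (not from the Plone installer): audit an install root for
# paths outside ./var that the daemon account is able to modify.
#
# A path counts as writable by the daemon when it is
#   - owned by the daemon user and owner-writable, or
#   - in the group shared with the buildout user and group-writable, or
#   - world-writable.
# Symlinks are skipped because their own mode bits are always permissive.
#
# Usage (path and group name are placeholders):
#   check_install /path/to/plone/zinstance plone_daemon SHARED_GROUP

daemon_writable_outside_var() {
    root=${1%/}     # strip a trailing slash so the -path match on var works
    daemon=$2       # daemon user name or numeric uid
    group=$3        # shared group name or numeric gid
    find "$root" -path "$root/var" -prune -o \
        ! -type l \( \
            \( -user "$daemon" -perm -200 \) -o \
            \( -group "$group" -perm -020 \) -o \
            -perm -002 \
        \) -print
}

# Returns 0 when the daemon can write only inside ./var, 1 otherwise.
# Offending paths are reported on stderr.
check_install() {
    offenders=$(daemon_writable_outside_var "$@")
    if [ -n "$offenders" ]; then
        printf 'writable by daemon outside var:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}
```

The check reads mode bits and ownership only, so ACLs or a daemon account that belongs to additional groups are not covered.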

