On Aug 31, 2009, at 5:25 PM, Derek Broughton wrote:
> Good guess, because www-data, by design, has very limited access to anything
> on an Ubuntu system. I would think you need to chown much more than just
> parts and var (my systems all have the entire buildout tree owned by the
> effective-user).

Having the entire buildout tree owned by Zope's effective user is not
a good idea from a security perspective. It means that if someone
exploited a security hole in Zope, they could write to Zope's
codespace. See Steve McMahon's and Erik Rose's great talk on this
topic from Plone Conference 2008 for more info on this issue and steps
to take to avoid it: http://plone.org/events/conferences/2008-washington-dc/agenda/securing-zope-and-plone-against-the-big-bad-internet
David Glick
Web Developer
ONE/Northwest
New tools and strategies for engaging people in protecting the
environment
http://www.onenw.org
work: (206) 286-1235 x32
mobile: (206) 679-3833
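
An audit for the ownership concern raised in the reply above, as an added example that is not part of the original thread or of Plone's tooling: it lists every path in a buildout tree that a given user can write to outside the directories meant to hold runtime data. Assumptions: only `var` is meant to be writable (pass `allowed=("var", "parts")` if your layout differs), only Unix mode bits are checked (no ACLs), and the user is not root.

```python
import os
import stat


def can_write(st, uid, gids):
    """Decide from mode bits alone whether uid/gids may write to this inode."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)   # owner class takes precedence
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_outside(root, uid, gids=(), allowed=("var",)):
    """Return sorted paths (relative to root) that uid can write to,
    skipping the top-level directories named in `allowed` (an assumption)."""
    gids = set(gids)
    findings = []
    # A writable buildout root lets the user rename or replace anything in it.
    if can_write(os.lstat(root), uid, gids):
        findings.append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Prune the data directories that are supposed to be writable.
            dirnames[:] = [d for d in dirnames if d not in allowed]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if can_write(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: python audit.py /path/to/buildout www-data
    root, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = os.getgrouplist(user, pw.pw_gid)
    for rel in writable_outside(root, pw.pw_uid, groups):
        print(rel)
```

An empty result means the effective user cannot modify code or configuration in the tree; anything listed is a place a compromised Zope process could write to.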