Date: 04-04-06 03:04
I am obviously a sub newbie, but here goes...
I'm thoroughly confused by the permission system in FreeBSD and need some clarification.
I'm trying to install Zope and have been advised to install it as a user not as root and also not as nobody, for security reasons - the idea being that if another program is running as nobody and is breached, then an intruder might gain access to Zope's database. And I guess this also means that if Zope was breached and it was owned by root that would be even worse. Right?
OK, so if I install Zope as a user I create called 'zope' and make that user belong to the group 'zope' does that cause any problems like zope not being able to run programs not owned by 'zope'? I was imagining that if Zope wasn't a member of the wheel group, then I wouldn't be able to su to root if I needed to at some point, or is making Zope a member of the wheel group a security risk, and if so why?
Also, one set of installation instructions I ran across (on the Plone site) indicated that it was important to install as a regular user (not root), but NOT as the user Zope would ultimately run under, for security reasons. So why can't I just install Zope as user 'zope' ?
This is where more confusion lies: I noticed in the makefile from the zope 2.7.8_1 port that the "zope user" is set to be 'www'. But I thought users were real people. Also Apache is frequently set to run as user 'www'. What's going on?
Now for more confusion. Zope runs on Python. My system (PCBSD) already has Python 2.4 installed but the latest version of Plone requires Zope 2.7.8_1 which only runs on Python 2.3. So the Zope port installed Python 2.3 in the same /usr/local/bin as version 2.4. Is this going to cause a problem? If I have to uninstall Python 2.3 and reinstall as user 'zope' or my regular account, will some files of the same name common to Python 2.3 and 2.4 get erased? This is potentially a big problem as I don't know how PCBSD installed Python 2.4. If I had to reinstall version 2.4 I wouldn't know what compiler switches to use for optimum performance. I'll be damned if I have ot reinstall PCBSD too! Should I use 'pkg_delete' or 'make deinstall' in the port tree? What's the difference?
I originally installed Zope as root, so Python 2.3 also got installed that way. Now I uninstalled Zope so as to do it over as user 'zope' but haven't yet uninstalled Python to reinstall as another user, presumably 'zope'. Is this necessary or can I just chown Python and Zope?
Wait, there's more! Zope instructions talk about setting SUID bit in the zope.conf file. What's that for?
I'm confused as to what users are, and if programs get installed in different directories depending on who I am when I install them and whether a program's ability to access other necessary programs (like Zope using Python 2.3) requires identical permissions, or do programs just figure out where other programs they need reside? I did notice that part of the configure shell script explicitly shows the path to Python, however.
All the books I've read don't really address these issues in depth.
To make matters worse, Zope has its own definition of a user, but I think I understand that and that it's not related to the Unix definitons above.