#5 — harmonise plone.app.blob with greater security applied to directories and to Python processes in (for example) ZEO cluster environment
by Graham Perrin, last modified Feb 21, 2009 10:15 PM
| State | Rejected |
|---|---|
| Version | — |
| Area | Functionality |
| Issue type | Bug |
| Severity | Medium |
| Submitted by | Graham Perrin |
| Submitted on | Oct 24, 2008 |
| Responsible | — |
| Target release | — |
See for example
http://dev.plone.org/plone/ticket/8629
> chown and chmod commands might apply to ${buildout:directory}/var/????storage
> (that is: both var/blobstorage and var/filestorage)
— in particular, considerations (1), (2) and (3) within that ticket 8629.
Added by Andreas Zeidler on Oct 30, 2008 04:00 PM
As setting the storage directory's permission isn't a responsibility of `plone.app.blob`, but rather of the buildout/installer used to set up that directory, I'll leave this to be resolved via the above-mentioned ticket, i.e. probably by Steve (where it's in good hands anyway ;))
Issue state: unconfirmed → rejected
Added by (anonymous) on Oct 30, 2008 11:18 PM
I've tried to use plone.app.blob but ran into this issue.

```
drwx------ 2 zeo root 4096 Oct 23 17:28 blobstorage
drwx------ 3 plone root 4096 Oct 30 15:30 client1
drwx------ 3 plone root 4096 Oct 30 15:55 client2
drwx------ 2 zeo root 4096 Oct 30 15:55 filestorage
```

where buildout.cfg contains:

```
[zeoserver]
...
effective-user = zeo
[client1]
...
effective-user = plone
shared-blob = on
```

I believe this means that client1 runs as user "plone" and needs to access the blobstorage directory that it shares with the zeoserver. With the set of permissions shown that is not possible.

Starting client1 in debug mode (plonectl client1 debug) yields:

```
OSError: [Errno 13] Permission denied: '.../zeocluster/var/blobstorage'
```

It seems that either putting zeo in the plone group, or making both zeoserver and clients run as the same user would work. This does not seem to be the intent of the default zeocluster setup.

I'd love to see a solution, and thanks in advance.
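
An added example, not part of the thread or of plone.app.blob: it applies the POSIX owner/group/other rule to the listing in the comment above to show which effective-user can work in each directory. The group memberships in `ACCOUNTS` and the shared group `zope` with mode `drwxrwx---` are assumptions made for illustration, not the resolution chosen in ticket 8629; ACLs and root are ignored.

```python
# Added example, not from the thread. Listing copied from the comment above.
LISTING = """\
drwx------ 2 zeo root 4096 Oct 23 17:28 blobstorage
drwx------ 3 plone root 4096 Oct 30 15:30 client1
drwx------ 3 plone root 4096 Oct 30 15:55 client2
drwx------ 2 zeo root 4096 Oct 30 15:55 filestorage
"""

# Assumption: each effective-user belongs only to a same-named group.
ACCOUNTS = {"zeo": {"zeo"}, "plone": {"plone"}}


def parse_listing(text):
    """Map directory name -> (owner, group, nine permission characters)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0].startswith("d"):
            entries[fields[-1]] = (fields[2], fields[3], fields[0][1:10])
    return entries


def can_use(entry, user, groups):
    """True if a non-root user gets read, write and search on the directory.

    POSIX picks exactly one class (owner, else group, else other); a denied
    owner or group class does not fall through to a more permissive one.
    """
    owner, group, perms = entry
    if user == owner:
        triad = perms[0:3]
    elif group in groups:
        triad = perms[3:6]
    else:
        triad = perms[6:9]
    return triad[0] == "r" and triad[1] == "w" and triad[2] in "xst"


def audit(entries, directory, accounts=ACCOUNTS):
    """Report, per account, whether it can work inside the directory."""
    return {u: can_use(entries[directory], u, g) for u, g in accounts.items()}


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    print("as listed:", audit(entries, "blobstorage"))
    # Hypothetical fix: shared group "zope" owns the directory, mode drwxrwx---.
    entries["blobstorage"] = ("zeo", "zope", "rwxrwx---")
    shared = {"zeo": {"zeo", "zope"}, "plone": {"plone", "zope"}}
    print("shared group:", audit(entries, "blobstorage", shared))
```

Group membership takes effect only when the directory's group matches and its group triad grants access, so any change to accounts has to be paired with the `chown`/`chmod` on both `var/blobstorage` and `var/filestorage` that the ticket discusses.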
Added by Graham Perrin on Oct 31, 2008 12:44 PM
To (anonymous):
We have some discussion at
http://n2.nabble.com/ZEO-cl[…]D-on-tp1305155p1305155.html
and more recently, a guiding comment at
http://dev.plone.org/plone/ticket/8629#comment:2
In this context, http://plone.org/products/plone.app.blob/issues/5 is rejected.
To Andreas:
Thanks, understood :)
