#5 — harmonise plone.app.blob with greater security applied to directories and to Python processes in (for example) ZEO cluster environment
| State | Rejected |
|---|---|
| Version | — |
| Area | Functionality |
| Issue type | Bug |
| Severity | Medium |
| Submitted by | Graham Perrin |
| Submitted on | Oct 24, 2008 |
| Responsible | — |
| Target release | — |

Last modified on Feb 21, 2009 by Matthew Wilkes
See for example http://dev.plone.org/plone/ticket/8629
> chown and chmod commands might apply to ${buildout:directory}/var/????storage
> (that is: both var/blobstorage and var/filestorage)
— in particular, considerations (1), (2) and (3) within that ticket 8629.
Added by Andreas Zeidler on Oct 30, 2008 04:00 PM
as setting the storage directory's permission isn't a responsibility of `plone.app.blob`, but rather of the buildout/installer used to set up that directory, i'll leave this to be resolved via the above mentioned ticket, i.e. probably by steve (where it's in good hands anyway ;))
Issue state: unconfirmed → rejected
Added by (anonymous) on Oct 30, 2008 11:18 PM
I've tried to use plone.app.blob but run into this issue.
```
drwx------ 2 zeo root 4096 Oct 23 17:28 blobstorage
drwx------ 3 plone root 4096 Oct 30 15:30 client1
drwx------ 3 plone root 4096 Oct 30 15:55 client2
drwx------ 2 zeo root 4096 Oct 30 15:55 filestorage
```
where buildout.cfg contains:
```
[zeoserver]
...
effective-user = zeo
[client1]
...
effective-user = plone
shared-blob = on
```
I believe this means that client1 runs as user "plone" and needs to access the blobstorage directory that it shares with the zeoserver. With the set of permissions shown that is not possible.
Starting client1 in debug mode (plonectl client1 debug) yields:
```
OSError: [Errno 13] Permission denied: '.../zeocluster/var/blobstorage'
```
It seems that either putting zeo in the plone group, or making both zeoserver and clients run as the same user would work. This does not seem to be the intent of the default zeocluster setup.
I'd love to see a solution and thanks in advance
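
An added example (not part of the thread, and not code from plone.app.blob or the installer): the POSIX owner/group/other check behind the `Permission denied` above, applied to the listed `drwx------ zeo root` directory. The numeric ids, the shared group and the `2770` mode are constructed assumptions for illustration.

```python
import os
import stat

def allowed(mode, owner_uid, owner_gid, uid, gids, need="rwx"):
    """POSIX class selection: exactly one of owner/group/other bits applies.

    Root's override and ACLs are deliberately not modelled.
    """
    if uid == owner_uid:
        shift = 6          # owner bits, even if the group bits grant more
    elif owner_gid in gids:
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    granted = (mode >> shift) & 0o7
    wanted = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(need))
    return granted & wanted == wanted

def check_path(path, uid, gids, need="rwx"):
    """Same check against a real directory, e.g. var/blobstorage."""
    st = os.stat(path)
    return allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, need)

# Constructed numeric ids; "SHARED" is a hypothetical group for both users.
ZEO, PLONE, STRANGER = 1001, 1002, 1003
ROOT_GID, PLONE_GID, SHARED = 0, 1002, 2000

def demo():
    return {
        # As listed in the thread: drwx------ zeo root, accessed by plone.
        "listed": allowed(0o700, ZEO, ROOT_GID, PLONE, {PLONE_GID}),
        # Group changed but mode left at 0700: group bits are still empty.
        "group_without_mode": allowed(0o700, ZEO, SHARED, PLONE, {PLONE_GID, SHARED}),
        # Shared group plus setgid 2770: the client can read, write, traverse.
        "shared_2770": allowed(0o2770, ZEO, SHARED, PLONE, {PLONE_GID, SHARED}),
        "zeo_2770": allowed(0o2770, ZEO, SHARED, ZEO, {SHARED}),
        # Anyone outside the group stays locked out.
        "stranger_2770": allowed(0o2770, ZEO, SHARED, STRANGER, {STRANGER}, "x"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} {'allowed' if ok else 'denied'}")
```

`check_path` runs the same test against a live directory for a given uid and group set, which helps confirm a permission change before restarting a client.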
Added by Graham Perrin on Oct 31, 2008 12:44 PM
To (anonymous):
We have some discussion at
http://n2.nabble.com/ZEO-cl[…]D-on-tp1305155p1305155.html
and more recently, a guiding comment at
http://dev.plone.org/plone/ticket/8629#comment:2
In this context, http://plone.org/products/plone.app.blob/issues/5 is rejected.
To Andreas:
Thanks, understood :)