Access rights for zope webserver
Posted: Tue Nov 23, 2004 6:08 am
I need to restrict access to a file to be allowed by zope webserver script only. The Zope server is runned as a interpreted python code - there is no single file daemon like "httpd".
I created a renamed copy of python binary which I use to run the Zope server to be able to identify it in policy file. I added the following to the default role:
subject /
...
/dev/log r
/var/lib/zope/instancename r
/etc/restricted_file h
subject /usr/local/bin/python-myzope
/dev/log rw
/var/lib/zope/instancename rwx
/etc/restricted_file r
Then I reload the policy but scripts runned by Zope server still are not able to access those files. In syslog grsec reports:
Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied connect to the unix domain socket /dev/log by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100
Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied access to hidden file /etc/restricted_file by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100
Am I doing something wrong? Should I use some different design of rights to restrict the access?
Thank you.
kukacz
I created a renamed copy of python binary which I use to run the Zope server to be able to identify it in policy file. I added the following to the default role:
subject /
...
/dev/log r
/var/lib/zope/instancename r
/etc/restricted_file h
subject /usr/local/bin/python-myzope
/dev/log rw
/var/lib/zope/instancename rwx
/etc/restricted_file r
Then I reload the policy but scripts runned by Zope server still are not able to access those files. In syslog grsec reports:
Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied connect to the unix domain socket /dev/log by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100
Nov 23 10:47:06 myserver kernel: grsec: From 192.168.1.1: (default:D:/) denied access to hidden file /etc/restricted_file by /usr/sbin/kadmin[kadmin:25795] uid/euid:1000/1000 gid/egid:100/100, parent /usr/local/bin/python-myzope[python-myzope:24328] uid/euid:1000/1000 gid/egid:100/100
Am I doing something wrong? Should I use some different design of rights to restrict the access?
Thank you.
kukacz