
I'm just making some changes to the way we run Zope following a recent security advisory. In the advisory it says:

“Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.”

Currently we have a dedicated Linux user that runs buildout, starts and stops the server and runs the Zope service. We're using supervisord to manage the two Zope instances we run in parallel (RelStorage backend).

Our current zope user needs write permission on more than just the log and data directory so that it can run buildout, so I opted to create an additional Linux user, zoperun, to actually run the Zope service. zoperun is in the same group as zope and only has write permissions on the var directory. This is all working fine except for one thing: I'd like the original zope user to be able to start and stop the Zope instances using supervisorctl.

I can't get this working. For example, when I try to run bin/supervisorctl status I get:

error: , [Errno 13] Permission denied: file: line: 1

I think this is because the supervisor socket doesn't have group read and write permissions:

srw------- 1 zoperun zopeour 0 Sep 30 09:00 supervisor.sock

I've set umask = 002 in the supervisord configuration but this has no effect on the supervisorctl socket.

Is there any way I can achieve what I'd like?

scarba05

2 Answers


Take a look at the unix_http_server section. Change your configuration file as below:

[unix_http_server]
file=/tmp/supervisor.sock   ; (the path to the socket file)
chmod=0770                  ; socket file mode (default 0700)
chown=zope:zoperun          ; socket file uid:gid owner
;username=user              ; (default is no username (open server))
;password=123               ; (default is no password (open server))

This makes the socket file readable and writable by users in the zoperun group:

ll /tmp/supervisor.sock
srwxrwx--- 1 zope zoperun 0 Sep 30 16:54 /tmp/supervisor.sock

Finally, add all users you want to allow to start/stop Zope instances to the zoperun group. When testing with a normal user, you will see something like this:

$ supervisorctl status
foo                              STARTING
quanta
  • I haven't done quite this but your answer included the clue I needed. I have a zope group that zope and zoperun are in, so I set `chmod=0660` in the `[unix_http_server]` section and that did the trick – scarba05 Sep 30 '11 at 10:03

The accepted answer did not work for me. I had to do an extra step. I'm running supervisor on a CentOS 7 server.

After changing the file and chown variables in /etc/supervisord.conf:

file=/tmp/supervisor.sock       ;custom
chown=carlos:mygroup       ; socket file uid:gid owner

the following error came up:

unix:///var/run/supervisor/supervisor.sock no such file

To solve it, I changed the serverurl variable under the [supervisorctl] section to point to the same path as in "file":

serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket

After that, restart supervisor and check the status to make sure everything is OK:

systemctl restart supervisord
systemctl status supervisord

Hope this helps.

  • It's the same as the accepted, upvoted answer; the only difference was the sock path to adjust, but in fact it was more of a comment than an answer IMHO – djdomi Jul 22 '21 at 10:11
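Both answers come down to two settings that must agree and one that must not be too loose: the socket `file`/`chmod`/`chown` in `[unix_http_server]` and the `serverurl` in `[supervisorctl]`. The following added example (not from either answer or from supervisor itself) parses a constructed supervisord.conf fragment and flags a world-accessible socket mode, group bits without a `chown`, and the path mismatch that produced the "no such file" error in the second answer.

```python
import configparser
import stat
from urllib.parse import urlparse

# Constructed sample mirroring the settings discussed in the thread; the
# serverurl deliberately points at the default CentOS path, not at "file".
SAMPLE_CONF = """
[unix_http_server]
file=/tmp/supervisor.sock   ; (the path to the socket file)
chmod=0770                  ; socket file mode (default 0700)
chown=zope:zoperun          ; socket file uid:gid owner

[supervisorctl]
serverurl=unix:///var/run/supervisor/supervisor.sock
"""


def parse_conf(text):
    # supervisord.conf uses ';' for inline comments, which configparser
    # only strips when told to.
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), strict=False)
    cp.read_string(text)
    return cp


def check_socket_config(text):
    """Return a list of human-readable findings about the control socket."""
    cp = parse_conf(text)
    findings = []
    if not cp.has_section("unix_http_server"):
        return ["no [unix_http_server] section: supervisorctl has no local socket"]
    sock_path = cp.get("unix_http_server", "file", fallback=None)
    mode_str = cp.get("unix_http_server", "chmod", fallback="0700")
    mode = int(mode_str, 8)
    # Any 'other' bit lets every local user start/stop the managed processes.
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("chmod=%s grants access to all local users; use 0770 or 0660 with a group" % mode_str)
    # Group bits only help if the socket is handed to the intended group.
    if mode & stat.S_IRWXG and not cp.has_option("unix_http_server", "chown"):
        findings.append("group bits set but no chown=: socket group is the supervisord user's primary group")
    # The second answer's failure: supervisorctl looking for the socket elsewhere.
    url = cp.get("supervisorctl", "serverurl", fallback=None)
    if url and sock_path:
        parsed = urlparse(url)
        if parsed.scheme == "unix" and parsed.path != sock_path:
            findings.append("serverurl points to %s but the socket is created at %s" % (parsed.path, sock_path))
    return findings


if __name__ == "__main__":
    for finding in check_socket_config(SAMPLE_CONF):
        print("WARN:", finding)
```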