I'm just making some changes to the way we run Zope following a recent security advisory. In the advisory it says:
“Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.”
Currently we have a dedicated Linux user that runs buildout, starts and stops the server and which runs the Zope service. We're using supervisord to manage the two Zope instances we run in parallel (relstorage backend).
Our current zope user needs write permission on more than just the log and data directory so that it can run buildout, so I opted to create an additional Linux user, zoperun, to actually run the zope service. zoperun is in the same group as zope and only has write permissions on the var directory. This is all working fine except one thing: I'd like the original zope user to be able to start and stop the zope instances using supervisorctl.
I can't get this working. For example, when I try to run bin/supervisorctl status
I get
error: , [Errno 13] Permission denied: file: line: 1
I think this is because the supervisor socket doesn't have group read and write permissions
srw------- 1 zoperun zopeour 0 Sep 30 09:00 supervisor.sock
I've set umask = 002
in the supervisord configuration but this has no effect on this supervisorctl socket.
Is there any way I can achieve what I'd like?
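An added configuration example, not from the original post, showing the supervisord settings that control the socket's ownership and mode; the socket path and the group name zopeour are assumed from the listing above. supervisord sets the socket mode explicitly at startup (its chmod option defaults to 0700), which is why umask alone leaves it as srw-------; 0770 opens it to the shared group only, not to other users.

```ini
; Added example, not the poster's own config. Paths are assumed.
[unix_http_server]
file = %(here)s/var/supervisor.sock
; Applied to the socket at startup (default 0700), so umask does not
; change it. 0770 lets members of zopeour (zope and zoperun) connect
; while keeping every other user out.
chmod = 0770
chown = zoperun:zopeour

; supervisorctl must point at the same socket.
[supervisorctl]
serverurl = unix://%(here)s/var/supervisor.sock
```

After restarting supervisord, `ls -l var/supervisor.sock` should show srwxrwx--- with group zopeour, and the zope user can then run `bin/supervisorctl status` without the Errno 13.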