Date: Sun, 16 Feb 2003 16:15:33 -0600 (CST)
From: Kirk Strauser <kirk@strauser.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/48343: Several issues with the www/zope port
Message-ID: <200302162215.h1GMFXw3023042@kanga.honeypot.net>

>Number: 48343
>Category: ports
>Synopsis: Several issues with the www/zope port
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 16 14:20:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Kirk Strauser <kirk@strauser.com>
>Release: FreeBSD 4.7-STABLE i386
>Organization: The Strauser Group
>Environment:
System: FreeBSD kanga.honeypot.net 4.7-STABLE FreeBSD 4.7-STABLE #0: Tue Feb 11 18:38:37 CST 2003 root@kanga.honeypot.net:/usr/obj/usr/src/sys/HONEYPOT_KANGA i386

>Description:
There are several problems with upgrading the current www/zope port,
ranging from inconvenient (having to reset directory permissions to start
the program) to potentially disastrous (data loss, opening of security
holes). After upgrading a pre-existing Zope installation:

1) Permissions are not compatible with starting Zope.
   ${PREFIX}/www/Zope/var is owned by `www' instead of `root', which causes
   this error message to be logged to ${PREFIX}/www/Zope/var/zope-output
   (and Zope to refuse to start):

     IOError: [Errno 13] Permission denied: '/usr/local/www/Zope/var/pcgi.pid'

2) The port upgrade process overwrites ${PREFIX}/www/Zope/var/Data.fs with
   a minimal new data store, effectively deleting every object previously
   held in Zope.

3) The port overwrites ${PREFIX}/etc/rc.d/zope.sh, destroying any local
   customizations.

4) The default setup doesn't allow Zope to be restarted from its own
   control panel. Attempts cause errors such as this in
   ${PREFIX}/www/Zope/var/pcgi.log:

     Sun Feb 16 16:05:12 2003 pcgi-wrapper: Unknown error: 0 (116) unable to connect, fd=4
     Sun Feb 16 16:05:25 2003 unable to write to pid file: /usr/local/www/Zope/var/pcgi.pid
     Traceback (most recent call last):
       File "/usr/local/www/Zope/pcgi/pcgi_publisher.py", line 180, in initPCGI
         f = open(self.pidFile, 'wb')
     IOError: [Errno 13] Permission denied: '/usr/local/www/Zope/var/pcgi.pid'
     Sun Feb 16 16:05:38 2003 pcgi-wrapper: Connection refused (102) failure during connect

5) The port overwrites ${PREFIX}/www/Zope/access, which sets the default
   emergency user's username and password to standard default values,
   potentially opening a huge security hole if the sysadmin doesn't note
   the change.

>How-To-Repeat:
Install and configure Zope. Use `portupgrade' to upgrade to a newer
version (I haven't tested this with a manual upgrade, but believe that the
same problems would occur).

>Fix:
1) chown root:wheel ${PREFIX}/www/Zope/var
2) Leave `Data.fs' alone.
3) Create/overwrite `zope.sh.sample' instead; let the sysadmins make
   copies or symlinks as convenient.
4) I don't know. This used to work, but doesn't anymore.
5) Leave `access' alone.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports-bugs" in the body of the message
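
Added example (not part of the original report or of the port): a small POSIX sh helper a sysadmin could run, with Zope stopped, before and after an upgrade to detect the overwrites and ownership changes listed above. The function names and the ZOPE_HOME / RC_SCRIPT variables are assumptions; the default paths are the report's paths with PREFIX=/usr/local.

```shell
#!/bin/sh
# Added example: snapshot and compare the files the report says the upgrade touches.
# Function names and the ZOPE_HOME / RC_SCRIPT variables are hypothetical.

# Print "path|mode uid:gid|checksum" for var/, Data.fs, access and the rc script.
# $1 = Zope home directory, $2 = rc script path.
zope_snapshot() {
    for p in "$1/var" "$1/var/Data.fs" "$1/access" "$2"; do
        if [ ! -e "$p" ]; then
            echo "$p|missing|-"
            continue
        fi
        # Numeric owner/group plus mode string, taken from ls -ldn.
        meta=$(ls -ldn "$p" | awk '{print $1 " " $3 ":" $4}')
        if [ -f "$p" ]; then
            sum=$(cksum < "$p" | awk '{print $1 ":" $2}')
        else
            sum=-   # directories are tracked by owner/mode only
        fi
        echo "$p|$meta|$sum"
    done
}

# Compare two snapshot files ($1 = before, $2 = after), line by line.
# Prints one line per difference and returns 1 if anything changed.
zope_compare() {
    changed=0
    while IFS='|' read -r path meta sum <&3 &&
          IFS='|' read -r path2 meta2 sum2 <&4; do
        if [ "$meta" != "$meta2" ]; then
            echo "CHANGED owner/mode: $path ($meta -> $meta2)"
            changed=1
        fi
        if [ "$sum" != "$sum2" ]; then
            echo "CHANGED content: $path"
            changed=1
        fi
    done 3<"$1" 4<"$2"
    return $changed
}

# Command-line use: "snapshot" writes to stdout, "compare" takes two snapshot files.
case "${1:-}" in
    snapshot) zope_snapshot "${ZOPE_HOME:-/usr/local/www/Zope}" \
                            "${RC_SCRIPT:-/usr/local/etc/rc.d/zope.sh}" ;;
    compare)  zope_compare "$2" "$3" ;;
esac
```

A "CHANGED content" line for access after an upgrade is the cue to restore the saved copy and reset the emergency user's credentials before Zope is started again.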