Date:      Sun, 16 Feb 2003 16:15:33 -0600 (CST)
From:      Kirk Strauser <kirk@strauser.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/48343: Several issues with the www/zope port
Message-ID:  <200302162215.h1GMFXw3023042@kanga.honeypot.net>

>Number:         48343
>Category:       ports
>Synopsis:       Several issues with the www/zope port
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 16 14:20:02 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kirk Strauser <kirk@strauser.com>
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
The Strauser Group
>Environment:
System: FreeBSD kanga.honeypot.net 4.7-STABLE FreeBSD 4.7-STABLE #0: Tue Feb 11 18:38:37 CST 2003 root@kanga.honeypot.net:/usr/obj/usr/src/sys/HONEYPOT_KANGA i386


	
>Description:
There are several problems with upgrading the current www/zope port, ranging
from inconvenient (having to reset directory permissions to start the program)
to potentially disastrous (data loss, opening of security holes).  After
upgrading a pre-existing Zope installation:

1) Permissions are not compatible with starting Zope.  ${PREFIX}/www/Zope/var
is owned by `www' instead of `root', which causes this error message to be
logged to ${PREFIX}/www/Zope/var/zope-output (and Zope to refuse to start):

    IOError: [Errno 13] Permission denied: '/usr/local/www/Zope/var/pcgi.pid'

2) The port upgrade process overwrites ${PREFIX}/www/Zope/var/Data.fs with a
minimal new data store, effectively deleting every object previously held in
Zope.

3) The port overwrites ${PREFIX}/etc/rc.d/zope.sh, destroying any local
customizations.

4) The default setup doesn't allow Zope to be restarted from its own control
panel.  Attempts cause errors such as this in ${PREFIX}/www/Zope/var/pcgi.log:

    Sun Feb 16 16:05:12 2003
      pcgi-wrapper: Unknown error: 0  (116) unable to connect, fd=4
    Sun Feb 16 16:05:25 2003  unable to write to pid file: /usr/local/www/Zope/var/pcgi.pid
      Traceback (most recent call last):
      File "/usr/local/www/Zope/pcgi/pcgi_publisher.py", line 180, in initPCGI
        f = open(self.pidFile, 'wb')
    IOError: [Errno 13] Permission denied: '/usr/local/www/Zope/var/pcgi.pid'
    
    Sun Feb 16 16:05:38 2003
      pcgi-wrapper: Connection refused  (102) failure during connect

5) The port overwrites ${PREFIX}/www/Zope/access, which sets the default
emergency user's username and password to standard default values, potentially
opening a huge security hole if the sysadmin doesn't note the change.

	
>How-To-Repeat:
Install and configure Zope.  Use `portupgrade' to upgrade to a newer version
(I haven't tested this with a manual upgrade, but believe that the same
problems would occur).
	
>Fix:
1) chown root:wheel ${PREFIX}/www/Zope/var

2) Leave `Data.fs' alone.

3) Create/overwrite `zope.sh.sample' instead; let the sysadmins make copies
or symlinks as convenient.

4) I don't know.  This used to work, but doesn't anymore.

5) Leave `access' alone.
	

>Release-Note:
>Audit-Trail:
>Unformatted:
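
Added example (not part of the original report and not the www/zope port's own code): one way to implement fixes 2, 3 and 5 above, by always installing the shipped file as `<name>.sample` and creating the live file only when none exists. The function names, file contents and temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the www/zope port's own install logic.
# install_preserving SRC DEST [MODE]
#   Always refreshes DEST.sample from SRC; creates DEST from it only when
#   DEST does not already exist, so local edits survive an upgrade.
#   MODE defaults to 600 (credentials file); pass 755 for an rc.d script.
install_preserving() {
    src=$1 dest=$2 mode=${3:-600}
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    # Write the sample via a temp file and rename so it is never half-written.
    tmp=$(mktemp "${dest}.sample.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "${dest}.sample" \
        || { rm -f "$tmp"; return 1; }
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo preserved          # live file (or symlink) left untouched
    else
        cp -p "${dest}.sample" "$dest" || return 1
        echo created            # first install: start from the sample
    fi
}

# differs_from_sample DEST: succeeds when the live file has local changes.
differs_from_sample() {
    ! cmp -s "$1" "$1.sample"
}

# Constructed demo: an "upgrade" must not reset an edited access file.
demo=$(mktemp -d) || exit 1
printf 'superuser:CONSTRUCTED-DEFAULT\n' > "$demo/dist-access"  # shipped file
printf 'admin:CONSTRUCTED-LOCAL\n' > "$demo/access"             # edited copy
install_preserving "$demo/dist-access" "$demo/access"
differs_from_sample "$demo/access" && echo "access has local changes; kept"
rm -rf "$demo"
```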
