Linux – Allow all users of a group to start and stop zope using supervisorctl

linuxpermissionsplonesupervisordzope

I'm just making some changes to the way we run Zope following a recent security advisory. In the advisory it says:

“Make sure that the Zope/Plone service is running with with minimum
privileges. Ideally, the Zope and ZEO services should be able to write
only to log and data directories.”

Currently we have a dedicated linux user that runs buildout, starts and stops the server and which runs the Zope service. We're using supervisord to manage the two Zope instances we run in parallel (relstorage backend).

Our current zope user needs write permission on more than just the log and data directory so that it can run buildout so I opted to create an additional linux user, zoperun, to actually run the zope service. zoperun is in the same group as zope and only has write permissions on the var directory. This is all working fine except one thing: I'd like the original zope user to be able to start and stop the zope instances using supervisorctl.

I can't get this working. For example, when I try to run bin/supervisorctl status I get

error: , [Errno 13] Permission denied: file: line: 1

I think this is because the supervisor socket doesn't have group read and write permissions

srw——- 1 zoperun zopeour 0 Sep 30 09:00 supervisor.sock

I've set umask = 002 in the supervisord configuration but this has no affect on this superctl socket.

Is there any way I can achieve what I'd like?

Best Answer

Take a look at unix-http-server section. Change your configuration file as belows:

[unix_http_server]
file=/tmp/supervisor.sock   ; (the path to the socket file)
chmod=0770                  ; sockef file mode (default 0700)
chown=zope:zoperun          ; socket file uid:gid owner
;username=user              ; (default is no username (open server))
;password=123               ; (default is no password (open server))

This make the socket file can be read, write by users in zoperun group:

ll /tmp/supervisor.sock 
srwxrwx--- 1 zope zoperun 0 Sep 30 16:54 /tmp/supervisor.sock

Finally, add all users you want to allow start/stop Zope instance into zoperun group and testing with normal user, you will see something like this:

$ supervisorctl status
foo                              STARTING

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

windows – Granting Service Permissions to Users on Non-Domain Servers

There doesn't appear to be a GUI-based way of doing this unless you're joined to a domain - at least not one I could find anywhere - so I did a bit more digging and I've found an answer that works for our situation.

I didn't understand what the string representation meant in the knowledge base article, but doing a bit of digging led me to discover that it's SDDL syntax. Further digging led me to this article by Alun Jones which explains how to get the security descriptor for a service and what each bit means. MS KB914392 has more details.

To append to the service's existing security descriptor, use sc sdshow "Service Name" to get the existing descriptor. If this is a plain old .NET Windows Service - as is the case with ours - the security descriptor should look something like this:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA
;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

We needed to grant permissions RP (to start the service), WP (to stop the service), DT (to pause/continue the service) and LO (to query the service's current status). This could be done by adding our service account to the Power Users group, but I only want to grant individual access to the account under which the maintenance service runs.

Using runas to open a command prompt under the service account, I ran whoami /all which gave me the SID of the service account, and then constructed the additional SDDL below:

(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)

This then gets added to the D: section of the SDDL string above:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOC
RRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;RPWP
DTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)

This is then applied to the service using the sc sdset command (before the S: text):

sc sdset "Service Name" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU
)(A;;RPWPDTLO;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx)S:(AU;FA;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;WD)

If all goes according to plan, the service can then be started, stopped, paused and have it's status queried by the user defined by the SID above.

Best Answer

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

windows – Granting Service Permissions to Users on Non-Domain Servers

Related Topic