I'm just making some changes to the way we run Zope following a recent security advisory. In the advisory it says:
“Make sure that the Zope/Plone service is running with minimum privileges. Ideally, the Zope and ZEO services should be able to write only to log and data directories.”
Currently we have a dedicated linux user that runs buildout, starts and stops the server and which runs the Zope service. We're using supervisord to manage the two Zope instances we run in parallel (relstorage backend).
Our current zope user needs write permission on more than just the log and data directory so that it can run buildout so I opted to create an additional linux user, zoperun, to actually run the zope service. zoperun is in the same group as zope and only has write permissions on the var directory. This is all working fine except one thing: I'd like the original zope user to be able to start and stop the zope instances using supervisorctl.
I can't get this working. For example, when I try to run bin/supervisorctl status
I get
error: , [Errno 13] Permission denied: file: line: 1
I think this is because the supervisor socket doesn't have group read and write permissions
srw------- 1 zoperun zopeour 0 Sep 30 09:00 supervisor.sock
I've set umask = 002 in the supervisord configuration, but this has no effect on the supervisorctl socket.
Is there any way I can achieve what I'd like?
Take a look at the [unix-http-server] section. Change your configuration file as below:
This makes the socket file readable and writable by users in the zoperun group. Finally, add all users you want to allow to start/stop the Zope instances into the zoperun group and test with a normal user; you will see something like this:

The accepted answer did not work for me. I had to do an extra step. I'm running supervisor on a CentOS 7 server.
After changing the file and chown variables in /etc/supervisord.conf
The following error came up:
To solve it, I changed the serverurl variable under the [supervisorctl] section to point to the same path as in "file".
After that, restart supervisor and check the status to make sure everything is ok.
Hope this helps.
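Putting the two answers together, here is an added example of the relevant supervisord.conf sections; it is not a snippet from either answer. The socket path /home/zope/var/supervisor.sock is an assumption chosen to match the question's var directory; the user zoperun and group zopeour are the owner and group shown in the question's ls output. The chmod and chown options of [unix-http-server] exist in supervisord and default to 0700 and the process owner, which is why the [supervisord] umask setting (which governs the umask inherited by child programs, not the socket) never changed the socket mode.

```ini
; Added example configuration, not the original poster's or the answerers' file.
; Socket path is an assumption; adjust to your buildout's var directory.

[unix-http-server]
file=/home/zope/var/supervisor.sock
; Default is 0700: only the supervisord user (zoperun) can connect.
; 0770 lets members of the socket's group connect too. Do NOT use 0777:
; anyone who can open the socket can start/stop every managed program.
chmod=0770
; Owner:group applied to the socket when supervisord creates it.
; Every account that should run supervisorctl must be in this group.
chown=zoperun:zopeour

[supervisord]
logfile=/home/zope/var/log/supervisord.log
pidfile=/home/zope/var/supervisord.pid
; umask here applies to child processes, not to the socket above.
umask=002

[supervisorctl]
; Must match the "file" path above, otherwise supervisorctl tries the
; default socket and fails even though the real socket is now readable.
serverurl=unix:///home/zope/var/supervisor.sock
```

After restarting supervisord (the socket is created at startup, so a running instance does not pick up the new mode), `ls -l /home/zope/var/supervisor.sock` should show `srwxrwx--- zoperun zopeour`, and a user in the zopeour group can run `bin/supervisorctl status` without the Errno 13 error. Keep in mind that group access to this socket is equivalent to control over every program supervisord manages, so the group should contain only the operators who are meant to start and stop Zope.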