Good morning everyone,
I'm launching a new business this summer that will focus on public/private partnerships to address cybersecurity policy and infrastructure certification in the hopes of preventing attacks in the first place--or at least mitigating risk through something more comprehensive than just defensive posture. Cyber vendors are still almost entirely response-oriented. Someone has to work the other end. Most especially vital within critical infrastructure, industrial SCADA, and co-lo or other network providers.
At any rate, I'm brand new to Plone and am leaning towards Plone 5 for the CMS for the underlying site for which I'm just now starting to put the architecture together. WordPress, Drupal, Joomla, etc. are non-starters for their extensive history of security vulnerabilities.
I'm using a Pair Networks VPS for the hosting, and will move to their dedicated servers as soon as needed after we launch. I've been with them for 22 years. I know them. I trust them. They are world-class and top-notch with security. However, Pair (IMHO understandably) does not provide root access except for co-location and a few other services I'm not ready for.
I know that Plone requires root to install some of the required libraries, and presumably to set up the ZEO daemon. I can work with this -- Pair's support team can do the install for me for a very minor fee. What I can't tell from the Plone documentation and install instructions I've seen so far is whether or not it requires root after it is installed and up-and-running. If that's the case, I'll need to switch to one of Pair's other service lines sooner rather than later.
Can anyone here tell me if I'm going to need that kind of access on a day-to-day or regular basis after everything is up and running?
The server will be running Ubuntu. My local testing/pre-production server will be either Ubuntu or Kali.
(Caveat: understood and accepted that I may need it again to install updates or patches every now and then. I'm talking day-to-day operation as the CMS powering both a public-facing website and a secure extranet for clients.)
Neither you nor your hoster has experience with Plone...this is not a good combination for running a Plone installation. Either search for a Plone hoster with dedicated Plone background or outsource the Plone responsibility to a Plone consultant or a Plone company.
Fair enough, but I'm perfectly capable of learning and you gotta start somewhere, right? I've spent years working on a broad range of CMS platforms and deploying complex enterprise software. I've engineered some myself. I know Linux reasonably well. I'm not a casual or technically unsophisticated user. I have MUCH to learn -- it is a new platform after all. But I also have time and flexibility on my side to do so. And yes, I will be working with Plone consultants at some point and have already reached out to two firms over the last few days.
For now though, I just need some basic requirements questions answered. That said, I would appreciate actual specifics about what makes Plone, in your mind, require a host with experience running it.
So what is the question? You can install Plone itself in userland and ask your hoster for further support as root when needed...what is the further question here?
Does it require root after install, for day-to-day use?
Usually not, but never say never again...
I have looked at your provider's web site, and if you can't ask them to set up LXD and a few redirection rules on your server and deploy Plone yourself in a container (where you can be 'root' while being a mere user at the main computer level), using Ansible Plone (for example), I'd say that at $200 a month their service is too expensive.
It is perfectly possible to learn hosting of Plone sites. I coached several teams in the past to do so and all learned it. Without coaching it will take longer, but it's possible. But there are plenty of possible problems to run into, as always when it comes to complex systems. So in any case, having an experienced coach in the background may save money and gives happier customers.
If all the required system libraries are in place, Plone may be installed and run by an unprivileged user.
You can gain some operating security, though, by installing Plone and running it via separate user profiles. This is a common Unix paradigm, and the idea is that the long-running (daemon) processes should run under restricted user identities that can't change configuration and program files. (Also, these special user identities are usually set up so that they don't allow logins.)
One of the common problems that some PHP programs have had over the years is that they often don't follow this paradigm. That makes them easy to install -- because the program itself can be used to modify its configuration files -- but hard to secure.
So, while it's easy to install and run Plone without having superuser rights, most experienced Plone admins don't do it that way for the same reasons we wouldn't run Nginx, haproxy or Varnish as normal login users. And, speaking of those programs, it's important to realize that Plone installation is nearly always going to require administering all those programs (or their equivalents). Again, superuser rights required.
If Plone has a strong security record, it's in part because we have a generally security-conscious community that knows that security is hard and its work ongoing. It requires an understanding of the full system and stack. The negative reaction of some of the folks in this thread may have come because they wondered if you were seeking a shortcut to avoid this commitment.
Steve, thanks for the most helpful and thorough of replies -- this addresses the original post question perfectly, and gives me all the amplifying details I needed. I appreciate the time.
Incidentally, the reaction from some was somewhat surprising. An assumption without asking of someone's skill and capacity to work with the system or that they would be trying to circumvent a sincere commitment to security is, I find, rather baffling. On the latter point especially since, as I noted in the original post, I work professionally in cybersecurity and technology certification.
But anyway, I thank you again.
And to everyone else above, thank you also for your time.
Quite many people use two unprivileged users for Plone purposes - one to buildout with and one to run the instance with. The default installers have nudged people this way for a while now.
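As an added illustration of the separation described in Steve's reply and the two-user (buildout user / instance user) split just mentioned, here is a small audit script of my own, not code from Plone or from anyone in this thread. It checks, from mode bits alone, that the user running the instance cannot modify the buildout-owned code and configuration but can write the runtime data under var/; the directory names are the usual buildout ones, while which of them count as "code/config" versus "runtime data" is my assumption.

```python
import os
import stat
import tempfile
# Assumed classification of a buildout tree: everything the daemon user must not touch vs. what it must write.
PROTECTED = ("bin", "parts", "eggs", "develop-eggs", "buildout.cfg")
RUNTIME = ("var",)

def writable_by(st, uid, gids):
    """Can a non-root uid/gids write this inode, judged by mode bits only (no ACLs)?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, daemon_uid, daemon_gids):
    """Sorted [(relative path, problem)]: code/config the daemon could modify, runtime data it cannot write."""
    problems = []
    for name in PROTECTED + RUNTIME:
        top = os.path.join(root, name)
        if not os.path.lexists(top):
            continue
        paths = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not matter
            can = writable_by(st, daemon_uid, set(daemon_gids))
            rel = os.path.relpath(path, root)
            if name in RUNTIME and not can:
                problems.append((rel, "daemon cannot write runtime data"))
            elif name not in RUNTIME and can:
                problems.append((rel, "daemon can modify code/config"))
    return sorted(problems)

def demo():
    """Constructed sample tree (trailing '/' = directory) with two deliberate
    mistakes, audited as a daemon uid that shares the group but owns nothing."""
    root = tempfile.mkdtemp()
    entries = [("bin/", 0o755), ("bin/instance", 0o755), ("buildout.cfg", 0o644),
               ("parts/", 0o755), ("parts/instance", 0o775),  # mistake: group-writable code
               ("var/", 0o775), ("var/filestorage/", 0o775),
               ("var/filestorage/Data.fs", 0o664), ("var/log/", 0o755)]  # mistake: not writable
    for rel, mode in entries:
        path = os.path.join(root, rel)
        os.mkdir(path) if rel.endswith("/") else open(path, "w").close()
        os.chmod(path, mode)
    return audit_tree(root, os.getuid() + 1, {os.stat(root).st_gid})
```

On a real install you would call audit_tree() with the instance user's uid and groups (from pwd/grp) against the buildout directory; the demo only needs a temp directory so it runs without root.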