[Zope] - ZServer

Guido Sohne guido@webstar.com.gh
Wed, 27 Jan 1999 09:19:39 +0000


Scott Robertson wrote:
> 
> On Tue, 26 Jan 1999, Amos Latteier wrote:
> > Another solution would be to limit FTP access to users defined in the
> > top-level Folder. Or maybe limit the nu
> > At 02:56 PM 1/26/99 -0500, Michel Pelletier wrote:
> > >I noticed that when you FTP into ZServer it doesn't matter
> > >what userid or password you use, it always says 'Login Successful'.
> > >Of course, you're not authorized to see anything but you're still
> > >logged in and there is still an open Medusa channel.  Couldn't this
> > >be a hole into a possible Denial of Service attack?
> >
> > Sounds like it. We need to think carefully about how to limit FTP access.
> >
> > It's hard to differentiate between anonymous and non-anonymous users,
> > because authorization is defined on a per-directory basis. So basically how
> > things work now, you must 'cd' to a directory where your userid is defined
> > before you can do much. This means you can't easily evaluate the validity
> > of a user at login time. So it's hard to do things like limit the number of
> > concurrent anonymous FTP logins.

I think an expedient solution would be: if you are not authorized to see
anything, then you will be forcibly disconnected after seeing an
informational message.

If you are connected and can't view anything, then there will be little
difference to you, because what you can do (nada) when connected will be the
same as what you can do (nada) when disconnected.

> 
> Maybe do some sort of port trick where if they come in on port 5000 they
> are rooted in the top of the database and have to be defined at that level and
> if they come in at 5001 it could root them at /spam/eggs/anon or something
> like that.
> 
> > These issues deserve serious thought.
> >
> > -Amos
> 
> ---------------------------------------------------
> - Scott Robertson             Phone: 714.972.2299 -
> - CodeIt Computing            Fax:   714.972.2399 -
> -                http://codeit.com                -
> ---------------------------------------------------
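A toy model of the mitigation discussed in this thread, added here as an example and not ZServer or Medusa code: authorization stays per-folder, but at USER/PASS time the server checks whether the credentials are defined in any folder at all, disconnects unauthorized logins instead of leaving an idle channel open, and caps the number of not-yet-authenticated channels. The folder table, user names and limits are constructed sample values.

```python
# Added example (not Zope/ZServer code): login-time validity check over
# per-folder user definitions, plus a cap on unauthenticated channels.

# Constructed sample: folder path -> {userid: password}
FOLDER_USERS = {
    "/": {"admin": "s3cret"},
    "/spam/eggs": {"michel": "pw"},
}


def user_is_defined_anywhere(userid, password):
    """True if the credentials match in at least one folder.

    Per-folder authorization means a login cannot be tied to one ACL,
    but it can still be rejected when no folder defines the user.
    """
    return any(users.get(userid) == password for users in FOLDER_USERS.values())


class FtpServer:
    def __init__(self, max_pending=2):
        self.max_pending = max_pending   # cap on connected-but-not-logged-in channels
        self.pending = 0                 # channels waiting for USER/PASS
        self.authenticated = []          # userids with an open, authorized channel

    def connect(self):
        """New channel. Refuse when too many unauthenticated channels are open,
        so idle anonymous connections cannot exhaust the server."""
        if self.pending >= self.max_pending:
            return "421 Too many connections; try again later."
        self.pending += 1
        return "220 Ready."

    def login(self, userid, password):
        """USER/PASS handling. Only a user defined somewhere keeps a channel;
        everyone else gets an informational reply and is disconnected."""
        self.pending = max(0, self.pending - 1)
        if user_is_defined_anywhere(userid, password):
            self.authenticated.append(userid)
            return "230 Login successful."
        return "530 Not authorized in any folder; disconnecting."
```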