[Zope] some confusion on ftp security.

Steve Spicklemire steve@spvi.com
Thu, 22 Mar 2001 06:04:26 -0500 (EST)


Hmm.. if I recall correctly the problem goes something 
like this:

say I have a user: joe defined in:

/company/division/branch/group/acl_users

when joe tries to FTP, should Zope be expected to search all the 400
acl_users folders in the hierarchy until it finds a match?  Or... what
if there are *two* joes, which should I check?

I think that the FTP permissions work just like HTTP permissions, they
need a context to make any sense.. and if you can't log in at the root
level.... you can't *get* to the context where you have any
permissions. Unlike HTTP, FTP has the concept of a 'login' that is
independent of traversal.  I think the current behavior is a more or
less reasonable attempt to deal with that problem.

-steve

>>>>> "CW" == Chris Withers <chrisw@nipltd.com> writes:

    CW> Patrick wrote:
    >>  Thanks for that Chris, but isn't that quite risky?  What I
    >> mean is that Medusa should not allow unauthenticated users to
    >> login at all because though one is not allowed to do anything
    >> as yet, you never know when someone will find a hack round that
    >> and then you end up with a denial of service attack or
    >> something??
    >> 
    >> ...Or am I just being over-paranoid :-(

    CW> Not at all, I totally agree... stick it in the collector :-)

    CW> cheers,

    CW> Chris

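To make the point in the post concrete, here is a small added model (not Zope's own code) of the two authentication situations it contrasts: an HTTP request carries a path, so the lookup can walk from the requested object up to the root checking each acl_users on the way, while an FTP login happens before any traversal and so only sees the root acl_users. The folder hierarchy and the two "joe" accounts are constructed for the example; the nearest-context-wins behaviour is a simplification.

```python
# Constructed example hierarchy: folder path -> users defined in that
# folder's acl_users (password stored as plain text only for illustration).
ACL_USERS = {
    "/": {"admin": "root-secret"},
    "/company/division/branch/group": {"joe": "joe-secret"},
    "/company/other": {"joe": "other-secret"},  # the second 'joe' from the post
}


def _contexts(path):
    """Yield the requested path and each ancestor folder, leaf first, root last."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])


def http_authenticate(path, user, password):
    """HTTP-style check: the request path supplies the context, so each
    acl_users from the object up to the root is consulted in turn.
    Returns (ok, folder) where folder is the acl_users that accepted the login."""
    for folder in _contexts(path):
        users = ACL_USERS.get(folder, {})
        if user in users and users[user] == password:
            return True, folder
    return False, None


def ftp_login(user, password):
    """FTP-style check: no path has been traversed yet, so the only context
    available is the root.  A user defined only deeper in the tree cannot
    log in here, and an unknown user gets no session at all."""
    return http_authenticate("/", user, password)


def global_search(user):
    """The alternative the post asks about: scan every acl_users for the name.
    With duplicate user names the result is ambiguous, which is why this model
    (like the post's argument) does not use it for authentication."""
    return sorted(folder for folder, users in ACL_USERS.items() if user in users)


if __name__ == "__main__":
    print(http_authenticate("/company/division/branch/group/doc", "joe", "joe-secret"))
    print(ftp_login("joe", "joe-secret"))   # joe is not visible from the root
    print(global_search("joe"))             # two candidate folders: ambiguous
```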