Kent Polk wrote:
Now this gets really convoluted... :^( We have it up and running, but user/permissions/role translation quickly turns into a really bad nightmare.
Why can't root launch ZServer and have port 20 permissions? jftpgw has to do that to have active ftp work anyway. Why add yet another Point of Entry/Confusion? As I mentioned earlier, why not have it respond on port 20 if it has permissions, otherwise respond via high port#??
What am I missing here?
I did some research into this today. Note that this is actually a problem with the Medusa server used by Zope. 1) Zope will never have root privileges during normal operation (at least, it's not supposed to!) It uses root privileges to create the server sockets then drops them just before entering the main loop (z2.py). 2) wu-ftpd uses seteuid() to bind to the correct port. It has to call seteuid() every time someone makes an active connection. The current version of Python does not provide the seteuid() call, only the setuid() call, which is irreversible. 3) The only remaining solution would be to bind to the data port at startup. However, the accept() call and the connect() call have a very subtle difference: accept() creates a new socket, while connect() uses the socket already created. So it would be possible to use that socket once but it would be necessary to close it at the end of the transfer, leaving subsequent connections in the same situation as before. If connect() created a new socket instead, Medusa would work much better and I bet wu-ftpd could be less convoluted. I don't think there is any alternative to connect(). I'm sorry I don't have a better answer for you. I really thought we could solve this. I'm surprised the proxy acted so strangely for you--there's no reason why it should be dealing with user permissions, etc.; it should only pass the data from the client to the server (with minor re-parsing along the way). Perhaps a different proxy will work better. Shane