[Zope-dev] ZServer Ftp Active mode through firewall

Shane Hathaway shane@digicool.com
Fri, 19 May 2000 12:42:46 -0400


Kent Polk wrote:
> Now this gets really convoluted... :^( We have it up and running,
> but user/permissions/role translation quickly turns into a really
> bad nightmare.
> 
> Why can't root launch ZServer and have port 20 permissions? jftpgw
> has to do that to have active ftp work anyway. Why add yet another
> Point of Entry/Confusion? As I mentioned earlier, why not have it
> respond on port 20 if it has permissions, otherwise respond via
> high port#??
> 
> What am I missing here?

I did some research into this today.  Note that this is actually a
problem with the Medusa server used by Zope.

1) Zope will never have root privileges during normal operation (at
least, it's not supposed to!)  It uses root privileges to create the
server sockets then drops them just before entering the main loop
(z2.py).

2) wu-ftpd uses seteuid() to bind to the correct port.  It has to call
seteuid() every time someone makes an active connection.  The current
version of Python does not provide the seteuid() call, only the
setuid() call, which is irreversible.

3) The only remaining solution would be to bind to the data port at
startup.  However, the accept() call and the connect() call have a very
subtle difference: accept() creates a new socket, while connect() uses
the socket already created.  So it would be possible to use that socket
once but it would be necessary to close it at the end of the transfer,
leaving subsequent connections in the same situation as before.  If
connect() created a new socket instead, Medusa would work much better
and I bet wu-ftpd could be less convoluted.  I don't think there is any
alternative to connect().

I'm sorry I don't have a better answer for you.  I really thought we
could solve this.  I'm surprised the proxy acted so strangely for
you--there's no reason why it should be dealing with user permissions,
etc.; it should only pass the data from the client to the server (with
minor re-parsing along the way).  Perhaps a different proxy will work
better.

Shane
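
The accept()/connect() difference from point 3, as an added example that is not part of the original message and is not Medusa or Zope code. It assumes loopback ephemeral ports standing in for the FTP client's PORT listener and for the privileged data port 20; the function name `accept_vs_connect` is hypothetical.

```python
import errno
import socket

def accept_vs_connect():
    """Show why a data socket bound at startup serves only one active-mode transfer."""
    # Constructed stand-in for the FTP client's PORT listener (loopback, ephemeral port).
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    target = listener.getsockname()

    # Stand-in for the data socket bound while still privileged. A real server
    # would bind port 20 as root; an ephemeral port keeps this runnable unprivileged.
    data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    data.settimeout(5)
    data.bind(("127.0.0.1", 0))
    prebound_port = data.getsockname()[1]

    # Transfer 1: connect() consumes the pre-bound socket itself.
    data.connect(target)
    peer1, addr1 = listener.accept()
    data.close()  # closing the data connection is how the transfer ends

    # Transfer 2: the same socket object cannot be connected again.
    try:
        data.connect(target)
        reuse_errno = None
    except OSError as exc:
        reuse_errno = exc.errno

    # A fresh socket is required; binding it to port 20 would need root again,
    # so an unprivileged process is left with a kernel-chosen high port.
    fresh = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    fresh.settimeout(5)
    fresh.connect(target)
    peer2, addr2 = listener.accept()

    result = {
        "first_from_prebound_port": addr1[1] == prebound_port,
        "reuse_errno": reuse_errno,
        # accept() returned a new socket each time; the listener is still open.
        "accept_made_new_sockets": peer1.fileno() != peer2.fileno(),
        "listener_still_open": listener.fileno() >= 0,
    }
    for s in (peer1, peer2, fresh, listener):
        s.close()
    return result
```

The listening socket survives any number of accept() calls, while the pre-bound connecting socket is spent after one transfer, which is why binding once before dropping root does not cover later active-mode connections.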