[Zope-dev] ZServer Ftp Active mode through firewall

Kent Polk kent@goathill.org
Fri, 19 May 2000 12:23:01 -0500 (CDT)


Shane Hathaway wrote:
> 
> I did some research into this today.  Note that this is actually a
> problem with the Medusa server used by Zope.

Thanks

> 3) The only remaining solution would be to bind to the data port at
> startup.  However, the accept() call and the connect() call have a very
> subtle difference: accept() creates a new socket, while connect() uses
> the socket already created.  So it would be possible to use that socket
> once but it would be necessary to close it at the end of the transfer,
> leaving subsequent connections in the same situation as before.  If
> connect() created a new socket instead, Medusa would work much better
> and I bet wu-ftpd could be less convoluted.  I don't think there is any
> alternative to connect().

Yep.

> I'm sorry I don't have a better answer for you.  I really thought we
> could solve this.  I'm surprised the proxy acted so strangely for
> you--there's no reason why it should be dealing with user permissions,
> etc.; it should only pass the data from the client to the server (with
> minor re-parsing along the way).  Perhaps a different proxy will work
> better.

Part of the problem is that we need to be able to set different
'anonymous' roles based on where one comes from. This is supported
by wuftpd and by Zope. When you pass everything through a proxy on
the Zope server host however, that capability is destroyed as the
proxy is now the only client. We tried having the proxy set usernames,
but then we need two users for each role; one for http and one for
ftp. And we will have to rewrite the proxy code to send remapped
usernames in a fashion that Zope can comprehend, as the current
proxy name remapping doesn't work with Zope. Couple these problems
with having to keep two different authentication schemes synced
leads us off a cliff very quickly.

From the number of messages I located on the net regarding this
issue it is clear that a number of people have tried this and
failed, not discovering the true cause of the problem. The use of
firewalls is quickly increasing and the problem will only get worse.
Have you considered a C shared module to handle the seteuid issue?
Maybe an option for those who really need it? Import only when
permissions indicate that seteuid is to be used?

Thanks
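The accept()/connect() asymmetry Shane describes is the whole obstacle to firewall-friendly active mode: accept() hands back a new socket per connection, while connect() consumes the one socket you already created, so a socket bound to the fixed data port (20) is good for exactly one transfer and cannot be reconnected after close(). The following is an added example written for this thread, not Medusa or Zope code. It shows the pattern that does work, which is creating a fresh socket for every transfer, setting SO_REUSEADDR, bind()ing it to the same fixed source port, then connect()ing to whatever address the client announced, and it shows that reusing the closed socket object fails. It assumes loopback and an unprivileged port picked at import time as a stand-in for port 20, because binding port 20 needs root or a seteuid/capability arrangement, which is exactly the part this message asks about.

```python
import socket
import threading

HOST = "127.0.0.1"


def _pick_free_port():
    """Constructed stand-in for FTP data port 20. Port 20 is privileged, so
    this demo takes an unprivileged port from the kernel (assumption made to
    run as an ordinary user); the point is that it stays fixed across transfers."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


DATA_PORT = _pick_free_port()


def open_data_connection(remote_addr, local_port=DATA_PORT):
    """Active-mode data connection as a firewall expects it: a brand-new
    socket, bound to the fixed source port, then connect()ed to the address
    the client gave in its PORT command. SO_REUSEADDR lets the next transfer
    bind the same local port again while an old connection sits in TIME_WAIT."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, local_port))
    s.connect(remote_addr)
    return s


def _client_side(listener, expect, out):
    """The FTP client's end: accept the server's data connection, read one
    transfer of `expect` bytes, then close first so TIME_WAIT lands here."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while len(buf) < expect:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        out.append(buf)
    listener.close()


def transfer(payload):
    """One active-mode transfer over loopback.

    Returns (bytes the client received, server-side source port, the now
    closed data socket) so the caller can see the port was the fixed one and
    can try, and fail, to reuse the socket object."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))  # fresh ephemeral port, as each PORT command announces
    listener.listen(1)
    got = []
    t = threading.Thread(target=_client_side, args=(listener, len(payload), got))
    t.start()
    data = open_data_connection(listener.getsockname())
    src_port = data.getsockname()[1]
    data.sendall(payload)
    data.recv(1)  # blocks until the client closes; returns b""
    data.close()
    t.join()
    return got[0], src_port, data


def reconnect_closed_socket(sock, remote_addr):
    """What a bind-once design would need and cannot have: connect() on the
    socket object that was already used and closed. Returns True if it
    fails with OSError (it does: the descriptor is gone), False otherwise."""
    try:
        sock.connect(remote_addr)
        return False
    except OSError:
        return True


if __name__ == "__main__":
    first, port1, used = transfer(b"RETR payload one\r\n")
    second, port2, _ = transfer(b"x" * 65536)
    print(len(first), len(second), port1 == port2 == DATA_PORT)
    print("closed socket reusable:", not reconnect_closed_socket(used, (HOST, 1)))
```

The bind()-before-connect() step is the one that needs privilege in real deployments: port 20 is below 1024, so the process must be root at that moment, drop back with seteuid() as wu-ftpd does, or on a modern Linux hold CAP_NET_BIND_SERVICE; Medusa, running unprivileged, has none of these, which is why the thread ends up asking about a C module. SO_REUSEADDR is also not optional here: after a transfer the old connection on the data port can linger in TIME_WAIT, and without the option the next bind() to the same port fails with EADDRINUSE.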