[Zope] some confusion on ftp security.
Steve Spicklemire
steve@spvi.com
Thu, 22 Mar 2001 06:04:26 -0500 (EST)
Hmm.. if I recall correctly the problem goes something
like this:
say I have a user: joe defined in:
/company/division/branch/group/acl_users
when joe tries to FTP should Zope be expected to search all the 400
acl_users folders in the hierarchy until it finds a match? Or... what
if there are *two* joes, which should I check?
I think that the FTP permissions work just like HTTP permissions, they
need a context to make any sense.. and if you can't log in at the root
level.... you can't *get* to the context where you have any
permissions. Unlike HTTP, FTP has the concept of a 'login' that is
independent of traversal. I think the current behavior is a more or
less reasonable attempt to deal with that problem.
-steve
>>>>> "CW" == Chris Withers <chrisw@nipltd.com> writes:
CW> Patrick wrote:
>> Thanks for that Chris, but isn't that quite risky? What I
>> mean is that Medusa should not allow unauthenticated users to
>> login at all because though one is not allowed to do anything
>> as yet, you never know when someone will find a hack round that
>> and then you end up with a denial of service attack or
>> something??
>>
>> ...Or am I just being over-paranoid :-(
CW> Not at all, I totally agree... stick it in the collector :-)
CW> cheers,
CW> Chris
CW> _______________________________________________ Zope maillist
CW> - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope **
CW> No cross posts or HTML encoding! ** (Related lists -
CW> http://lists.zope.org/mailman/listinfo/zope-announce
CW> http://lists.zope.org/mailman/listinfo/zope-dev )
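The lookup problem Steve describes, worked through as an added example (a toy model, not Zope's own code or its acl_users implementation). The site tree, the user names and the function names are all constructed for illustration; what the model shows is that a login is resolved by walking from the requested object's folder up to the root and taking the first acl_users that accepts the credentials, so a login with no context (FTP at the root) only ever sees the root user folder, and a blind search over every acl_users in the tree cannot tell two joes apart.

```python
"""Toy model of Zope-style nested user folders (acl_users).

Added example, not Zope's own code.  Each folder in a constructed site
tree may carry its own acl_users table.  A login is resolved against a
*context* path by walking from the requested folder up to the root and
stopping at the first acl_users that accepts the credentials (the
nearest user folder wins).  A login with no context, such as an FTP
login at the root, sees only the root acl_users, so a user defined deep
in the tree cannot get in from there.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Folder:
    """One folder; acl_users maps user name -> (salt, password hash)."""
    path: str
    acl_users: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    children: dict[str, "Folder"] = field(default_factory=dict)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.acl_users[name] = (salt, _hash_password(password, salt))

    def check(self, name: str, password: str) -> bool:
        """Constant-time comparison against this folder's own table only."""
        entry = self.acl_users.get(name)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))


def ensure_path(root: Folder, path: str) -> Folder:
    """Create (if needed) and return the folder at an absolute path."""
    node = root
    for part in path.strip("/").split("/"):
        if not part:
            continue
        child_path = node.path.rstrip("/") + "/" + part
        node = node.children.setdefault(part, Folder(child_path))
    return node


def acquisition_chain(root: Folder, path: str) -> list[Folder]:
    """Folders from the requested path up to the root, nearest first."""
    chain = [root]
    node = root
    for part in path.strip("/").split("/"):
        if not part:
            continue
        node = node.children[part]  # KeyError for a path that does not exist
        chain.append(node)
    return chain[::-1]


def authenticate(root: Folder, context_path: str, user: str, password: str) -> str | None:
    """Return the path of the user folder that accepted the login, else None.

    Only folders on the chain from the context up to the root are consulted;
    an acl_users in a sibling branch is never seen.
    """
    for folder in acquisition_chain(root, context_path):
        if folder.check(user, password):
            return folder.path
    return None


def find_users_named(root: Folder, user: str) -> list[str]:
    """A global search over every acl_users, to show why it is ambiguous."""
    found = []
    stack = [root]
    while stack:
        node = stack.pop()
        if user in node.acl_users:
            found.append(node.path)
        stack.extend(node.children.values())
    return sorted(found)


def build_site() -> Folder:
    """Constructed sample tree: a root admin and two different 'joe's."""
    root = Folder("/")
    root.add_user("admin", "admin-secret")
    ensure_path(root, "/company/division/branch/group").add_user("joe", "joe-secret")
    ensure_path(root, "/company/other").add_user("joe", "other-joe-secret")
    return root


if __name__ == "__main__":
    site = build_site()
    # HTTP-style: the request names the object, so the context is known.
    print(authenticate(site, "/company/division/branch/group", "joe", "joe-secret"))
    # FTP-style login at the root: no context, only the root acl_users is visible.
    print(authenticate(site, "/", "joe", "joe-secret"))
    # A blind search over the whole tree finds two joes and cannot pick one.
    print(find_users_named(site, "joe"))
```

The `admin` defined at the root still authenticates from any context, because the root is always the last folder on the chain; that is the only kind of account a context-free root login can ever validate in this model, which is the behaviour the thread is discussing.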