[Zope] ftp and virtual hosting question
Richard Barrett
R.Barrett@ftel.co.uk
Wed, 13 Mar 2002 12:05:23 +0000
At 13:44 12/03/2002 -0500, Jiann-Ming Su wrote:
>On Tue, 12 Mar 2002, Richard Barrett wrote:
>
> > Are you asking whether standard Zope can accept an FTP login and, depending
> > on the user ID presented, automatically do an FTP cd to the user's "home"
> > folder, having determined where that is by computation from which acl_users
> > folder their user ID is defined in?
> >
>
>Yes, that's what I'm asking. What's the alternative for doing a wholesale
>upload? Is WebDAV the solution?
The database being handled by Zope is a tree rooted at '/'. From your
earlier posts you have sub-trees below the root, each of which constitutes a
web site.
When delivering data to users via HTTP, you are using Apache
ProxyPass/RewriteRule with Zope's Virtual Host Monster to give the
appearance of multiple separate web sites.
However, viewed through Zope's direct interfaces, i.e. through the TCP
interfaces it provides, regardless of protocol, be it HTTP, FTP or WebDAV,
the fact that the 'virtual web sites' all exist within a common
hierarchical structure cannot be totally hidden.
So the answer to the question is No, not through Zope's direct interfaces.
But bearing in mind what you said previously, the effects of this can be
mitigated.
At 10:21 12/03/2002 -0500, Jiann-Ming Su wrote:
>That is, if I have an acl_users/ folder in /VirtualHost/Host1, how do I
>get a defined user for Host1 to ftp directly into /VirtualHost/Host1?
>
>Right now, I have to authenticate through the acl_users/ in the root folder,
>which gives me access to a bunch of other folders as well.
You may be able to achieve part of what you want to do as follows:
1. You do not have to have all the user ids declared in acl_users in
the root '/' folder.
2. You can declare the user ids, per virtual host, in acl_users within each
virtual host's 'root' folder, as per the following example layout.
/--|
   |--hosts--|
   |         |--vhost1--|
   |         |          |--acl_users
   |         |          |
   |         |
   |         |--vhost2--|
   |         |          |--acl_users
   |         |          |
3. Remove the 'FTP Access' privilege for everybody except role Manager from
'/' and 'hosts'.
4. Assign your users the local role of Member for the 'home' virtual host
folder.
5. Give the Member role the 'FTP Access' privilege for each of the virtual
host folders.
6. With this set up each user can FTP login and then FTP cd to their 'home'
virtual host folder.
7. The fact that the users do not have the 'FTP Access' privilege over the
'/' folder, indeed that their user id doesn't exist at the root folder
level, doesn't prevent them from FTP logging in.
8. The users can successfully FTP cd to their 'home' virtual host folder
having logged in, but will be prevented from FTP cd'ing to any other virtual
host folder.
9. Users cannot discover by examination the content of intermediate
folders between '/' and their 'home' virtual host folder as they cannot FTP
cd to these intermediate folders or perform FTP ls operations on them.
10. The downside is that the users have to know the path to their 'home'
virtual host folder from '/'.
How well this will work from the user standpoint depends to some extent on
the FTP access tools the user chooses.
a. I find that with this arrangement I can access and upload directory
trees and their contents using IE5 under Win2K using ftp scheme URLs of
the form ftp://<userid>:<passwd>@wickwar.ftel.co.uk:8021/hosts/vhost1/. But
note the need to embed the user id and password in the URL. You do not get
a prompt for credentials with ftp scheme URLs like you do with http scheme
URLs. You have to present them as part of the URL. This is nasty in that
someone looking over your shoulder can see them on the screen, or they are
'visible' un-encrypted in transit between your browser and the server to
any intermediate proxies. In the worst case they might even appear in some
logs.
b. WS_FTP works OK as long as the Remote Site Folder for the connection
is preset to the correct value. Otherwise, WS_FTP tries to list the folder
it first gets to: typically '/'. This fails if the user doesn't have 'FTP
Access' permissions and WS_FTP then regards the connection attempt as
having failed. Security should be better in that this is proper
connection-oriented working and the credentials are only exposed at login time.
c. Linux command line FTP presents no particular problems in use.
As for WebDAV, I cannot say how this would work as I'm not familiar with
using it.
Hope this helps your thinking on the topic.
>--
>Jiann-Ming Su jsu2@emory.edu 404-712-2603
>Development Team Systems Administrator
>General Libraries Systems Division
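As an added illustration (not Zope's own code and not part of the original post), here is a small Python model of the permission layout in steps 1 to 9 of the reply above: 'FTP Access' kept for Manager only at '/' and 'hosts', granted to the Member role on each virtual host folder, and each user defined only in its own vhost's acl_users with a local Member role there. The folder tree follows the layout in the post; the user names alice, bob and admin are made up.

```python
# Added example, not Zope's own code: a toy model of the layout, acl_users, local
# roles and acquired permission settings from the steps above. Users are made up.
class Folder:
    def __init__(self, name, parent=None):
        self.parent, self.children = parent, {}
        self.users = {}        # this folder's acl_users: userid -> global roles
        self.local_roles = {}  # userid -> local roles granted on this folder
        self.permissions = {}  # permission -> roles allowed here (unset = acquire)
        if parent is not None:
            parent.children[name] = self

    def ancestors(self):  # this folder, then each parent up to '/'
        f = self
        while f is not None:
            yield f
            f = f.parent

    def roles_for(self, userid):
        # Nearest acl_users up the tree defines the user; unknown users get no roles.
        home = next((f for f in self.ancestors() if userid in f.users), None)
        roles = set(home.users[userid]) if home else set()
        for f in self.ancestors():  # local roles cover the folder and its subtree
            roles |= f.local_roles.get(userid, set())
        return roles

    def roles_allowed(self, permission):
        for f in self.ancestors():  # unset here means acquire the parent's setting
            if permission in f.permissions:
                return f.permissions[permission]
        return set()

def build_layout():
    root = Folder("")
    hosts = Folder("hosts", root)
    vhost1, vhost2 = Folder("vhost1", hosts), Folder("vhost2", hosts)
    for f in (root, hosts):  # step 3: only Manager keeps FTP Access above the vhosts
        f.permissions["FTP Access"] = {"Manager"}
    for f in (vhost1, vhost2):  # step 5: Member gets FTP Access on its own vhost
        f.permissions["FTP Access"] = {"Manager", "Member"}
    root.users["admin"] = {"Manager"}
    vhost1.users["alice"], vhost1.local_roles["alice"] = set(), {"Member"}  # steps 2, 4
    vhost2.users["bob"], vhost2.local_roles["bob"] = set(), {"Member"}
    return root

def can_cd(root, userid, path):
    # True if the user may FTP cd into (and hence list) the folder at this path.
    folder = root
    for part in filter(None, path.split("/")):
        folder = folder.children[part]
    return bool(folder.roles_for(userid) & folder.roles_allowed("FTP Access"))
```

With this model `can_cd(build_layout(), "alice", "/hosts/vhost1")` is true while the same user cannot cd to '/', 'hosts' or 'vhost2', which is exactly why a client that lists '/' first (point b above) reports a failed connection.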