[Zope] FTP Malarky with Gibberish Users
Tino Wildenhain
tino at wildenhain.de
Tue Jan 27 04:02:48 EST 2004
Hi Edward,
Edward Pollard schrieb:
> Hello all,
>
> I'm seeking to improve the security of my website. Content is maintained
> using Dreamweaver via FTP. Authentication is with LDAPUserFolder 2.3.
>
> I've never been able to get medusa to disallow anonymous/gibberish
> logins. Please tell me someone knows how to do this. I'd like users who
> type in passwords incorrectly to be denied access, not stuck in "No
> Priviledges Land - Population 1".
>
> Those people without passwords and usernames should be denied access
> entirely, not be allowed to flood my server with commands that are, of
> course, denied. It's really obnoxious to have to service those that
> would do this, rather than deny them outright.
>
> I'm game for some monkey patches, if so required.
>
> Zope 2.6.2, for those that would ask.
>
Besides using an FTP proxy, you can change some defaults
in the code to use a mechanism that is already built in.
Here is something I did:
in FTPServer.py, there is the comment at the beginning:
43 FTP Authorization
44
45 Zope supports both normal and anonymous logins. It can be difficult
46 to authorize Zope users since they are defined in distributed user
47 databases. Normally, all logins will be accepted and then the user must
48 proceed to 'cd' to a directory in which they are authorized. In this
49 case for the purpose of FTP limits, the user is considered anonymous
50 until they cd to an authorized directory.
51
52 Optionally, users can login with a special username which indicates
53 where they are defined. Their login will then be authenticated in
54 the indicated directory, and they will not be considered anonymous.
55 The form of the name is '<username>@<path>' where path takes the form
56 '<folder id>[/<folder id>...]' For example: 'amos@Foo/Bar' This will
57 authenticate the user 'amos' in the directory '/Foo/Bar'. In addition
58 the user's FTP session will be rooted in the authenticated directory,
59 i.e. they will not be able to cd out of the directory.
This means, if we fake logins without @ to have a special
folder in them, we can force authentication - and get
a changeroot for granted.
See:
460     def cmd_pass(self, line):
461         'specify password'
462         if len(line) < 2:
463             pw = ''
464         else:
465             pw = line[1]
466         self.password=pw
467         i=self.userid.find('@')
468         if i ==-1:
469             if self.server.limiter.check_limit(self):
470                 self.respond ('230 Login successful.')
471                 self.authorized = 1
472                 self.anonymous = 1
473                 self.log_info ('Successful login.')
474             else:
475                 self.respond('421 User limit reached. Closing connection.')
476                 self.close_when_done()
477         else:
478             path=self.userid[i+1:]
479             self.userid=self.userid[:i]
480             self.anonymous=None
481             response=make_response(self, self.pass_completion,
482                                    self._join_paths('/',path))
483             request=FTPRequest(path,'PASS',self,response)
484             handle(self.module,request,response)
The else part is what we want here, so we can simply forge it,
for example if we modify all userids to contain @ and the
desired path, like this:
between 466 and 477:
        self.userid=self.userid.split("@")[0]+"@/rootpathforallusers"
HTH
Tino Wildenhain
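The following is an added example, not part of the original thread and not Zope's FTPServer.py. It models the userid handling of cmd_pass shown above in plain Python, without medusa or Zope, so the effect of the one-line rewrite can be checked on a constructed user database: the shipped logic grants an anonymous session to any userid without '@', while the forced '@<root path>' rewrite sends every login through folder authentication and rejects unknown users outright. The user database, the `authenticate` stand-in for `pass_completion`, the `530` reply text and the root path `/site` are all assumptions made for this example.

```python
# Added example: models Zope 2.6 FTPServer.cmd_pass userid handling
# before and after forcing "<user>@<root path>" on every login.
from dataclasses import dataclass, field

# Constructed sample user folders: folder path -> {username: password}.
# Stands in for the distributed user folders (e.g. LDAPUserFolder) Zope consults.
USER_FOLDERS = {
    "/Foo/Bar": {"amos": "s3cret"},
    "/site": {"edward": "hunter2"},
}


@dataclass
class FTPSession:
    """Minimal stand-in for the medusa FTP channel state touched by cmd_pass."""
    userid: str
    password: str = ""
    authorized: bool = False
    anonymous: bool = False
    root: str = "/"
    responses: list = field(default_factory=list)


def join_paths(base, path):
    """Stand-in for self._join_paths('/', path): anchor the folder path at '/'."""
    return base.rstrip("/") + "/" + path.lstrip("/")


def authenticate(path, userid, password):
    """Stand-in for pass_completion: look the user up in the folder at `path`."""
    return USER_FOLDERS.get(path, {}).get(userid) == password


def _authenticate_in_path(session, i, password):
    """The 'else' branch of cmd_pass: split '<user>@<path>', authenticate there,
    and root the session in that folder on success."""
    path = join_paths("/", session.userid[i + 1:])
    session.userid = session.userid[:i]
    session.anonymous = False
    if authenticate(path, session.userid, password):
        session.authorized = True
        session.root = path
        session.responses.append("230 Login successful.")
    else:
        # Assumed reply text; Zope's real reply is produced by pass_completion.
        session.responses.append("530 Login incorrect.")
    return session


def cmd_pass_original(session, password, user_limit_ok=True):
    """Mirrors the shipped logic: a userid without '@' is accepted as an
    anonymous, unauthenticated session as long as the user limit allows."""
    session.password = password
    i = session.userid.find("@")
    if i == -1:
        if user_limit_ok:
            session.responses.append("230 Login successful.")
            session.authorized = True
            session.anonymous = True
        else:
            session.responses.append("421 User limit reached. Closing connection.")
        return session
    return _authenticate_in_path(session, i, password)


def cmd_pass_forced_path(session, password, root_path="/site"):
    """The rewrite from the thread, applied before the '@' check: every userid
    becomes '<name>@<root_path>', so the anonymous branch is unreachable and any
    client-supplied '@<path>' suffix is discarded in favour of the fixed root."""
    session.userid = session.userid.split("@")[0] + "@" + root_path
    return cmd_pass_original(session, password)


if __name__ == "__main__":
    for label, fn in (("shipped", cmd_pass_original), ("forced", cmd_pass_forced_path)):
        for user, pw in (("zzzz", "junk"), ("edward", "hunter2"), ("amos@Foo/Bar", "s3cret")):
            s = fn(FTPSession(user), pw)
            print(f"{label:8} {user:14} authorized={s.authorized} "
                  f"anonymous={s.anonymous} root={s.root} reply={s.responses[-1]}")
```

Note the trade-off the rewrite makes: because the client's own '@<path>' suffix is replaced, a user who was defined only in a different folder (the 'amos' in '/Foo/Bar' above) can no longer log in unless that folder is the chosen root, so the root path has to be the folder where all FTP users are actually defined.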