[Zope] Possible Resolution to Disable Anonymous FTP
Edward Pollard
pollej at uleth.ca
Thu Jan 29 15:58:15 EST 2004
As per previous discussions, I've been looking for a solution to
abolishing anonymous FTP while allowing users who authenticate against
a nested user folder to be able to execute the CWD / command, which our
FTP client (Dreamweaver) expects to be allowed to do (and rightly so).
I've found a solution to this problem that I would like to request
comment on:
FTPServer.py
228     elif status==401:
229         if path =='/':
230             self.respond('250 CWD command successful.')
231         else:
232             self.respond('530 Unauthorized.')
This causes the server to return a success command when the CWD /
command is executed, but the underlying mechanics (which I do not fully
comprehend) actually prevent the command from doing anything unless you
have proper privileges at the root. Indeed 'CWD /' now, for users that
do not have access to /, leaves you in the same directory.
Aside from the obvious - changing an FTP command to do something other
than what has been asked for - can anyone see anything wrong with this?
And, does line 229 need to be
229         if self.path == '/' or path == '/':
?
I'm not so sure about what self.path is compared to path.
Thanks
Edward
(For those not keeping track, a previous hack that roots all
unqualified logins in a specific acl_user folder combined with this
completely disables anonymous FTP while not preventing proper FTP
client functionality)
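
Added example, not part of the original post and not Zope's FTPServer.py: a simplified model of the CWD handling described above, showing that the 250 reply is decoupled from the session's directory and what the alternative line 229 would change. The class and function names are hypothetical, and it assumes the session path is updated only when the underlying request returns 200.

```python
# Simplified model of the CWD completion logic discussed above; NOT Zope's code.
# Assumption: the session path changes only when the backend status is 200.

class CwdModel:
    """Hypothetical stand-in for an FTP channel's CWD handling."""

    def __init__(self, start_path, also_check_session_path=False):
        self.path = start_path  # directory the session is currently in
        # True models the alternative "self.path == '/' or path == '/'" test.
        self.also_check_session_path = also_check_session_path

    def cwd_completion(self, path, status):
        """Return the FTP reply for 'CWD path' given the backend status."""
        if status == 200:
            self.path = path or '/'  # the only place the session moves
            return '250 CWD command successful.'
        elif status == 401:
            at_root = self.also_check_session_path and self.path == '/'
            if path == '/' or at_root:
                # Reply only; self.path is deliberately left untouched.
                return '250 CWD command successful.'
            return '530 Unauthorized.'
        return '550 No such directory.'


def replay(model, requests):
    """Run (path, status) pairs; return (reply, session path afterwards)."""
    results = []
    for path, status in requests:
        reply = model.cwd_completion(path, status)
        results.append((reply, model.path))
    return results


# Constructed sample: a user rooted in a nested folder, denied at / and /other.
SAMPLE = [('/', 401), ('/other', 401), ('/site/docs', 200)]

if __name__ == '__main__':
    for reply, where in replay(CwdModel('/site'), SAMPLE):
        print(reply, '->', where)
    # With the alternative test, a session already at / gets 250 for any
    # denied directory, although it still does not move.
    variant = CwdModel('/', also_check_session_path=True)
    print(variant.cwd_completion('/private', 401), '->', variant.path)
```

In this model the reply to a denied 'CWD /' is 250 while the session stays where it was, so a client that trusts the reply code will believe it is at / until its next PWD or listing.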