Validate user on FreeBSD

Dan Nyanko cp_ru at chilitech.net
Fri Mar 21 12:52:32 EST 2003


Steven Taschuk <staschuk at telusplanet.net> wrote in message news:<mailman.1048222276.31387.python-list at python.org>...
> Quoth Dan Nyanko:
> > What I have working so far is the client can send a file across the
> > link to the server, and it is written into the directory that the
> > server program resides in.  I would like to add an authentication step
> > that would send it to the valid user's home directory, e.g.
> > /home/cp_ru/filename.tar.gz
> 
> Can't the client just specify a filename of "/home/cp_ru/filename"?

Yes, but I want transparency.  The server should be smart enough to
say, "hey this is cp_ru, and his password is valid.  Therefore, I
should store his file into his home directory."

> That seems to do more or less what you want, but it points out a
> gaping security hole in the server; the client could specify a
> filename of, say, "/etc/passwd", which would be bad.  (I assume
> the server is running as root so it can bind to port 510.)

Yes I see your point.  Obviously I'll need the server to run as an
unprivileged user that only has read/write to the validated user's
home directory.

I put port 510 for no other reason than that I was reading about FCP when I
wrote the program.  I guess I was thinking along the lines of
cryptography and a secure protocol for sending files across tcp/ip... 
Of course, my code does not accomplish any of that but I would like
for it to do so in the future.

> Why not just use ftp or sftp?

This is a learning project and a hobby.  Using existing programs is
not why a person visits comp.lang.*
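
Added example, not part of the original post: one way a server could confine a client-supplied filename to the authenticated user's home directory, so that a request for "/etc/passwd" cannot leave it. The function names `resolve_upload_path` and `store_upload` are hypothetical, and `home_dir` is assumed to come from the account lookup (for example `pwd.getpwnam(user).pw_dir`) after the password check succeeds.

```python
import os
import tempfile

def resolve_upload_path(home_dir, client_name):
    """Map a client-supplied filename to a path inside home_dir, or raise ValueError."""
    home = os.path.realpath(home_dir)
    # Keep only the last component: "/etc/passwd" and "../../etc/passwd" become "passwd".
    name = os.path.basename(client_name.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("unusable filename: %r" % (client_name,))
    # realpath() follows symlinks, so a link planted in the home directory
    # that points elsewhere is caught by the containment check below.
    dest = os.path.realpath(os.path.join(home, name))
    if os.path.commonpath([home, dest]) != home:
        raise ValueError("path escapes home directory: %r" % (client_name,))
    return dest

def store_upload(home_dir, client_name, data):
    """Write data to a new file under home_dir; never overwrite or follow a link."""
    dest = resolve_upload_path(home_dir, client_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)  # raises FileExistsError if dest already exists
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest

if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for /home/cp_ru.
    home = tempfile.mkdtemp()
    for requested in ("filename.tar.gz", "/etc/passwd", "../../etc/passwd", ".."):
        try:
            print(requested, "->", store_upload(home, requested, b"data"))
        except (ValueError, FileExistsError) as exc:
            print(requested, "-> rejected:", exc)
```

The path check complements, and does not replace, running the server as an unprivileged user as discussed in the message above.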
