HP3000-L Archives

February 2003, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Tony Summers <[log in to unmask]>
Reply To:
Tony Summers <[log in to unmask]>
Date:
Wed, 26 Feb 2003 09:24:11 +0000
I had exactly the same problems and, alas, I know of no solutions.

Starting backwards, the Vesoft solution only worked pre-MPE 6.0. When FTP was incorporated into Jinetd then the rug was pulled from under Vesoft's feet.

As for the traversing accounts issues, I have had to accept that this is a security loophole in the implementation of FTP on MPE. We have our HP3000s inside our firewall; but that still leaves the system open to attack from the wiser members of the development team. As our "real" users use Vesoft to log on (they type their staff code, which Vesoft translates to the relevant Hello x,y.z), they're not really aware of the underlying concept of MPE user/account.

If security really is an issue then I would recommend you set up a separate (NT?) FTP server (e.g. BlueZone) next to the HP3000 and use this as a stepping stone to the HP3K. In this configuration you wouldn't have JInetD running - you would only be using the FTP client part on the HP3K to collect files put on the NT server.

For us, I ended up restricting the HP3K FTP server to only allow connections from other HP3Ks in our network - even so, the development staff could break the system should they wish.

>>> Greg Chaplin <[log in to unmask]> 26/02/03 01:42:19 >>>
I am setting up the FTP Server on our hp3k and am running
into a number of problems.

I have read all the FTP Server documentation that I can
find, and dozens of informative messages in the archives.
Whilst I picked up a few useful hints, none of these helped
solve my problems. My questions are being looked at by
regional HP people, but I thought I'd ask the list as well.

We are on 6.5, with the following patches for FTP as
listed in HPSWINFO:
FTPFDP2A  GENERAL FIXES FOR FTP FOR 6.5 RELEASE (A Patch).
FTPFDU8A  GENERAL FIXES FOR FTP FOR 6.5 RELEASE (B Patch).
FTPGD63A  GENERAL FIXES FOR FTP FOR 6.5 RELEASE (G Patch).

On our crash'n'burn box (named Kenny, after the poor
unfortunate character in South Park), we have applied the
latest patch, as advised by HP:
FTPGDN0A  GENERAL FIXES FOR FTP FOR 6.5 RELEASE (L Patch).

We also have Vesoft's Security/3000 running.

My problems are:

1. FTP users, other than anonymous, can traverse to
ANYWHERE on the system.
Most accounts are secure from files being deleted or
from uploads, but any file can be downloaded from the hp.
This security hole must be blocked, but I'm not sure how
without adversely affecting other things.

I set up a user with minimal capabilities (IA,SF,ND)
the same as the anonymous user USER.FTPGUEST.
The account for that user has the same capabilities
as the FTPGUEST account. Logged on as this user
I can still traverse to, & download from, anywhere.

How can I restrict ftp users to their home group,
the same as anonymous and USER.FTPGUEST?

2. How can I restrict ftp logons to specific users?
I would like to restrict ftp logons to anonymous and to
a couple of specific users.

3. How can I use Security/3000 for ftp logon control?
I know that the latest patch mentioned above allows
session/password logon syntax, but it appears that it
does not enforce it so it doesn't help. What I want is to
use Security/3000 for ALL ftp logons.

Thanks for any help on this.

------------------------------------------------------------------------------------------
Greg Chaplin
www.unisuper.com.au 
[log in to unmask] 
UniSuper
Level 37, 385 Bourke Street
Melbourne  VIC  3000
Australia
Phone: 61 3 9691 4145
Fax:   61 3 9691 4141

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *


