Date: Sat, 6 Sep 1997 01:01:28 +0100
At 23:04 04.09.1997 -0600, John wrote:
>If it makes any difference, I expect we'll be running FTP on the HP3000,
>allowing remote logins to the 3000 from the Internet (this makes me
>nervous), allowing certain PC users to browse the web and continuing to run
>SendMail and DNS on the NT server.

Regarding the FTP Monitor Job you should keep an eye on a few gotchas:

* The FTP server in ARPA.SYS does not (yet?) support Anonymous FTP, i.e.
  users supposed to get or put files will have to know some valid logon.

  I believe there are 3rd party solutions like OfficeExtend FTP (which
  can be found at www.3k.com) that do provide anonymous ftp (if needed).

* The FTP server in ARPA.SYS does not support an equivalent to chroot()
  in Unix (Posix?) implementations, i.e. the user connected via an FTP
  session will have access to the whole MPE file system (restricted by
  his individual access rights, of course).

  While a vanilla USER.ACCT would not be able to e.g. PUT files into
  a group like PUB.SYS, he or she would definitely be able to GET files
  from there (e.g. steal your COBOL compiler or certain config files).

  You might also want to check your system carefully for RELEASEd files
  or groups with "open" write/save access (and/or special capabilities).

  I do not know if 3rd party FTPs provide some chroot() equivalent that
  allows restricting the "visible part" of the MPE/iX directory tree.

  A web server on the other hand would allow making only subsets of the
  MPE/iX directory tree visible to the client... (by setting up appropriate
  config directives). The same applies to a Samba[iX] server, by the way.

* Be careful with BA capabilities on users that are able to "logon" via
  FTP, as the SITE STREAM command in the FTP server will allow them to
  stream a job (either an existing file or one they just sent by "put").

  SITE STREAM is frequently very useful but may sometimes be undesired...

In summary, make sure to spend a few minutes of careful planning before
opening the internet-connected 3000 regarding incoming FTP requests. Just
to avoid unpleasant surprises.

Regards, Lars Appel, Ratingen/Germany

PS: I recall a related discussion at the SIGWEB meeting of IPROF 1997.
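
The check a chroot()-like restriction would have to make, sketched as an added example that is not part of the original message and not code from any FTP product. It assumes a simplified name model (MPE-syntax FILE.GROUP.ACCOUNT is upshifted and treated as /ACCOUNT/GROUP/FILE, names starting with "/" or "./" are HFS paths, lockwords are not handled); the logon ACCT/FTPGRP and the jail root are hypothetical.

```python
import posixpath

def to_hfs(name, logon_group, logon_account):
    """Resolve a requested file name to an absolute HFS-style path.

    Simplified model (assumption, see lead-in): MPE syntax is
    FILE[.GROUP[.ACCOUNT]], upshifted, with missing parts taken from the
    logon group/account. Raises ValueError for names it cannot parse.
    """
    group, account = logon_group.upper(), logon_account.upper()
    if name.startswith("/"):
        # Collapse repeated leading slashes, then resolve "." and "..".
        return posixpath.normpath("/" + name.lstrip("/"))
    if name.startswith("./"):
        # HFS relative name: resolve against the logon group directory.
        return posixpath.normpath(posixpath.join(f"/{account}/{group}", name))
    parts = name.upper().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unparsable MPE file name: {name!r}")
    if not all(p.isascii() and p.isalnum() for p in parts):
        raise ValueError(f"unparsable MPE file name: {name!r}")
    if len(parts) > 1:
        group = parts[1]
    if len(parts) > 2:
        account = parts[2]
    return f"/{account}/{group}/{parts[0]}"

def allowed(name, jail, logon_group, logon_account):
    """True only if the resolved name is the jail root or lies beneath it."""
    try:
        path = to_hfs(name, logon_group, logon_account)
    except ValueError:
        return False  # fail closed on anything the model cannot parse
    jail = posixpath.normpath(jail)
    # Compare whole path components so /ACCT/FTPGRP2 does not match /ACCT/FTPGRP.
    return path == jail or path.startswith(jail + "/")

if __name__ == "__main__":
    # Constructed sample requests for a user logged on as group FTPGRP, account ACCT.
    requests = [
        "REPORT",                     # resolves inside the logon group
        "COBOL.PUB.SYS",              # fully qualified name in another account
        "./../../SYS/PUB/COBOL",      # the same file reached through ".."
        "/ACCT/FTPGRP/in/data.txt",   # HFS path below the jail
    ]
    for req in requests:
        verdict = "allow" if allowed(req, "/ACCT/FTPGRP", "FTPGRP", "ACCT") else "deny"
        print(f"{verdict:5}  {req}")
```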