HP3000-L Archives

September 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Lars Appel <[log in to unmask]>
Reply To: Lars Appel <[log in to unmask]>
Date: Sat, 6 Sep 1997 01:01:28 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (45 lines)

At 23:04 04.09.1997 -0600, John wrote:
>If it makes any difference, I expect we'll be running FTP on the HP3000,
>allowing remote logins to the 3000 from the Internet (this makes me
>nervous), allowing certain PC users to browse the web and continuing to run
>SendMail and DNS on the NT server.

Regarding the FTP Monitor Job you should keep an eye on a few gotchas:

* The FTP server in ARPA.SYS does not (yet?) support Anonymous FTP i.e.
  users supposed to get or put files will have to know some valid logon.

  I believe there are 3rd party solutions like OfficeExtend FTP (which
  can be found at www.3k.com) that do provide anonymous ftp (if needed).

* The FTP server in ARPA.SYS does not support an equivalent to chroot()
  in Unix (Posix?) implementations i.e. the user connected via an FTP
  session will have access to the whole MPE file system (restricted by
  his individual access rights, of course).

  While a vanilla USER.ACCT would not be able to e.g. PUT files into
  a group like PUB.SYS, he or she would definitely be able to GET files
  from there (e.g. steal your COBOL compiler or certain config files).
  You might also want to check your system carefully for RELEASEd files
  or groups with "open" write/save access (and/or special capabilities).

  I do not know if 3rd party FTPs provide some chroot() equivalent that
  allows restricting the "visible part" of the MPE/iX directory tree.
  A web server on the other hand would allow making only subsets of the
  MPE/iX directory tree visible to the client... (by setting up appropriate
  config directives). The same applies to a Samba[iX] server, by the way.

* Be careful with BA capabilities on users that are able to "logon" via
  FTP as the SITE STREAM command in the FTP server will allow them to
  stream a job (either an existing file or one they just sent by "put").

  SITE STREAM is frequently very useful but may sometimes be undesired...

In summary, make sure to spend a few minutes of careful planning before
opening the internet-connected 3000 regarding incoming FTP requests. Just
to avoid unpleasant surprises.

Regards, Lars Appel, Ratingen/Germany

PS: I recall a related discussion at the SIGWEB meeting of IPROF 1997.
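
The pre-exposure review described in the message above, sketched as an added example; it is not part of Lars Appel's message and not HP or ARPA.SYS code. The inventory line format, the account names and the `ftp=` field are constructed for illustration and are not real MPE/iX command output; an administrator would fill them in from their own listings.

```python
# Constructed inventory in a simplified, made-up format (not MPE/iX output).
INVENTORY = """\
user  MGR.WEB        caps=IA,BA,ND,SF  ftp=yes
user  GUEST.WEB      caps=IA           ftp=yes
user  BATCH.PROD     caps=BA           ftp=no
group PUB.WEB        access=R,X:ANY;W,S:AC
group INCOMING.WEB   access=R,W,S:ANY
file  CONFIG.PUB.WEB released=yes
file  INDEX.PUB.WEB  released=no
"""

def parse_inventory(text):
    """Turn each 'kind NAME key=value ...' line into a dict."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        rec = {"kind": parts[0], "name": parts[1]}
        rec.update(p.split("=", 1) for p in parts[2:] if "=" in p)
        records.append(rec)
    return records

def open_modes(access):
    """Return the write/save modes (W, S) an access string grants to ANY."""
    found = set()
    for clause in access.split(";"):
        modes, _, who = clause.partition(":")
        if "ANY" in who.upper().split(","):
            found |= {m.strip().upper() for m in modes.split(",")} & {"W", "S"}
    return sorted(found)

def audit(records):
    """Flag the three exposures the message lists for incoming FTP."""
    findings = []
    for r in records:
        if r["kind"] == "user":
            caps = r.get("caps", "").upper().split(",")
            if r.get("ftp") == "yes" and "BA" in caps:
                findings.append((r["name"], "BA capability with FTP logon: SITE STREAM can stream jobs"))
        elif r["kind"] == "group":
            modes = open_modes(r.get("access", ""))
            if modes:
                findings.append((r["name"], "group grants %s access to ANY" % "/".join(modes)))
        elif r["kind"] == "file" and r.get("released") == "yes":
            findings.append((r["name"], "file is RELEASEd"))
    return findings
```

Calling `audit(parse_inventory(INVENTORY))` on the constructed data flags MGR.WEB, INCOMING.WEB and CONFIG.PUB.WEB, and leaves the BA-only batch user alone because it cannot log on via FTP.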
