HP3000-L Archives

September 1997, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Chris Bartram <[log in to unmask]>
Date: Tue, 9 Sep 1997 13:09:04 -0400
Content-Type: Text/Plain

 In <[log in to unmask]> [log in to unmask] writes:

> At 23:04 04.09.1997 -0600, John wrote:
> >If it makes any difference, I expect we'll be running FTP on the HP3000,
> >allowing remote logins to the 3000 from the Internet (this makes me
> >nervous), allowing certain PC users to browse the web and continuing to run
> >SendMail and DNS on the NT server.
>
> Regarding the FTP Monitor Job you should keep an eye on a few gotchas:
>
> * The FTP server in ARPA.SYS does not (yet?) support Anonymous FTP i.e.
>   users supposed to get or put files will have to know some valid logon.
>
>   I believe there are 3rd party solutions like OfficeExtend FTP (which
>   can be found at www.3k.com) that do provide anonymous ftp (if needed).

True. :-)

> * The FTP server in ARPA.SYS does not support an equivalent to chroot()
>   in Unix (Posix?) implementations i.e. the user connected via an FTP
>   session will have access to the whole MPE file system (restricted by
>   his individual access rights, of course).
>
>   While a vanilla USER.ACCT would not be able to e.g. PUT files into
>   a group like PUB.SYS, he or she would definitely be able to GET files
>   from there (e.g. steal your COBOL compiler or certain config files).
>   You might also want to check your system carefully for RELEASEd files
>   or groups with "open" write/save access (and/or special capabilities).
>
>   I do not know if 3rd party FTPs provide some chroot() equivalent that
>   allows restricting the "visible part" of the MPE/iX directory tree.
>   A web server on the other hand would allow making only subsets of the
>   MPE/iX directory tree visible to the client... (by setting up appropriate
>   config directives). The same applies to a Samba[iX] server, by the way.

<plug>
The Office Extend FTP product does; you can set up profiles for each logon
you want to allow, and define the "root" directory for that user (MPE GROUP)
as well as whether you want that user to "see" the server as a Unix server or
as an MPE server.

So, in addition to individual users not being able to "browse" your entire
system, you also define exactly WHICH users can log on via ftp at all (as
opposed to the HP FTP which lets any valid MPE logon get access - as long as
you know/can-guess the passwords). (And exactly what are you supposed to do
if your system has an Internet connection and someone from across the world
starts guessing at MANAGER.SYS passwords? Not pretty, especially since if they
know it's a 3000, you KNOW that there's a MANAGER.SYS, MGR.TELESUP, and a few
other logons that are even published on hacker web sites lately)
</plug>

            -Chris Bartram


______________________/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
  Chris Bartram        Sales (US):   800 Net-Mail    Fax:+1 703 451-3720
   ______                         +1 703 569-9189    mailto:[log in to unmask]
  /__ |  \__________   Sales (Europe):+44(1480)414131 Fax:+44(1480)414134
 /  / | / ________     Sales (Pacific):+61 3 9489 8216 Fax:+61 3 9482 5124
|  /_ |<  ______       Tech Support:+1 703 569-9189  Fax:+1 703 451-3720
 \ __)| \ ___          mailto:support at 3k.com       Me: rcb at 3k.com
  \______/Associates,  6901 Old Keene Mill Rd Suite 500 Springfield VA 22150
_________________Inc._/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Gopher: gopher.3k.com   Anon-FTP: ftp.3k.com  WWW: http://www.3k.com/
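
The two controls discussed in this message (an allowlist of logons permitted to use FTP, and a per-logon root that stands in for chroot()) can be sketched as follows. This is an added example, not code from the post or from any FTP product; the logon names, paths and function names are hypothetical, and it assumes POSIX-style paths.

```python
import os
import posixpath

# Constructed profile table (hypothetical logons and roots): only logons
# listed here may use FTP at all, and each is confined to its own root.
PROFILES = {
    "FTPUSER.SALES": "/SALES/FTPDATA",
    "PARTNER.VENDOR": "/VENDOR/INBOX",
}


class AccessDenied(Exception):
    """Raised when a logon or a requested path is refused."""


def profile_root(profiles, logon):
    """Return the resolved root for a logon; refuse logons with no profile."""
    root = profiles.get(logon.upper())
    if root is None:
        # A valid system logon such as MANAGER.SYS is refused here, before
        # any password is checked, so guessing its password gains nothing.
        raise AccessDenied(f"{logon}: no FTP profile")
    return os.path.realpath(root)


def resolve(profiles, logon, cwd, requested):
    """Map a client path to a real path inside the logon's root.

    cwd is the session's current virtual directory; requested is the
    argument of a command such as RETR, STOR or CWD.
    """
    root = profile_root(profiles, logon)
    # The client sees the root as "/": join against the virtual cwd and
    # collapse "." and ".." lexically, so ".." cannot climb above it.
    virtual = posixpath.normpath(posixpath.join("/", cwd, requested))
    # Resolve links on the real file system, then re-check containment:
    # a link inside the root can still point outside it.
    real = os.path.realpath(root + virtual)
    if real != root and not real.startswith(root + os.sep):
        raise AccessDenied(f"{requested}: resolves outside the profile root")
    return real


if __name__ == "__main__":
    print(resolve(PROFILES, "FTPUSER.SALES", "/docs", "../../SYS/PUB/CATALOG"))
```

The lexical step alone keeps `..` sequences inside the root; the second check exists because a link placed inside the root would otherwise expose files outside it.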
