|
Rob, Our security programs are built on the exit points for FTP and don't look to see which version of the crtxxx command the IBM FTP server might be using. If you give a user the ability to upload a file via put (or equivalent like mput, etc.) they can do it. If you don't give them the ability to do an upload they can't regardless of how many copies of the crtxxx command might be in the library list. It's granular to the file level. Also, we restrict use of the OS/400 commands on the FTP command line via the exit points. You can deny use of any AS/400 commands, create a list of valid commands, or provide unrestricted access to commands. Securing FTP via the exit points is what IBM recommends for FTP security. Patrick Rob Berendt wrote: > > Tim, > > I agree with Pat that IBM likes to qualify their command names > with QSYS. > > Pat, > Can your product actually address Tim's problem? Can it take an > incoming command; and qualify it with a library name, NEWSYS? We > use our inhouse FTP program that we downloaded off of IBM's web > site and modified for our purposes. This kind of flexibility is > what I like about in house programs. > > townsend@patownsend.com on 10/15/98 03:08:30 PM > Please respond to MIDRANGE-L@midrange.com@Internet > To: MIDRANGE-L@midrange.com@Internet > cc: > > Subject: Re: FTP server authority issue > > Hi Tim, > > It is quite common for IBM to qualify command usage to point to the QSYS > library. Just look at the source for QSTRUPPGM as an example. It would > probably take an IBM'er to really answer this question. I would suspect > that the proper way to secure FTP is with the exit points. Gee, who do > we know who has an FTP security product <g> ??? > > Patrick > -- > IBM AS/400 communications, FTP automation, and network security > software and consulting services. > > mailto:townsend@patownsend.com > http://www.patownsend.com > > Tim McCarthy wrote: > > > > Can anyone verify this: > > > > A customer is running the OS/400 FTP server under V4R2. They have a > > modified system library list that has a user library NEWSYS prior to QSYS > > in which they have created versions of IBM commands - one of which is > > CRTPF. All users have had authority revoked to the original commands in >QSYS. > > When running an FTP session, users authorized to the new CRTPF command can > > run the command QUOTE RCMD CRTPF QGPL/myfile etc.. successfully. However > > when they try to use PUT to send to the file QGPL/myfile (which does not > > exist) they get an error "Unable to open or create target file MYFILE in > > library QGPL". I've checked out the FTP server job log and the library list > > does include NEWSYS in the library list ahead of QSYS. Interestingly the > > server joblog error states "Not authorized to command CRTPF in library > > QSYS". Has the FTP server program changed to use the CRTPF command in QSYS > > explicitely? If so, this would seem to be a security hole. > > > > Tim > > Tim McCarthy > > TrailBlazer Systems Inc. > > AS/400 E-Commerce communications > > +--- > > | This is the Midrange System Mailing List! > > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > > | Questions should be directed to the list owner/operator: >david@midrange.com > > +--- > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- > > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- -- IBM AS/400 communications, FTP automation, and network security software and consulting services. mailto:townsend@patownsend.com http://www.patownsend.com +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.