> Richard J. Serrano wrote:
> >
> > Agreed: It does take a valid user id & password to log onto the AS/400 through FTP.
> > BUT, when 86% of theft or misuse of data is attributed to the "authorized user" with a valid
> > user id & password, they are more of a security threat than anyone cares to admit.
> >
> > Disagree: Appropriate object authority to the file(s) being accessed is needed.
> > Using FTP, an authorized user has unabated access to ALL objects on the AS/400. Try it.
>
> This is nonsense. Object authority reigns supreme on the AS/400, you
> just have to understand how it works. A user must have authority to
> an object (either directly or indirectly) or must have one of the
> relevant special authorities in order to have access to AS/400
> objects. FTP cannot magically bypass OS/400 object authority.

John is correct. Object authority reigns supreme even for FTP. I've done enough testing to know this is true with my FTPTOOL application.

> > Set up a test profile, with a valid user id & password, but grant NO authority to anything on
> > the 400.
> > Then, use FTP through DOS, as outlined, and see what happens... Access to the whole enchilada...
>
> Wouldn't this new user be a member of *PUBLIC? Does *PUBLIC have
> authority to the whole enchilada?

Good point. Most don't take the time to exclude *PUBLIC on their systems. If *PUBLIC has authority to directories, libraries, sure you'll be able to access them.

Bradley V. Stone
e-RPG! - www.bvstools.com/erpg.html
BVS/Tools - www.bvstools.com
Netshare400 - www.netshare400.com

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---