Joe Pluta wrote:

From: Tom Liotta
Unfortunately, that isn't actually required. There are a couple of ways to get programs into an AS/400 (iSeries, System i) that don't involve savefiles. (Hmmm... in fact, I just reminded myself of another way.)

Unless I completely miss the point, the only way to create a program (other than restoring it) is to compile it. This is another reason why many production machines don't even have compilers on them! But in any event, if you give unauthorized users the ability to upload a file and execute it (especially to create programs!), then you have a huge hole in your system.
Joe: I was going to have a short discussion with David rather than get into a more public discussion, but replies to gmane posts are just enough different from those directly through Midrange-L that my mis-click on which reply type made "Off-List" moot. Besides, Scott had already expanded in the list on the topic I was touching on.
But then, there wasn't anything painfully significant in what I sent; so it makes a useful discussion point. If nothing else, it's a demonstration of how mistakes can happen even when things might be locked down.
Not much to speak of there. I clicked wrong and the post went where it wasn't intended. Personally, I see that as a mistake that's easier to make in a GUI -- for a program, e.g., I might mistakenly double-click when I intended to single-right-click in order to select <Delete>.
Heck, even the lowliest FTP servers on the planet don't let anonymous users upload files and execute them. If an iSeries administrator isn't smart enough to lock down FTP, then you need a new iSeries administrator.
Definitely true. I was intending only to clarify for David that a savefile operation simply wasn't required; that was as far as my discussion was intending to go which is why I trimmed at that point. And it's also true that allowing anonymous execution of an uploaded file is enough to question the competence of the administrator.
Yet, it isn't easy to spread that word in this market. Percentage-wise, few in the iSeries world think in terms of 'executing files' because of how many years have gone into building the mindset -- "You can't read programs as files and you can't run files as programs." The missing element is the reference to *PGM objects which aren't exactly equal to the more general "program" label.
Convincing administrators that it's _necessary_ to be diligent is where discussions such as this one become valuable. They help illustrate why such controls are important even on a system where "you can't run files as programs".
At the same time, I agree that too many people allow remote command execution, but it's pretty easy to stop it. And in any case, that's all the more reason to be very careful of unfettered external access, including ODBC and EDRS!
Amen. Overall, as you know, bear in mind that a whole bunch of AS/400s were sold over a lot of years into sites with advice something like "You don't have to worry. This box has it covered." (I worked at a large government site that was sold into in that way. Sheesh.) I'd love to know how many sites exist where _no one_ ever does any research. Never knowing that the Midrange lists exist, no Ignite forums, no comp.sys.ibm.as400.* newsgroups,... blissfully unaware of what _should_ be done.

Regular discussions help spread the word.

Running AV on an iSeries has its place for smaller sites (or larger ones that want strong control). An AS/400 won't be the best file server, but it's serviceable in small offices. AV on iSeries can even help make competing file servers unnecessary.
If nothing else, by reducing the need for a Windows file server, the iSeries moves up a notch in competition. Small sites that already were using them as file servers suddenly got a server AV solution, and that _might_ have been enough to keep a small number of Windows servers from popping up where they weren't needed. Small consolation, I know, but I won't begrudge small victories.
The only reason that seems relevant to me for this thread...? Well, you're right that no virus-infected object should ever reach the iSeries. But then, I should've clicked <Reply to sender> rather than <Reply to newsgroup>.
Sometimes a detail slips past. When it slips for someone with high authority... ouch.
Tom Liotta
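The thread's point is that "you can't run files as programs" is no defence once the FTP server itself will run a command for whoever uploaded the file. On IBM i the FTP server accepts an RCMD subcommand that runs a CL command, and the way to stop it is a request-validation exit program registered at the QIBM_QTMF_SERVER_REQ exit point that denies RCMD (and anonymous writes) before the server acts on them. What follows is an added example, not code from this thread or from IBM: a stand-alone Python model of the deny-by-default policy such an exit program should enforce, run over constructed request records so it can be tested offline. The record layout, the profile names (BATCHXFER, ANONYMOUS), the /pub/ directory and the function names are assumptions made for the illustration.

```python
"""Model of an FTP request-validation policy for an IBM i FTP server.

Added example. This is NOT IBM's exit program API; it is a plain-Python
model of the policy a QIBM_QTMF_SERVER_REQ exit program would enforce,
evaluated over constructed request records. Record layout, profile
names and directory names are assumptions for the illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Subcommand groups. RCMD runs a CL command on the server: that is the
# "upload a file, then execute it" path the thread warns about.
EXECUTE = {"RCMD"}
WRITE = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
READ = {"RETR", "LIST", "NLST", "CWD", "PWD", "TYPE", "PASV", "PORT"}

# Assumed site policy: the only profile allowed to run commands over FTP,
# the profiles treated as anonymous, and the one tree anonymous may read.
RCMD_ALLOWED_USERS = frozenset({"BATCHXFER"})
ANONYMOUS_USERS = frozenset({"ANONYMOUS", "FTP"})
ANONYMOUS_ROOT = "/pub/"


@dataclass(frozen=True)
class FtpRequest:
    user: str        # user profile the FTP session runs under
    subcommand: str  # FTP subcommand, e.g. "STOR" or "RCMD"
    argument: str    # path, file name, or the CL command string for RCMD


def evaluate(req: FtpRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    user = req.user.upper()
    sub = req.subcommand.upper()

    # Remote command execution: off for everyone except an explicit allow list,
    # regardless of which command is being asked for.
    if sub in EXECUTE:
        if user in RCMD_ALLOWED_USERS:
            return True, "RCMD permitted for allow-listed profile"
        return False, "RCMD denied: remote command execution is disabled"

    if user in ANONYMOUS_USERS:
        if sub in WRITE:
            return False, "anonymous write denied"
        if sub in READ:
            # Subcommands that carry a path must stay inside the public tree.
            if req.argument and not req.argument.startswith(ANONYMOUS_ROOT):
                return False, f"anonymous access outside {ANONYMOUS_ROOT} denied"
            return True, "anonymous read permitted"
        return False, "unrecognised subcommand denied"

    if sub in WRITE or sub in READ:
        return True, "authenticated user permitted"
    return False, "unrecognised subcommand denied"


def run_session(requests: list[FtpRequest]) -> list[tuple[str, bool, str]]:
    """Evaluate a whole session in order; returns (subcommand, allowed, reason)."""
    return [(r.subcommand.upper(), *evaluate(r)) for r in requests]


if __name__ == "__main__":
    # Constructed session: an anonymous client tries the upload-then-execute
    # sequence; only the read inside /pub/ should get through.
    session = [
        FtpRequest("anonymous", "CWD", "/pub/"),
        FtpRequest("anonymous", "RETR", "/pub/readme.txt"),
        FtpRequest("anonymous", "STOR", "/pub/payload.savf"),
        FtpRequest("anonymous", "RCMD", "CALL PGM(QGPL/PAYLOAD)"),
        FtpRequest("anonymous", "CWD", "/qsys.lib"),
    ]
    for sub, allowed, reason in run_session(session):
        print(f"{sub:5} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The shape to keep from this, whatever language the real exit program is written in, is the order of the checks: the execute path is decided first and denied by default, anonymous users are then confined to reads inside one directory, and every subcommand the policy does not recognise is refused rather than passed through.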
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.