Hi Rob,
You could indeed start limiting the CD operation... but sometimes the user needs to be able to move a level deeper, so you would need to write your own exit to check all that (not impossible). Fact is that it only limits CD, but a malicious user could also do a PUT /root/yourworstenightmarelocation (and symobolic links don't solve this neither).
This isn't security by obscurity neither but rather hiding the technical aspects from the functional ones.
Fact is that every single FTP server in the world I know of offers a virtual (which implies that you hide the physical path) root... except IBM i.
Kind regards,
Paul
________________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> on behalf of Rob Berendt <rob@xxxxxxxxx>
Sent: Monday, August 29, 2016 15:30
To: Midrange Systems Technical Discussion
Subject: Re: RFE's improving FTP/NetServer functionality
If I can use Application Administration to secure the "change directory"
from them then I should have no problem "keeping" them there.
Many of the products I mentioned for securing command line access also do
a fine job of securing FTP. IDK if they have the virtual directory.
I would think that you could come up with a virtual directory by using a
symbolic link.
I also question the security set up if you need to rely upon 'security by
obscurity' to keep them out of the directory they are performing ftp
operations against. I was referring to your statement that they have no
business knowing what the ftp directory is.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Paul Nicolay <paul.nicolay@xxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 08/29/2016 08:59 AM
Subject: Re: RFE's improving FTP/NetServer functionality
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
HI,
It's not the "putting", but "keeping" the user in that directory that is
the problem.
It also doesn't hide the physical path from the user... it's not his
business which that is.
KInd regards,
Paul
________________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> on behalf of Aaron
Bartell <aaronbartell@xxxxxxxxx>
Sent: Monday, August 29, 2016 14:51
To: Midrange Systems Technical Discussion
Subject: Re: RFE's improving FTP/NetServer functionality
You can also use SFTP to place a user in a sub directory by modifying the
HOMEDIR option on their profile to have a period in it to the directory
you
would like them to log into. For example: HOMEDIR ('/sftp/./dir1')
On Aug 29, 2016 7:46 AM, "Rob Berendt" <rob@xxxxxxxxx> wrote:
Virtual FTP directory.
Function is available.
http://youribmi:2001
Security, Application Administration.
Host Applications, TCP/IP Utilities for iSeries, File Transfer Protocol,
FTP Server, Specific Operations, Change Directory, Customized Access
Been there like numerous releases.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Paul Nicolay <paul.nicolay@xxxxxxxxxx>
To: "midrange-l@xxxxxxxxxxxx" <midrange-l@xxxxxxxxxxxx>
Date: 08/29/2016 08:24 AM
Subject: RFE's improving FTP/NetServer functionality
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hi,
Please feel free to vote for these RFE's.
- Provide virtual FTP directory?
https://www.ibm.com/developerworks/rfe/execute?
use_case=viewRfe&CR_ID=89436
- Allow authority on IFS share (logical)
https://www.ibm.com/developerworks/rfe/execute?
use_case=viewRfe&CR_ID=89435
Thanks in advance,
Paul
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
midrange.com
