Rob,
If it could be done by exit programs... believe me it was already long done ;-)
And yes, basic functionality in Windows for ages and any other OS (see
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/53e0e247-be2b-4b0d-8dee-04f71ad6c14a.mspx?mfr=true for example).
I know that there are external tools which provide this functionality if they've rewritten the entire FTP server from scratch as exit programs won't help you (solves only part of the problem), but telling a customer that their beloved secure system doesn't have it is what I was trying to avoid in the furure by this RFE.
Kind regards,
Paul
________________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> on behalf of Rob Berendt <rob@xxxxxxxxx>
Sent: Monday, August 29, 2016 16:10
To: Midrange Systems Technical Discussion
Subject: Re: RFE's improving FTP/NetServer functionality
The IBM supplied Application Administration doesn't allow the level of
granularity to allow a put but restrict it to a particular directory.
Does the FTP server that comes with Windows do this?
Does the FTP server that comes with many other OS's do this?
Or, are you also talking about third party packages for those also?
Because there are third party packages for IBM i for ftp also.
Some are built around the IBM ftp exit points (one, when showing us their
wares and I showed them what we were doing already pulled me aside and
asked me if I was ever looking for a job elsewhere to look them up).
Some write their own server.
Doing it internally got to be a pain. It also makes it easier to cover
yourself against losing "that one critical employee" (even if that was
me).
We now do it using GoAnywhere by Linoma.
http://www.linomasoftware.com/products/goanywhere
However, one wonders if this will affect their licensing, etc, and how it
will fare against Powertech. Just thinking about Message Labs vs Halcyon
when they were combined under Help Systems.
6/03/2016 HelpSystems Acquires Linoma Software to Meet Rising
Security Demand
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Paul Nicolay <paul.nicolay@xxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 08/29/2016 09:52 AM
Subject: Re: RFE's improving FTP/NetServer functionality
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hi Rob,
You could indeed start limiting the CD operation... but sometimes the user
needs to be able to move a level deeper, so you would need to write your
own exit to check all that (not impossible). Fact is that it only limits
CD, but a malicious user could also do a PUT
/root/yourworstenightmarelocation (and symobolic links don't solve this
neither).
This isn't security by obscurity neither but rather hiding the technical
aspects from the functional ones.
Fact is that every single FTP server in the world I know of offers a
virtual (which implies that you hide the physical path) root... except IBM
i.
Kind regards,
Paul
________________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> on behalf of Rob
Berendt <rob@xxxxxxxxx>
Sent: Monday, August 29, 2016 15:30
To: Midrange Systems Technical Discussion
Subject: Re: RFE's improving FTP/NetServer functionality
If I can use Application Administration to secure the "change directory"
from them then I should have no problem "keeping" them there.
Many of the products I mentioned for securing command line access also do
a fine job of securing FTP. IDK if they have the virtual directory.
I would think that you could come up with a virtual directory by using a
symbolic link.
I also question the security set up if you need to rely upon 'security by
obscurity' to keep them out of the directory they are performing ftp
operations against. I was referring to your statement that they have no
business knowing what the ftp directory is.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Paul Nicolay <paul.nicolay@xxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 08/29/2016 08:59 AM
Subject: Re: RFE's improving FTP/NetServer functionality
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
HI,
It's not the "putting", but "keeping" the user in that directory that is
the problem.
It also doesn't hide the physical path from the user... it's not his
business which that is.
KInd regards,
Paul
________________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxx> on behalf of Aaron
Bartell <aaronbartell@xxxxxxxxx>
Sent: Monday, August 29, 2016 14:51
To: Midrange Systems Technical Discussion
Subject: Re: RFE's improving FTP/NetServer functionality
You can also use SFTP to place a user in a sub directory by modifying the
HOMEDIR option on their profile to have a period in it to the directory
you
would like them to log into. For example: HOMEDIR ('/sftp/./dir1')
On Aug 29, 2016 7:46 AM, "Rob Berendt" <rob@xxxxxxxxx> wrote:
Virtual FTP directory.
Function is available.
http://youribmi:2001
Security, Application Administration.
Host Applications, TCP/IP Utilities for iSeries, File Transfer Protocol,
FTP Server, Specific Operations, Change Directory, Customized Access
Been there like numerous releases.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
From: Paul Nicolay <paul.nicolay@xxxxxxxxxx>
To: "midrange-l@xxxxxxxxxxxx" <midrange-l@xxxxxxxxxxxx>
Date: 08/29/2016 08:24 AM
Subject: RFE's improving FTP/NetServer functionality
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hi,
Please feel free to vote for these RFE's.
- Provide virtual FTP directory?
https://www.ibm.com/developerworks/rfe/execute?
use_case=viewRfe&CR_ID=89436
- Allow authority on IFS share (logical)
https://www.ibm.com/developerworks/rfe/execute?
use_case=viewRfe&CR_ID=89435
Thanks in advance,
Paul
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related
questions.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
midrange.com
