|
Proves my point. QTMHTTP1 is read only. QTMHHTTP may not be, but user
jobs don't run as QTMHHTTP, they run as QTMHTTP1. If you can use an
Apache exploit to run a job as QTMHHTTP, feel free to let me know.
Until then, I'm pretty comfortable that normal IBM i security protocols
are sufficient.
Joe
"Which is entirely read-only."
Actually, it is not. From the 7.1 InfoCenter:
The QTMHTTP1 user profile is the default user profile that HTTP Server uses
when running CGI programs. This user profile must have read and execute
authority to the location of any CGI program. User QTMHHTTP requires *RWX
(write) authority to directory '*/tmp*'.
You can optionally specify that the QTMHHTTP or QTMHHTP1 user profile swap
to another user profile as long as that user profile has the required
authorities.
- *RX authority for root directory ("/ ") and directory "/www", including
all subdirectories in the path
- *RWX authority for directory "/www/server_name/"
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.