In addition to giving folks their own user directories, the root should be Read/Only to prevent anyone from writing to it.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Tuesday, March 20, 2012 4:10 PM
To: [email protected]
Subject: Re: Prevent FTP from root

On Tue, 20 Mar 2012 13:25:09 -0500, Kirk Wolf wrote:

>I can agree that OMVS segments should usually have their own directory.
>It would be possible to have them share a common directory, but in
>that case you would usually want to make it read only, which would
>prevent some z/OS Unix stuff from working but not, AFAIK, FTP.
>
>But in order to have complete control over FTP access, you may want to
>implement a FTCHKCMD exit. See the z/OS Comm Server documentation for
>details; a sample is provided by IBM.
>
Where's "chroot" when you need it?

>On Tue, Mar 20, 2012 at 1:01 PM, Bruce Wheatley wrote:
>
>> We have numerous external clients and on occasion have found that
>> depending on what product they use for FTP, their file transfer may
>> in some fashion refer to our root directory or potentially the file
>> transfer client being used defaults to a root directory.
>>
"In some fashion" may mean the conventional command, "cd /". The customary way to sequester this is to "chroot" after forking the child.

>> In order to prevent such access we're planning to change each
>> userid's OMVS segment to have a HOME directory of: /u/userid.
>> (Currently we just use ' / '.)
>>
<GASP!/>

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
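The thread above mentions both per-user home directories under /u/userid and a command-check exit for controlling FTP access. As an added example (not code from any poster and not IBM's FTCHKCMD sample or its interface), this C sketch shows the decision such a check has to make for a directory-change request: resolve the argument and allow it only if it stays at or below the user's home. The function names and the /u/client1 paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Lexically resolve arg against cwd into out, collapsing "." and "..".
 * Symlinks are not followed, so this is a pre-check, not a chroot. */
static int resolve(const char *cwd, const char *arg, char *out, size_t n)
{
    char buf[1024];
    size_t len = 0;
    int r = snprintf(buf, sizeof buf, "%s/%s", arg[0] == '/' ? "" : cwd, arg);
    if (n < 2 || r < 0 || r >= (int)sizeof buf)
        return -1;
    out[0] = '\0';
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        size_t s = strlen(seg);
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {       /* drop the last component */
            while (len > 0 && out[--len] != '/') {}
            out[len] = '\0';
            continue;
        }
        if (len + 1 + s >= n)
            return -1;
        out[len++] = '/';
        memcpy(out + len, seg, s + 1);
        len += s;
    }
    if (len == 0) strcpy(out, "/");         /* climbed back to the root */
    return 0;
}

/* 1 if the target is home or below it, else 0 (fails closed).
 * Assumes home is absolute, has no trailing slash, and is not "/". */
int cwd_allowed(const char *home, const char *cwd, const char *arg)
{
    char target[1024];
    size_t h = strlen(home);
    if (resolve(cwd, arg, target, sizeof target) != 0)
        return 0;
    return strncmp(target, home, h) == 0 &&
           (target[h] == '\0' || target[h] == '/');
}

int main(void)
{   /* constructed requests for a hypothetical user homed at /u/client1 */
    printf("cd /       -> %d\n", cwd_allowed("/u/client1", "/u/client1", "/"));
    printf("cd inbound -> %d\n", cwd_allowed("/u/client1", "/u/client1", "inbound"));
    return 0;
}
```

The boundary test on `target[h]` is what keeps a sibling directory such as /u/client10 from passing as a prefix match of /u/client1.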

