Return-Path: <news@watsun.cc.columbia.edu>
Received: from newsmaster.cc.columbia.edu (newsmaster.cc.columbia.edu [128.59.59.30])
by watsun.cc.columbia.edu (8.8.5/8.8.5) with ESMTP id JAA12749
for <kermit.misc@watsun.cc.columbia.edu>; Wed, 24 Mar 1999 09:16:35 -0500 (EST)
Received: (from news@localhost)
by newsmaster.cc.columbia.edu (8.8.5/8.8.5) id IAA15795
for kermit.misc@watsun.cc.columbia.edu; Wed, 24 Mar 1999 08:47:37 -0500 (EST)
X-Authentication-Warning: newsmaster.cc.columbia.edu: news set sender to <news> using -f
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Subject: Re: Kermit and protection.
Date: 24 Mar 1999 13:47:34 GMT
Organization: Columbia University
Message-ID: <7daqdm$fdg$1@newsmaster.cc.columbia.edu>
To: kermit.misc@watsun.cc.columbia.edu
In article <01be75e4$f1ea9af0$456f6f0a@pp-016>,
Eric Tonissen <eric@pharmapartners.nl> wrote:
: I have a question ??
:
: Is it possible to control the files or directories the user may access?
: These users all log in with the same name, but depending on the tty port
: they are different.
User access to the file system is controlled by userid and groupid.
If all of your users have the same userid then you are ignoring the
most secure mechanism available to you for restricting access.
: Now the procedure is:
: Unix user >
: login :
: > kermit
:
: On Pc-side >
: Start a Kermit program (such as Mirror).
: Enter the name of the file on the Unix side to transfer.
: Transfer.
:
: The problem is that the name of the Unix file can be an absolute filename.
: So they are able to transfer files, which they are not allowed to.
: I tried to use the restricted Shell, but this did not restrict kermit.
This is documented in the manual.
To restrict users from accessing system commands from within Kermit
you should either recompile Kermit with the NOPUSH #define; issue the
"nopush" command in the .kermrc file; or define the CK_NOPUSH
environment variable before starting Kermit.
Instead of giving the end user command line access in Kermit, insist
that they use a Kermit Server with DISABLE CD active. Then absolute
paths will be refused.
Of course, in order to use a Kermit Server, your client software
will have to provide a mechanism to issue a FINISH command to send
to the Server. Kermit software from the Kermit Project has this
capability. I have never heard of "Mirror".
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * kermit-support@kermit-project.org
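
The setup described in the reply above, as an added example that is not part of the original message and not Kermit Project code: a login wrapper that picks a transfer directory from the tty port, sets CK_NOPUSH, and starts a Kermit server with NOPUSH and DISABLE CD. The /srv/kermit layout, the function names, and the use of `kermit -y` with a generated command file are assumptions.

```shell
#!/bin/sh
# Added example: start a locked-down Kermit server for a shared login.
# Assumptions (not from the message): per-port directories under
# /srv/kermit, these function names, and a command file passed with -y.

KERMIT_BASE=${KERMIT_BASE:-/srv/kermit}   # hypothetical per-port root

# Map a tty device path to a per-port directory under KERMIT_BASE.
# Anything that is not a plain /dev/<name> is rejected, so "..", spaces
# and the "not a tty" output of tty(1) never reach cd.
port_dir() {
    case "$1" in
        /dev/*) name=${1#/dev/} ;;
        *) return 1 ;;
    esac
    case "$name" in
        ""|*[!A-Za-z0-9/_-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$KERMIT_BASE" "$(printf '%s' "$name" | tr '/' '_')"
}

# Write the Kermit commands named in the message to file $1.
# The trailing "exit" runs once the client sends FINISH, so the user is
# never left at the interactive Kermit prompt.
write_kermit_cmds() {
    cat > "$1" <<'EOF'
nopush
disable cd
server
exit
EOF
}

# Entry point: call this as the last step of the shared account's login.
start_restricted_server() {
    dir=$(port_dir "$(tty)") || { echo "unknown port" >&2; return 1; }
    cd "$dir" || return 1
    CK_NOPUSH=1; export CK_NOPUSH      # environment form of NOPUSH
    cmds=$(mktemp) || return 1
    write_kermit_cmds "$cmds"
    kermit -y "$cmds"                  # -y: use this file, not ~/.kermrc
    rc=$?
    rm -f "$cmds"
    return $rc
}
```

This does not replace the point made in the reply about userid and groupid: file permissions on the per-port directories still decide what the shared account can read.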