[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Exit points
Hi Dennis,
Quite honestly, I don't see "securing" a client program to be a means of
providing security. That goes double for one that's open source, where
the user can go in and change the way it calls the exit point!
1) What's to stop the user from downloading/installing another FTP
client program? (None of the ones in PASE understand exit points!)
2) On your Windows or Linux box (where FTP software is easy to come by)
would you rely on an exit point if such a thing existed? When the user
can easily download and install another program? Wouldn't you think the
whole idea of an exit point is kinda silly?
3) Unlike the IBM client, FTPAPI is designed for use only from a
computer program. i.e., a user will never use it directly, and it's
operation will always be automated by a programmer's RPG program. Given
that, isn't the security supposed to be provided by the program that
calls FTPAPI? Rather than FTPAPI itself?
4) If you add exit point support to FTPAPI, what's to stop a programmer
from writing their own FTP client and bypassing the exit points that way?
I guess, to me, there's a pretty big difference between a tool designed
for the user to use, and a tool designed only as an API to be called
from programs.
Having said all of that... if you really want to integrate it with the
IBM exit point system, feel free to write the code and contribute it
back to the project.
On 9/29/2010 6:56 PM, Dennis Lovelady wrote:
>
> Hi, folks, this is my first post here.
>
>
> As a preface, I have searched the archives for "exit program" and for QIBM_QTMF
> _CLIENT_REQ and for PowerLock with not much result.
>
> There was a question from someone in 2004 asking why settings in PowerLock have
> no apparent effect on FTPAPI. Apparently the poster didn't know how PowerLock
> works (or how it doesn't, in this case). Answer: PowerLock control is install
> ed at the QIBM_QTMF_CLIENT_REQ exit point.
>
> Until I started working with FTPAPI very recently, I had assumed that IBM someh
> ow tied that exit point to the FTP ports. (Naive, now I think about it.) Appar
> ently instead, the FTP client program itself makes the necessary hooks.
>
> I mentioned on another list that our auditors wouldn't allow this program on on
> e of the main systems I work with since it seems to lack the kind of control th
> at they want (for example, some users can GET, some can PUT or GET, and some ca
> n only do DIR operations). (This is all managed by PowerLock controls at this
> point.)
>
> So my question is, Have any on this list made an attempt to fit the IBM exit po
> ints with FTPAPI? (I have no clue how that would be done, nor if it even *can*
> be done in a supported manner.) I'd love to use this decidedly better solution
> but am stymied except on my development machines.
>
> I appreciate your responses.
>
>
> Dennis E. Lovelady
> AIM/Skype: delovelady MSN: fastcounter@xxxxxxxxxxxx
> [1]www.linkedin.com/in/dennislovelady --
> "Since I moved to suburbia I found out the purpose of those railroad
> timetables. Without them there would be no way of knowing how late
> your train is."
> -- Gregory Nunn
>
> References
>
> 1. http://www.linkedin.com/in/dennislovelady
>
>
>
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------