[nos-bbs] The UPLOAD command in sysop and user menu

(Skip) K8RRA k8rra at ameritech.net
Tue Apr 3 10:51:26 EDT 2007


I believe I have stumbled into something like a bug...
Both myself and N1OXH are focusing on UPLOAD documentation detail.

This is not the first time for the UPLOAD/DOWNLOAD subject on this
reflector in the past year.
The previous go-round worked itself out nicely with a change to
documentation and help files.
This time I favor a change to the jnos vocabulary.

The sysop menu contains UPLOAD (but not DOWNLOAD) as an ascii transport
vehicle.
Usage is pretty clear as documented, but jnos does not perform as
documented on my host.
"UPLOAD FILE" gives error messages in the context of "DOWNLOAD" errors.
"UPLOAD FILE" does not toggle into a mode of accepting ascii data and
placing it into a file.
Even if I blew my site configuration, there is a bug here in processing
the UPLOAD command.

At the application design level, there is a data security issue.
Since jnos runs with root privileges, it seems pretty easy to misuse
UPLOAD and clobber the site.
Even careful admins are known to do that (me?).
If jnos is to manage her own security, I favor a discussion before
fixing UPLOAD (if it gets fixed).

Actually I favor deprecating the UPLOAD command only in the sysop menu
(leave the user menu as-is).
I am in favor of using ftp for data transfer, and fixing permissions
under ftp (IF NEEDED).
I do see one circumstance where this introduces a hardship.
I have no way of knowing if the hardship is a problem for existing
sysops.

I'm not trying to "make work" for Maiko or others.  I do believe if work
is to be done on this issue it is the best use of time to make UPLOAD go
away as a function for sysops.  Is there adequate support for this?  If
so, I will modify the wiki to point out the bug and suggest the command
not be used.

73
de [George (Skip) VerDuin] K8RRA k