[nos-bbs] The UPLOAD command in sysop and user meu
Barry Siegfried
k2mf at k2mf.ampr.org
Tue Apr 3 15:33:57 EDT 2007
["(Skip) K8RRA" <k8rra at ameritech.net> wrote]:
> I believe to have stumbled into something like a bug...
> Both myself and N1OXH are focusing on UPLOAD documentation detail.
>
> This is not the first time for the UPLOAD/DOWNLOAD subject on this
> reflector in the past year.
I recall a discussion about UPLOAD/DOWNLOAD on the mailbox menu.
> The previous go-round worked itself out nicely with a change to
> documentation and help files.
> This time I favor a change to the jnos vocabulary.
>
> The sysop menu contains UPLOAD (but not DOWNLOAD) as an ascii
> transport vehicle.
When you say "sysop menu" are you talking about a human sitting
at the net> prompt on the console, or are you talking about going
to the remote net> prompt from inside a mailbox connection (for
which you *do* normally need "sysop" privileges)?
> Usage is pretty clear as documented, but jnos does not perform as
> documented on my host.
> "UPLOAD FILE" gives error messages in the context of "DOWNLOAD"
> errors.
> "UPLOAD FILE" does not toggle into a mode of accepting ascii data
> and placing it into a file.
If you're talking about a human sitting at the net> prompt on the
console, then UPLOAD means "send ASCII from a file to a session".
I don't understand what you mean mean by "mode of accepting ascii
data".
The RECORD command implements a DOWNLOAD mechanism. If you're
talking about a human sitting at the net> prompt on the console,
then RECORD means "capture ASCII from a session to a file".
> Even if I blew my site configuration, there is a bug here in
> processing UPLOAD command.
>
> At the application design level, there is a data security issue.
There is?
> Since jnos runs with root privileges, it seems pretty easy to mis-use
> UPLOAD and clobber the site.
How so. Can you explain?
> Even careful admins are known to do that (me?).
> If jnos is to manage her own security, I favor a discussion before
> fixing UPLOAD (if it gets fixed).
>
> Actually I favor deprecating the UPLOAD command only in the sysop
> menu (leave the user menu as-is).
Again. What is the "user menu" and what is the "sysop menu"?
> I am in favor of using ftp for data transfer, and fixing permissions
> under ftp (IF NEEDED).
Ok, then you must be talking about a human sitting at the net> prompt
on the console.
> I do see one circumstance where this introduces a hardship.
> I have no way of knowing if the hardship is a problem for existing
> sysops.
If you are talking about going to the remote net> prompt from inside
a mailbox connection (for which you *do* normally need "sysop"
privileges) then it is unlikely that this "hardship" is a problem
since UPLOAD and RECORD work on console sessions.
> I'm not trying to "make work" for Maiko or others. I do believe if
> work is to be done on this issue it is the best use of time to make
> UPLOAD go away as a function for sysops.
Do you mean that UPLOAD (and presumably RECORD) should not be available
to sysops at the remote net> prompt from inside the mailbox? If so,
then that DOES make sense.
> Is there adequate support for this? If so, I will modify the wiki
> to point out the bug and suggest the command not be used.
Now it sounds like you're talking about the mailbox UPLOAD command
again. I'm so confused. :\
73, de Barry, K2MF >>
o
<|> Barry Siegfried
+---------/-\---------------------------+
| Internet | bgs at mfnos.net |
| HomePage | http://www.mfnos.net/~bgs |
+----------+----------------------------+
| Amprnet | k2mf at k2mf.ampr.org |
| PBBS | k2mf at k2ge.#cnj.nj.usa.noam |
+----------+----------------------------+
More information about the nos-bbs
mailing list