[nos-bbs] The UPLOAD command in sysop and user menu

Barry Siegfried k2mf at k2mf.ampr.org
Tue Apr 3 15:33:57 EDT 2007


["(Skip) K8RRA" <k8rra at ameritech.net> wrote]:

> I believe to have stumbled into something like a bug...
> Both myself and N1OXH are focusing on UPLOAD documentation detail.
>
> This is not the first time for the UPLOAD/DOWNLOAD subject on this
> reflector in the past year.

I recall a discussion about UPLOAD/DOWNLOAD on the mailbox menu.

> The previous go-round worked itself out nicely with a change to
> documentation and help files.
> This time I favor a change to the jnos vocabulary.
>
> The sysop menu contains UPLOAD (but not DOWNLOAD) as an ascii
> transport vehicle.

When you say "sysop menu" are you talking about a human sitting
at the net> prompt on the console, or are you talking about going
to the remote net> prompt from inside a mailbox connection (for
which you *do* normally need "sysop" privileges)?

> Usage is pretty clear as documented, but jnos does not perform as
> documented on my host.
> "UPLOAD FILE" gives error messages in the context of "DOWNLOAD"
> errors.
> "UPLOAD FILE" does not toggle into a mode of accepting ascii data
> and placing it into a file.

If you're talking about a human sitting at the net> prompt on the
console, then UPLOAD means "send ASCII from a file to a session".
I don't understand what you mean by "mode of accepting ascii
data".

The RECORD command implements a DOWNLOAD mechanism.  If you're
talking about a human sitting at the net> prompt on the console,
then RECORD means "capture ASCII from a session to a file".

> Even if I blew my site configuration, there is a bug here in
> processing UPLOAD command.
>
> At the application design level, there is a data security issue.

There is?

> Since jnos runs with root privileges, it seems pretty easy to mis-use
> UPLOAD and clobber the site.

How so.  Can you explain?

> Even careful admins are known to do that (me?).
> If jnos is to manage her own security, I favor a discussion before
> fixing UPLOAD (if it gets fixed).
>
> Actually I favor deprecating the UPLOAD command only in the sysop
> menu (leave the user menu as-is).

Again.  What is the "user menu" and what is the "sysop menu"?

> I am in favor of using ftp for data transfer, and fixing permissions
> under ftp (IF NEEDED).

Ok, then you must be talking about a human sitting at the net> prompt
on the console.

> I do see one circumstance where this introduces a hardship.
> I have no way of knowing if the hardship is a problem for existing
> sysops.

If you are talking about going to the remote net> prompt from inside
a mailbox connection (for which you *do* normally need "sysop"
privileges) then it is unlikely that this "hardship" is a problem
since UPLOAD and RECORD work on console sessions.

> I'm not trying to "make work" for Maiko or others.  I do believe if
> work is to be done on this issue it is the best use of time to make
> UPLOAD go away as a function for sysops.

Do you mean that UPLOAD (and presumably RECORD) should not be available
to sysops at the remote net> prompt from inside the mailbox?  If so,
then that DOES make sense.

> Is there adequate support for this?  If so, I will modify the wiki
> to point out the bug and suggest the command not be used.

Now it sounds like you're talking about the mailbox UPLOAD command
again.  I'm so confused.  :\

73, de Barry, K2MF >>
           o
          <|>      Barry Siegfried
+---------/-\---------------------------+
| Internet | bgs at mfnos.net              |
| HomePage | http://www.mfnos.net/~bgs  |
+----------+----------------------------+
| Amprnet  | k2mf at k2mf.ampr.org         |
| PBBS     | k2mf at k2ge.#cnj.nj.usa.noam |
+----------+----------------------------+



