You can also define a profile in class APPL. The profile name is the name of the ftp server's started task. Once this profile is defined, a user will need access to it in order to use ftp.
This will not solve the problem of using the ftp client on z/OS to send files to a remote system.

Gadi

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of R.S.
Sent: Wednesday, September 13, 2006 8:57 AM
To: [email protected]
Subject: Re: Access to FTP

Ted MacNEIL wrote:
> We recently found out (or rather our auditors found out) that you
> don't need a TSO segment to use FTP from a PC to z/OS.
>
> I tested with an id that was only defined to one CICS region.
> I could not sign on to TSO with it.
> But, I could access FTP.
>
> Our security and audit people think this is a security exposure.
> Two questions:
> 1. Is it?
> 2. If it is, how do we close it?

FTP access does not require TSO, it requires an OMVS segment. However, there is also a "default OMVS segment for everyone" - see CL(FACILITY) BPX.DEFAULT.USER. Having your own OMVS segment or a defaulted one, you also have access to ftp.

Is access to ftp dangerous? It depends. In fact it is one of the interfaces, similar to IND$FILE in TSO. Is IND$FILE dangerous? IMHO not, because a user can download only those files he's permitted to. It can be UACC(READ) or an access list entry.

If you want to close ftp to those people you can do the following:
1. Close the ftp server on z/OS. No ftp at all.
2. Delete BPX.DEFAULT.USER and use OMVS segments only. IMHO the most reasonable method.
3. Play with some exits to deny ftp only.
4. Use TCP/IP router facilities to block ftp ports to specific networks. Possibly ftp is needed to "internal" machines and a few named external ones, but not to thousands of clerks in the WAN.

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

