On Mon, 24 Apr 2017 13:34:09 -0500, John McKown wrote:
>
>NO!
>
>You can NOT do a "!cp ..." to copy the file on the _server_ to a dataset on
>the _server_. That is because the "!..." sftp command runs the given
>command _ON THE CLIENT_ (i.e. your machine). Otherwise, some clever person
>could possibly do untold damage by running some arbitrary command that they
>just ftp'd to the server on the server. The thought makes me shudder.
>
sftp depends on ssh. But ... is it possible to configure ssh so only the sftp
agent, not a shell, is allowed as an ssh agent on the server?
Otherwise, there's the possibility of:
cat malicious.script | ssh z/OS "sh" # to do untold damage.
Or, in fact:
ssh z/OS
put malicious.script .profile
... and wait for untold damage to happen.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
