Re: Matt's Scripts

2001-03-14 Thread Philip Newton

Robin Szemeti wrote:
> of course if you _did_ want to discover a user's password it's
> not that hard .. there are ways ... I believe we have some
> world renowned experts on the topic at hand ... now where is 
> 'merlin' when you need him :) 

ITYM 'merlyn' (or 'q[merlyn]').

HTH. HAND.

Cheers,
Philip
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.



Re: Matt's Scripts

2001-03-14 Thread David H. Adler

On Wed, Mar 14, 2001 at 03:16:17PM +0000, David Cantrell wrote:
> On Wed, Mar 14, 2001 at 12:46:45PM +0000, Jon Eyre wrote:
>  
> > oops...
> 
> Heh.  Just remember, Evil Dave is the paranoid nutcase, Dave Cross is the
> one with the gold-plated cat.

I wonder what that leaves me with.

On the other hand, I probably don't want to know...

dha

-- 
David H. Adler - <[EMAIL PROTECTED]> - http://www.panix.com/~dha/
"Perl Porters, Inc. today announced the release of version .006 of
their popular Perl5 compiler suite, codenamed `Rabid Rat'."
- Nathan Torkington on p5p (this was a *joke*)



RE: Mailing list details

2001-03-14 Thread Clarke, Darren

>> I was looking for the mailing list subscription details on our 
>> london.pm.org website, and thought they were a bit hidden down on 
>> the "what we've done" page. I think they should probably be more 
>> prominent, probably on the home page. Or are we trying to maintain 
>> our exclusivity :-)


Dave replied:


>Exclusivity! Take a good look round next time you're at a meeting and 
>tell me how exclusive you think we are :)


>But, yes, I have _lots_ of ideas for a revamp of the web site. I might
>even have time to do it some time this year.


Let's face it - if _I_ can go to a meeting (and be received politely) it's not exclusive!


I could help out on the website side of things if you're _that_ busy though!


Regards,


Darren Clarke ([EMAIL PROTECTED])
Waterstones Online





Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 06:19:54PM +0000, Michael Stevens wrote:
> On Wed, Mar 14, 2001 at 06:18:09PM +0000, Simon Cozens wrote:
> > On Wed, Mar 14, 2001 at 06:02:04PM +0000, Leon Brocard wrote:
> > >  a picture of him drinking a beer from the London.pm website. 
> > Misparse! Misparse! Misparse!
> 
> Content-type: matter-transport/beer-stream

For the unenlightened, please consult the standards document:

http://www.cis.ohio-state.edu/htbin/rfc/rfc1437.html

Note that the example given has unfortunately been replicated too many
times already.

-Dom



Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Roger Burton West

On Wed, Mar 14, 2001 at 09:39:12PM +0000, Greg McCarroll wrote:
>* David Cantrell ([EMAIL PROTECTED]) wrote:
>> On Wed, Mar 14, 2001 at 06:19:54PM +0000, Michael Stevens wrote:
>> > Content-type: matter-transport/beer-stream
>> Isn't that what happens in the bogs of Penderels Oak?
>Is it just me who has noticed the similarities between
>the bogs of Penderels Oak and the TARDIS?

Yes. Definitely. Just you. None of the rest of us has noticed anything
odd at all.

(phew)

Roger



Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Greg McCarroll

* David Cantrell ([EMAIL PROTECTED]) wrote:
> On Wed, Mar 14, 2001 at 06:19:54PM +0000, Michael Stevens wrote:
> 
> > Content-type: matter-transport/beer-stream
> 
> Isn't that what happens in the bogs of Penderels Oak?
> 

Is it just me who has noticed the similarities between
the bogs of Penderels Oak and the TARDIS?

Greg

-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Re[2]: Matt's Scripts

2001-03-14 Thread Greg McCarroll

* Mike Jarvis ([EMAIL PROTECTED]) wrote:
> 
> And don't even get her started on child proof caps.
> 

yeah, tell me about it - those things are impossible to get open!



-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 06:44:55PM +0000, Robin Szemeti wrote:

> I don't have a problem with scp .. but  I can see it would annoy the drag
> and drop brigade ... it works for me and I script those batch transfers
> and site updates anyway .. I keep meaning to look at rsync over an ssh
> tunnel but never seem to find the time.

It is indeed lovely.  Although you don't need to do tunnelling magic:
  rsync -options -e ssh source-list me@myserver:/destination

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature


Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 06:28:03PM +0000, Robin Szemeti wrote:
> On Wed, 14 Mar 2001, you wrote:
> 
> > That's a matter of setting policy.  If there's no policy in place to
> > prevent that, then you can expect people to do it.  If you have a security
> > policy which states that you will fire people for such gross breaches -
> > and more importantly, you *enforce* it - then it won't happen more than
> > once or twice.
> 
> ahh .. 'enforce' .. let's be clear here .. when you say 'fire' someone are
> we talking about simple termination of employment, something involving a
> large cannon or something involving a stake, some rope and a quantity of
> firewood? .. i believe 1) is popular in the corporate world but BOFHs
> realise that no 3) is more likely to win respect of the front line troops.

All three.  One for the legal and bean-counter folks (got to stop their
pension contribs and salary you know - that frees up the budget for
getting another underling^Wassistant); Two to tenderise them before
cooking them with number three.  To *really* make an example of them, you
feed the results to the ex-cow-orkers.

> > Anyway, how on earth can the helldesk grunts get at passwords?  Not even
> > the sysadmin should be able to tell you a user's password. They should
> > *never* be stored in plain-text.  If they are, fire the sysadmin.
> 
> never a truer word ...  of course if you _did_ want to discover a user's
> password it's not that hard .. there are ways ... I believe we have some
> world renowned experts on the topic at hand ... now where is 'merlin' when
> you need him :) 

If crack works in reasonable time, then you should fire the sysadmin.  It
is essential nowadays to use something like MD5 shadow passwords and not
just plain ol' crypt.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature
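The check David describes, as an added Perl example that is not code from this thread or from any of its posters: it parses shadow-format lines and reports the hashing scheme behind each account, flagging traditional DES crypt hashes (the ones a cracker finishes quickly) and accounts with no password at all. The sample lines are constructed for the demo and their hash fields are placeholders of the right shape, not real hashes; the MD5-crypt entry is additionally marked as legacy by today's standard, since current distributions default to SHA-512 crypt or yescrypt.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed /etc/shadow-style lines for the demo (not real accounts). The hash
# fields are placeholders of the right shape and length, not real password hashes.
my @shadow_lines = (
    'alice:$1$saltsalt$' . ('x' x 22) . ':11395:0:99999:7:::',    # MD5 crypt
    'bob:$6$saltsalt$' . ('x' x 86) . ':11395:0:99999:7:::',      # SHA-512 crypt
    'carol:abXyZ12./ABCD:11395:0:99999:7:::',                      # 13-char DES crypt
    'daemon:*:11395:0:99999:7:::',                                 # password login disabled
    'eve::11395:0:99999:7:::',                                     # empty field: no password
    'frank:!$1$saltsalt$' . ('x' x 22) . ':11395:0:99999:7:::',   # locked MD5 account
);

# Identify the hashing scheme from the prefix of the second shadow field.
sub classify_hash {
    my ($hash) = @_;
    return 'no-password'  if !defined $hash || $hash eq '';
    return 'locked'       if $hash =~ /^[!*]/;        # "!" or "*" disables password login
    return 'md5-crypt'    if $hash =~ /^\$1\$/;
    return 'sha256-crypt' if $hash =~ /^\$5\$/;
    return 'sha512-crypt' if $hash =~ /^\$6\$/;
    return 'bcrypt'       if $hash =~ /^\$2[abxy]\$/;
    return 'yescrypt'     if $hash =~ /^\$y\$/;
    # Traditional crypt(3): 13 characters from the [./0-9A-Za-z] alphabet, 56-bit DES
    # keyed from only the first 8 characters of the password.
    return 'des-crypt'    if $hash =~ m/^[.\/0-9A-Za-z]{13}\z/;
    return 'unknown';
}

my %severity = (
    'no-password' => 'CRITICAL',   # anyone can log in
    'des-crypt'   => 'WEAK',       # brute force finishes in reasonable time
    'md5-crypt'   => 'LEGACY',     # fine in 2001, superseded by SHA-512 crypt / yescrypt
    'unknown'     => 'CHECK',
);

# Return { user => [scheme, severity] } for every non-blank line given.
sub audit_shadow {
    my @lines = @_;
    my %report;
    for my $line (@lines) {
        next if $line =~ /^\s*$/;
        # limit -1 keeps trailing empty fields, so an empty hash field survives
        my ($user, $hash) = (split /:/, $line, -1)[0, 1];
        my $scheme = classify_hash($hash);
        $report{$user} = [ $scheme, $severity{$scheme} || 'ok' ];
    }
    return \%report;
}

my $report = audit_shadow(@shadow_lines);
for my $user (sort keys %$report) {
    my ($scheme, $severity) = @{ $report->{$user} };
    printf "%-8s %-13s %s\n", $user, $scheme, $severity;
}
```

To run it against a real file, read the lines with `chomp(my @lines = <$fh>)` and pass them to `audit_shadow`; reading /etc/shadow needs root.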


Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 06:19:54PM +0000, Michael Stevens wrote:

> Content-type: matter-transport/beer-stream

Isn't that what happens in the bogs of Penderels Oak?

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature


Re[2]: Matt's Scripts

2001-03-14 Thread Mike Jarvis

Wednesday, March 14, 2001, 1:55:03 PM, Robin wrote:

RS> there is a rather good ISP on Hawaii that plainly states 'the service is
RS> not suitable for clueless users' .. ring em up and ask too many docile
RS> questions and they pull your account ..

My gfriend in pharmacy school plans on having a similar policy.

If you're too clueless to know the difference between various
prescription drugs, their proper dosages and interactions, well,
you're just too stupid to live.  She'll be doing the world a great
service by helping eliminate all those losers who couldn't make it
through eight years of uni.

And don't even get her started on child proof caps.

-- 
mike





Re: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:
> On Wed, Mar 14, 2001 at 04:10:02PM +0000, David Cantrell wrote:
> > WebDAV is not OK, cos it means installing yet more stuff on the server
> > which is simply not needed.  If a user can't use scp, then I don't want
> > that user.  I mean, it's not hard FFS.
> 
> Admittedly rather unscientific research has shown you're actually wrong -
> lots of users find it very hard.

nope .. you are answering a different question .. .

NO, it's not hard FFS.

but YES, lots of users find it very hard

this is not because it is actually hard, but because most users are
painfully clueless, and he doesn't want em .. or indeed need em. the
world is full of users (lusers ?) and you just can do without the
painfully clueless ones .. there are many out there to choose from. Worse
still the painfully clueless ones are the ones who will require the most
idiotic handholding and  AND want to pay the least for the service ...

there is a rather good ISP on Hawaii that plainly states 'the service is
not suitable for clueless users' .. ring em up and ask too many docile
questions and they pull your account .. 

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



RE: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:

> Scp is not hard. Users should be able to use scp. However, the real point is
> that scp sucks. scp is to a sensible way of transferring files what
> command.com is to a good shell. scp is stateless. 

> scp makes you enter your
> password, again, all the time. 

err ... not if you use ssh-agent it doesn't

which is lightyears ahead of putting plain text FTP password in your
.netrc file innit

> scp doesn't let you browse the remote machine

no .. but surely that's what ssh is for ?

> (hell, even ftp manages that). scp doesn't do ASCII conversion between
> differing architectures. 


> scp doesn't even let you upload two files from
> different directories in a single operation, where operation is defined in
> human rather than computer terms.

yes it does .. you can put multiple files in the source list using
absolute paths 

> sftp is obviously better in every respect than scp, and the only reason for
> inflicting scp on a user is to convince them to spend the cash on f-secure's
> sftp client for win|mac|whatever.

I don't have a problem with scp .. but  I can see it would annoy the drag
and drop brigade ... it works for me and I script those batch transfers
and site updates anyway .. I keep meaning to look at rsync over an ssh
tunnel but never seem to find the time.

> However, a million times better than any of these is to use SMB (just not
> with plain text pwords). And if the client really needs to constantly upload
> and download files in an encrypted state, setting up a VPN is the way to go,
> and then they can use whatever they want, presumably SMB or NFS if the pipe
> is at all reliable.

ugh .. SMB .. shiver ...

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



Re: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:
> > Yes there is.  http://www.i-tree.org/ixplorer.htm. 
> 
> I've since installed WinSCP, from the list of alternatives on OpenSSH. This
> is also based on PuTTY and isn't so, well, dodgy as iXplorer.  Forget I
> ever mentioned it.

Tera Term and TTSSH are what I have on the laptop for those 'emergency'
moments.

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



Re: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:

> enough people find moving/copying files on windows complex... when
> you start introducing a second computer...

hmmm I wouldn't place such creatures as far up the food chain as 'people'
.. but I know what you mean.

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



Re: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:

> > And they just give 'em out. No checks, no confirming with the
> > customers, nothing. There's little hope of 
> > securing stuff if people can be socially 
> > engineered so easily.
> 
> That's a matter of setting policy.  If there's no policy in place to
> prevent that, then you can expect people to do it.  If you have a security
> policy which states that you will fire people for such gross breaches -
> and more importantly, you *enforce* it - then it won't happen more than
> once or twice.

ahh .. 'enforce' .. let's be clear here .. when you say 'fire' someone are
we talking about simple termination of employment, something involving a
large cannon or something involving a stake, some rope and a quantity of
firewood? .. i believe 1) is popular in the corporate world but BOFHs
realise that no 3) is more likely to win respect of the front line troops.

> Anyway, how on earth can the helldesk grunts get at passwords?  Not even
> the sysadmin should be able to tell you a user's password. They should
> *never* be stored in plain-text.  If they are, fire the sysadmin.

never a truer word ...  of course if you _did_ want to discover a user's
password it's not that hard .. there are ways ... I believe we have some
world renowned experts on the topic at hand ... now where is 'merlin' when
you need him :) 

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Mark Fowler

> Content-type: matter-transport/beer-stream

That's not right.  MIMEs do type/format (e.g. image/gif.)  So it'd more
likely be:

Content-type: beer/guinness

Later.

Mark.

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )



Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Mark Fowler

> Leo Lapworth was trying to debug something with Devel::DProf and
> couldn't understand why BEGIN was called more than once. Robert Price
> and Mark Fowler pointed out that 'use Module LIST' is exactly
> equivalent to 'BEGIN { require Module; import Module LIST; }', so the
> module was being use-d in multiple places, which is fine:
> http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02667.html

Did I?  It's not you know.  You forgot this bit of the perldoc -f use as
well:

   If you don't want your namespace altered,
   explicitly supply an empty list:

   use Module ();

   That is exactly equivalent to

   BEGIN { require Module }

i.e. that use Module and use Module() are ne.

Later.

Mark.

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )



Re: London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Simon Cozens

On Wed, Mar 14, 2001 at 06:02:04PM +0000, Leon Brocard wrote:
>  a picture of him drinking a beer from the London.pm website. 

Misparse! Misparse! Misparse!

-- 
We use Linux for all our mission-critical applications. Having the source code
means that we are not held hostage by anyone's support department.
(Russell Nelson, President of Crynwr Software)



London.pm List Weekly Summary 2001-03-12

2001-03-14 Thread Leon Brocard

This is the eighth of hopefully many weekly summaries of the London
Perl Mongers mailing list. For the somewhat hectic week (we hit more
than a hundred messages a day again) starting 2001-03-12:

Don't forget the London.pm website for meetings etc. There isn't a
technical meeting on Thursday due to too much recent Perl
mongering. The next meeting is on Thursday 5th April, and it looks
like Marcel Grunauer might attend:
http://london.pm.org/

Leo Lapworth was trying to debug something with Devel::DProf and
couldn't understand why BEGIN was called more than once. Robert Price
and Mark Fowler pointed out that 'use Module LIST' is exactly
equivalent to 'BEGIN { require Module; import Module LIST; }', so the
module was being use-d in multiple places, which is fine:
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02667.html

Jonathan Peterson asked about simple RPC modules. Suggestions
included: XML-RPC (Frontier::Client), SOAP::Lite, PlRPC, and even
CORBA::ORBit:

DJ Adams posted another interesting article on Jabber, using a picture
of him drinking a beer from the London.pm website. The thread then got
silly: Dave Cross added the line "The use of the beer glass image in
association with the Perl language is a trademark of the London Perl
Mongers" to the bottom of the website, and David Adler argued the
NY.pm should have had the honour. Marty Pauley, an impartial observer,
disagreed (pizza for NY.pm instead). Some talk of actually
trademarking this was made:
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02689.html
http://www.openp2p.com/pub/a/p2p/2001/03/09/adams_1.html
http://www.jabber.org/
http://london.pm.org/dj.jpg

Dean Wilson foolishly asked about bad Perl scripts. Cue huge thread to
rewrite Matt Wright's Script Archive (a collection of notoriously
bug/security-ridden scripts), including a recommendation by Randal to
buy Matt Wright's book, bugs on the book's website, why projects to
rewrite Matt's scripts always fail, Dave Cross organising said
project, security issues, having to not use too-cool modules,
idiot-installability, "Have you ever tried herding cats?"... "Food and
lots of stroking", why sendmail isn't a standard, Selena Sol having
the same name as Darren Clarke's dad, inverse sponsoring Matt Wright,
giggling, "it's just a simple matter of programming", and maybe some
work on said project:
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02692.html
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02810.html
http://www.worldwidemart.com/scripts/
http://www.mattwright.com/

Simon Wistow asked about autoconf, and Dean Wilson supplied a URL to
the oh-so-useful Goat Book:
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02726.html
http://sources.redhat.com/autobook/

David Cantrell spilled an IRC discussion about version control into
the list, asking for better version control alternatives to CVS and
RCS. Commercial: Perforce, ClearCase, free: Aegis (used at BlackStar),
CVS ;-):
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02732.html
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02737.html
http://www.perforce.com/
http://www.rational.com/products/clearcase/index.jsp
http://www.pcug.org.au/~millerp/aegis/aegis.html
http://www.cvshome.org/

Dave Cross pointed out that Damian Conway had written up the London.pm
meeting. We 0wn3d him:
http://www.mail-archive.com/london-pm%40lists.dircon.co.uk/msg02748.html
http://www.yetanother.org/damian/diary_February_2001.html#day_31

And finally, Andrew Bowman kidded around with Greg McCarroll in a mail
that I couldn't find in the archive so here it is for your amusement:

  From: Andrew Bowman <[EMAIL PROTECTED]>
  Subject: RE: heretics meeting

  > From: Greg McCarroll [SMTP:[EMAIL PROTECTED]]
  > i should be there from 4:30~5 ish, enjoying a relaxing
  > pint and explaining why i have a limp

  A limp what?

  Your message seems to have been truncated Greg ;-)

  Andrew.

Phew! Leon
-- 
Leon Brocard        http://www.astray.com/
yapc::Europe        http://yapc.org/Europe/

... It is morally wrong to allow naive computer users to keep their money
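The two equivalences from perldoc -f use that the summary above and Mark Fowler's correction of it both turn on, as an added example that is not code from either post: a throwaway package Demo::Counter (made up for this script, defined inline and registered in %INC so nothing needs installing) counts calls to its import method, which shows that every `use Module LIST` runs import at compile time, while `use Module ()` only loads the module and leaves the caller's namespace alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Demo::Counter is a made-up package defined inline so the script runs stand-alone.
# Marking it in %INC makes `require Demo::Counter` (and therefore `use`) treat it
# as already loaded instead of searching @INC for Demo/Counter.pm.
BEGIN {
    package Demo::Counter;
    our $import_calls = 0;   # how many times import() has run
    our @last_args;          # the LIST passed to the most recent import()
    sub import {
        my ($class, @args) = @_;
        $import_calls++;
        @last_args = @args;
    }
    $INC{'Demo/Counter.pm'} = __FILE__;
}

# Each of these is BEGIN { require Demo::Counter; Demo::Counter->import(LIST) }.
# require loads the module only once, but import() runs once per `use` statement,
# so a module use-d in several places has its import() run in each of them.
use Demo::Counter qw(alpha);
use Demo::Counter qw(beta gamma);

# This one is only BEGIN { require Demo::Counter }: the explicit empty list
# suppresses the import() call, so the counter and the saved list do not change.
use Demo::Counter ();

sub import_call_count { return $Demo::Counter::import_calls }
sub last_import_args  { return @Demo::Counter::last_args }

printf "import() called %d time(s); last import list: %s\n",
    import_call_count(), join ' ', last_import_args();
```

Swapping the order of the three `use` lines does not change the count, because all of them run during compilation, before any of the top-level code.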



Re: Matt's Scripts

2001-03-14 Thread Mike Jarvis

Wednesday, March 14, 2001, 11:34:16 AM, grep wrote:

GM> * Dave Cross ([EMAIL PROTECTED]) wrote:

>> An admirable point of view in my opinion. Why would anyone possibly
>> want to run an ISP and have to deal with all the clueless people?

GM> Mike J, you used to work for AOL, you should be more than qualified
GM> to answer this one ;-)

There are far more clueless people in the universe than clueful.  As
long as their money is green, or has pictures of the queen, their cc
numbers pass mod 10,  or other appropriate symbols, they're good customers.

Also, back in the day, they didn't stay online as long as clueful
people do.  In fact, at one point 1/3rd of all AOL users logged on
once a month or less, but still paid the $10/month.  Those were the
best customers.  This is not as likely to happen these days though.

Some people even *become* clueful.  Believe it or not.

-- 
mike





Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 03:50:14PM +0000, Struan Donald wrote:
> * at 14/03 15:22 +0000 Michael Stevens said:
> > On Wed, Mar 14, 2001 at 04:10:02PM +0000, David Cantrell wrote:
> > > WebDAV is not OK, cos it means installing yet more stuff on the server
> > > which is simply not needed.  If a user can't use scp, then I don't want
> > > that user.  I mean, it's not hard FFS.
> > 
> > Admittedly rather unscientific research has shown you're actually wrong -
> > lots of users find it very hard.
> 
> enough people find moving/copying files on windows complex...

I said "it's not hard", not "no-one finds it hard".  Stupid people will
always find simple things difficult.  I recognise that there are stupid
people, I just want nothing to do with them.

If my sister - a computer-illiterate tree-hugger - can manage scp, then
it's not hard.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature


Re: Matt's Scripts

2001-03-14 Thread Lucy McWilliam


On Wed, 14 Mar 2001, Dominic Mitchell wrote:

> "In a recent survey, 9 out of 10 MS Windows users were found to have
>  difficulties maximising and moving their windows.  Macintosh users were
>  not admitted to the tests because they had difficulties with the door
>  handle at the lab where the tests were being conducted."



Re: Matt's Scripts

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 03:22:59PM +0000, Michael Stevens wrote:
> On Wed, Mar 14, 2001 at 04:10:02PM +0000, David Cantrell wrote:
> > WebDAV is not OK, cos it means installing yet more stuff on the server
> > which is simply not needed.  If a user can't use scp, then I don't want
> > that user.  I mean, it's not hard FFS.
> 
> Admittedly rather unscientific research has shown you're actually wrong -
> lots of users find it very hard.

"In a recent survey, 9 out of 10 MS Windows users were found to have
 difficulties maximising and moving their windows.  Macintosh users were
 not admitted to the tests because they had difficulties with the door
 handle at the lab where the tests were being conducted."

-Dom



Re: Matt's Scripts

2001-03-14 Thread Struan Donald

* at 14/03 15:22 +0000 Michael Stevens said:
> On Wed, Mar 14, 2001 at 04:10:02PM +0000, David Cantrell wrote:
> > WebDAV is not OK, cos it means installing yet more stuff on the server
> > which is simply not needed.  If a user can't use scp, then I don't want
> > that user.  I mean, it's not hard FFS.
> 
> Admittedly rather unscientific research has shown you're actually wrong -
> lots of users find it very hard.

enough people find moving/copying files on windows complex... when
you start introducing a second computer...

struan



Scalar Context vs List Context

2001-03-14 Thread Dave Cross

... and how much trouble you can get in for not knowing the difference:



Dave...



Re: Matt's Scripts

2001-03-14 Thread Greg McCarroll

* Dave Cross ([EMAIL PROTECTED]) wrote:
> At Wed, 14 Mar 2001 16:10:02 +0000, David Cantrell <[EMAIL PROTECTED]> wrote:
> 
> > On Wed, Mar 14, 2001 at 03:01:17PM +0000, Dominic Mitchell wrote:
> > 
> > > WebDAV is ok, but you'd need to run it over HTTPS to be secure.
> > 
> > WebDAV is not OK, cos it means installing yet more stuff on the server
> > which is simply not needed.  If a user can't use scp, then I don't 
> > want that user.  I mean, it's not hard FFS.
> 
> An admirable point of view in my opinion. Why would anyone possibly
> want to run an ISP and have to deal with all the clueless people?
> 
> Beats me.
> 

Mike J, you used to work for AOL, you should be more than qualified
to answer this one ;-)


-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Matt's Scripts

2001-03-14 Thread Jon Eyre

On Wed, 14 Mar 2001, David Cantrell wrote:
> WebDAV is not OK, cos it means installing yet more stuff on the server
> which is simply not needed.

Using WebDAV on an internal staging server and then updating the live 
server with something rsync-ish using scp might be a good
usability/security compromise 

> If a user can't use scp, then I don't want
> that user.  I mean, it's not hard FFS.

alas, some of us don't get to choose our users...

j




Re: Matt's Scripts

2001-03-14 Thread Mark Fowler

> Yes there is.  http://www.i-tree.org/ixplorer.htm. 

I've since installed WinSCP, from the list of alternatives on OpenSSH. This
is also based on PuTTY and isn't so, well, dodgy as iXplorer.  Forget I
ever mentioned it.

Seems to work well for me.  The interface is clunky (i.e. you have to
press F5 to copy rather than drag and drop) but is still something your
average windows user would have no problems using.

http://winscp.vse.cz/eng/   (we should have just googled for winscp in the 
 first place)

Later.

Mark.

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )



RE: Matt's Scripts

2001-03-14 Thread Jonathan Peterson


> which is simply not needed.  If a user can't use scp, then I
> don't want
> that user.  I mean, it's not hard FFS.

Scp is not hard. Users should be able to use scp. However, the real point is
that scp sucks. scp is to a sensible way of transferring files what
command.com is to a good shell. scp is stateless. scp makes you enter your
password, again, all the time. scp doesn't let you browse the remote machine
(hell, even ftp manages that). scp doesn't do ASCII conversion between
differing architectures. scp doesn't even let you upload two files from
different directories in a single operation, where operation is defined in
human rather than computer terms.

sftp is obviously better in every respect than scp, and the only reason for
inflicting scp on a user is to convince them to spend the cash on f-secure's
sftp client for win|mac|whatever.

However, a million times better than any of these is to use SMB (just not
with plain text pwords). And if the client really needs to constantly upload
and download files in an encrypted state, setting up a VPN is the way to go,
and then they can use whatever they want, presumably SMB or NFS if the pipe
is at all reliable.



Re: Matt's Scripts

2001-03-14 Thread Matthew Byng-Maddick

On Wed, 14 Mar 2001, Dave Cross wrote:
> At Wed, 14 Mar 2001 16:10:02 +0000, David Cantrell <[EMAIL PROTECTED]> wrote:
> > On Wed, Mar 14, 2001 at 03:01:17PM +0000, Dominic Mitchell wrote:
> > > WebDAV is ok, but you'd need to run it over HTTPS to be secure.
> > WebDAV is not OK, cos it means installing yet more stuff on the server
> > which is simply not needed.  If a user can't use scp, then I don't 
> > want that user.  I mean, it's not hard FFS.
> An admirable point of view in my opinion. Why would anyone possibly
> want to run an ISP and have to deal with all the clueless people?

Well, quite. Of course, if their computer hasn't got a queueing mail
system, then I don't want that either :)

MBM

-- 
Matthew Byng-Maddick   Home: <[EMAIL PROTECTED]>  +44 20  8980 5714  (Home)
http://colondot.net/   Work: <[EMAIL PROTECTED]> +44 7956 613942  (Mobile)
I don't know who my grandfather was; I am much more concerned to know what
his grandson will be.   -- Abraham Lincoln




Re: Matt's Scripts

2001-03-14 Thread David Cantrell

* at 14/03 14:59 +0000 Mark Fowler said:

> > Do what we do.  Keep everything running, but shove a whopping great
> > ipchains (or firewall of choice) in the way.  If you want to access it,
> > ssh tunnel it first.

Would not ipsec be a better solution?  It's transparent to the users,
and more reliable than ssh tunnels which tend to drop if not used.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature


Re: Matt's Scripts (SCP)

2001-03-14 Thread Greg McCarroll

* Neil Ford ([EMAIL PROTECTED]) wrote:
> >On Wed, Mar 14, 2001 at 02:57:41PM +0000, Roger Burton West wrote:
> >>  On or about Wed, Mar 14, 2001 at 02:34:32PM +0000, Jon Eyre typed:
> >>
> >>  >is there an idiot-proof graphical front-end for scp? windows
> >>  >clients?
> >>
> >>  PuTTY.
> >
> >SCP for Windoz = http://winscp.vse.cz/eng/
> >SCP for Linux = well, command line scp or whatever else there is.
> >SCP for OSX = http://www.macorchard.com/ftp.html download Rbrowser
> 
> Also see Linux above, seeing as OS X comes with OpenSSH. (10 days 
> and counting :-) )
> 

OS X shall be a truly wonderful thing, of course the fact that
it is even possible is down to the BSD license IIRC, discuss ...  

;-)

-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Matt's Scripts

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 16:10:02 +0000, David Cantrell <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 14, 2001 at 03:01:17PM +0000, Dominic Mitchell wrote:
> 
> > WebDAV is ok, but you'd need to run it over HTTPS to be secure.
> 
> WebDAV is not OK, cos it means installing yet more stuff on the server
> which is simply not needed.  If a user can't use scp, then I don't 
> want that user.  I mean, it's not hard FFS.

An admirable point of view in my opinion. Why would anyone possibly
want to run an ISP and have to deal with all the clueless people?

Beats me.

Dave...



Re: Matt's Scripts

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 03:13:46PM -0000, Jonathan Peterson wrote:
> >
> > There is a GUI front-end for pscp, available from
> > http://www.i-tree.org/, apparently, although I haven't tried it.
> 
> This is kind of flaky, and has trouble with stuff like files owned by a
> user or group with more than 8 characters in its name. This is because it
> determines filenames by doing ls and then counting a fixed number of columns
> in from the left. :-(

Well, if you've got Delphi handy, you can go in and fix it...

-Dom



Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 03:01:17PM +0000, Dominic Mitchell wrote:

> WebDAV is ok, but you'd need to run it over HTTPS to be secure.

WebDAV is not OK, cos it means installing yet more stuff on the server
which is simply not needed.  If a user can't use scp, then I don't want
that user.  I mean, it's not hard FFS.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **

 PGP signature


Re: Matt's Scripts (SCP)

2001-03-14 Thread Chris Devers

At 03:00 PM 14.3.2001 +0000, Leo Lapworth wrote:
>If anyone hears of a good gui SCP client for non-OSX mac's I'd
>really like to know (I've got users on my machine that need it!).

Can Fetch do it? At a glance, I don't see anything about SCP there, but then I've only 
done a cursory check; it may be in there somewhere. 




--
Chris Devers [EMAIL PROTECTED]




Re: Matt's Scripts (SCP)

2001-03-14 Thread Neil Ford

>On Wed, Mar 14, 2001 at 02:57:41PM +0000, Roger Burton West wrote:
>>  On or about Wed, Mar 14, 2001 at 02:34:32PM +0000, Jon Eyre typed:
>>
>>  >is there an idiot-proof graphical front-end for scp? windows
>>  >clients?
>>
>>  PuTTY.
>
>SCP for Windoz = http://winscp.vse.cz/eng/
>SCP for Linux = well, command line scp or whatever else there is.
>SCP for OSX = http://www.macorchard.com/ftp.html download Rbrowser

Also see Linux above, seeing as OS X comes with OpenSSH. (10 days 
and counting :-) )

>SCP for Mac = http://www.macorchard.com/ftp.html download 
>NiftyTelnet (the open option has an SCP radio button)
>
>The Mac one is NASTY! - the OSX and Windoz ones are just like
>standard FTP clients (your computer on the left, remote server on the right).
>
>If anyone hears of a good gui SCP client for non-OSX mac's I'd
>really like to know (I've got users on my machine that need it!).
>
 me too! 

And if anyone finds a mac client that does SSH2 reliably, including 
port forwarding, using keys 'generated' using OpenSSH I'd be 
interested too.

Neil.
-- 
Neil C. Ford
Managing Director, Yet Another Computer Solutions Company
[EMAIL PROTECTED]



RE: Matt's Scripts

2001-03-14 Thread Jonathan Peterson

>
> There is a GUI front-end for pscp, available from
> http://www.i-tree.org/, apparently, although I haven't tried it.

This is kind of flakey, and has trouble with stuff like files owned by a
user or group with more than 8 characters in its name. This is because it
determines filenames by doing ls and then counting a fixed number of columns
in from the left. :-(




Re: Matt's Scripts

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 03:08:03PM +, Struan Donald wrote:
> and people are worrying about plain scp confusing people? ssh
> tunneling is one of those things that appears close enough to magic
> that people assume it is. damn useful magic though.
> 
> plus it always seems such a pain on windows

It is.  And a word of warning in case anybody tries it:  Don't tunnel
ftp over ssh.  It doesn't work properly.  Only 1 tunnel goes over the
secure connection.  Admittedly, it keeps the password out of the way,
but it also leads to a false sense of security about your data being
encrypted.

-Dom (had to whinge to a Linux Journal author about this one)



Re: Matt's Scripts

2001-03-14 Thread Greg McCarroll

* Roger Burton West ([EMAIL PROTECTED]) wrote:
> On or about Wed, Mar 14, 2001 at 04:00:22PM +, Greg McCarroll typed:
> >* Dave Cross ([EMAIL PROTECTED]) wrote:
> >> They won't if you stop running the ftp daemon on the server :)
> >Rule one of security:
> > Ensure availability for authorised users
> 
> Rule zero of security:
>A system with no users is a system with no unauthorised users. For
> extra points, turn it off.
> 

best to destroy it, and crush it to powder then scatter it into the winds 
of the earth ;-)

oh and you might like to plant its CPU on hallowed ground just in case
it's a lichOS system.

-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Matt's Scripts

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 02:57:41PM +, Roger Burton West wrote:
> On or about Wed, Mar 14, 2001 at 02:34:32PM +, Jon Eyre typed:
> >is there an idiot-proof graphical front-end for scp? windows 
> >clients?
> 
> PuTTY.

http://www.chiark.greenend.org.uk/~sgtatham/putty/

In case anybody hasn't seen it, it's a very useful win32 ssh program
with a terminal emulator.  It even comes with an ssh-agent, which is
pretty damned useful.

Regarding scp, putty comes with pscp, a command line tool for uploading
files.  The next version also has a beginning implementation of an sftp
client and the latest version of OpenSSH also comes with an sftp server,
which you could use.  It's still all command line though (and it's not
released yet).

There is a GUI front-end for pscp, available from
http://www.i-tree.org/, apparently, although I haven't tried it.

I don't know, but you may be able to download an eval version of some
nicer copying tools courtesy of one of the professional ssh outfits.

-Dom



Re: Matt's Scripts

2001-03-14 Thread Struan Donald

* at 14/03 14:59 + Mark Fowler said:
> On Wed, 14 Mar 2001, Greg McCarroll wrote:
> > * Dave Cross ([EMAIL PROTECTED]) wrote:
> > > At Wed, 14 Mar 2001 14:34:32 + (GMT), Jon Eyre <[EMAIL PROTECTED]> 
>wrote:
> > > > 
> > > > > My several users use scp.
> > > > 
> > > > is there an idiot-proof graphical front-end for scp? windows 
> > > > clients? my several users require them, or they'll just continue 
> > > > using ftp, because it's *easier*... 
> > > 
> > > They won't if you stop running the ftp daemon on the server :)
> > > 
> > 
> > Rule one of security:
> > Ensure availability for authorised users
> > 
> > this breaks it ;-)
> > 
> 
> Do what we do.  Keep everything running, but shove a whopping great
> ipchains (or firewall of choice) in the way.  If you want to access it,
> ssh tunnel it first.

and people are worrying about plain scp confusing people? ssh
tunneling is one of those things that appears close enough to magic
that people assume it is. damn useful magic though.

plus it always seems such a pain on windows

struan



Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 02:34:32PM +, Jon Eyre wrote:

> > My several users use scp.
> 
> is there an idiot-proof graphical front-end for scp? windows 
> clients? my several users require them, or they'll just continue 
> using ftp, because it's *easier*... People are lazy, and security 
> measures which are a pain in the arse will fail to work because the 
> users will bypass them (summarizing from Schneier's Secrets and Lies). 

I'd like to see my users try to bypass them :-)  There is simply no
other way of uploading a file.  No ftp uploads, no rcp, no http uploads,
and none of the sneaky ways of getting in via smtp.  Oh, and no smb, no
appletalk, and no nfs server.  Of course, I don't accept idiots for
users.

But for Windows users, I recommend Secure iXplorer, for Mac users, macssh.

> >  All of them can put anything they want on there.
> > If you're doing hosting and letting people upload code, you have no choice
> > but to trust your users.  *BUT* by avoiding grotesqueries like ftp, and by
> > setting permissions sanely, third-parties are hard-pressed to compromise
> > the server.
> 
> dealing with clients who can't remember or don't know
> usernames/passwords, and the subsequent calls to isp 
> helpdesks:
> 
> "Hello, I am from web agency X, we need ftp details for customer Y
> so we can upload their site."

Evil reply: "that's your fucking problem, ask your client"

> And they just give 'em out. No checks, no confirming with the
> customers, nothing. There's little hope of 
> securing stuff if people can be socially 
> engineered so easily.

That's a matter of setting policy.  If there's no policy in place to
prevent that, then you can expect people to do it.  If you have a security
policy which states that you will fire people for such gross breaches -
and more importantly, you *enforce* it - then it won't happen more than
once or twice.

Anyway, how on earth can the helldesk grunts get at passwords?  Not even
the sysadmin should be able to tell you a user's password. They should
*never* be stored in plain-text.  If they are, fire the sysadmin.

BTW, when I've made those calls to ISPs in the past, my client has always
told them in advance that I'll be calling.  Perhaps I just have a higher
class of clientele :-)

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **



Re: Matt's Scripts

2001-03-14 Thread Matthew Byng-Maddick

On Wed, 14 Mar 2001, Dominic Mitchell wrote:
> On Wed, Mar 14, 2001 at 02:55:28PM +, Michael Stevens wrote:
> > I've been thinking that, while not ideal, webDAV is probably the best
> > option here. I'm told it's a) secure-ish, and b) integrates nicely
> > with Dreamweaver and whatever microsoft's thing is.
> WebDAV is ok, but you'd need to run it over HTTPS to be secure.

The other thing is that *WHEN* subversion comes out, the protocol allows
for version control, and there'll actually be a decent way of implementing
version control, so if the people who are doing the uploading screw up,
you have some chance of rolling back.

DAV over HTTPS is not that bad, though...

MBM

-- 
Matthew Byng-Maddick   Home: <[EMAIL PROTECTED]>  +44 20  8980 5714  (Home)
http://colondot.net/   Work: <[EMAIL PROTECTED]> +44 7956 613942  (Mobile)
I don't know who my grandfather was; I am much more concerned to know what
his grandson will be.   -- Abraham Lincoln




Re: Matt's Scripts (SCP)

2001-03-14 Thread Leo Lapworth

On Wed, Mar 14, 2001 at 02:57:41PM +, Roger Burton West wrote:
> On or about Wed, Mar 14, 2001 at 02:34:32PM +, Jon Eyre typed:
> 
> >is there an idiot-proof graphical front-end for scp? windows 
> >clients?
> 
> PuTTY.

SCP for Windoz = http://winscp.vse.cz/eng/ 
SCP for Linux = well, command line scp or whatever else there is. 
SCP for OSX = http://www.macorchard.com/ftp.html download Rbrowser 
SCP for Mac = http://www.macorchard.com/ftp.html download NiftyTelnet (the open option 
has an SCP radio button) 

The Mac one is NASTY! - the OSX and Windoz ones are just like
standard FTP clients (your computer on the left, remote server on the right).

If anyone hears of a good gui SCP client for non-OSX mac's I'd
really like to know (I've got users on my machine that need it!).

Cheers

Leo



Re: Matt's Scripts

2001-03-14 Thread Roger Burton West

On or about Wed, Mar 14, 2001 at 04:00:22PM +, Greg McCarroll typed:
>* Dave Cross ([EMAIL PROTECTED]) wrote:
>> They won't if you stop running the ftp daemon on the server :)
>Rule one of security:
>   Ensure availability for authorised users

Rule zero of security:
   A system with no users is a system with no unauthorised users. For
extra points, turn it off.

Roger



Re: Matt's Scripts

2001-03-14 Thread Mark Fowler

On Wed, 14 Mar 2001, Greg McCarroll wrote:
> * Dave Cross ([EMAIL PROTECTED]) wrote:
> > At Wed, 14 Mar 2001 14:34:32 + (GMT), Jon Eyre <[EMAIL PROTECTED]> wrote:
> > > 
> > > > My several users use scp.
> > > 
> > > is there an idiot-proof graphical front-end for scp? windows 
> > > clients? my several users require them, or they'll just continue 
> > > using ftp, because it's *easier*... 
> > 
> > They won't if you stop running the ftp daemon on the server :)
> > 
> 
> Rule one of security:
>   Ensure availability for authorised users
> 
> this breaks it ;-)
> 

Do what we do.  Keep everything running, but shove a whopping great
ipchains (or firewall of choice) in the way.  If you want to access it,
ssh tunnel it first.
 

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )








Re: Matt's Scripts

2001-03-14 Thread Dominic Mitchell

On Wed, Mar 14, 2001 at 02:55:28PM +, Michael Stevens wrote:
> On Wed, Mar 14, 2001 at 02:34:32PM +, Jon Eyre wrote:
> > > My several users use scp.
> > is there an idiot-proof graphical front-end for scp? windows 
> > clients? my several users require them, or they'll just continue 
> > using ftp, because it's *easier*... People are lazy, and security 
> > measures which are a pain in the arse will fail to work because the 
> > users will bypass them (summarizing from Schneier's Secrets and Lies). 
> 
> I've been thinking that, while not ideal, webDAV is probably the best
> option here. I'm told it's a) secure-ish, and b) integrates nicely
> with Dreamweaver and whatever microsoft's thing is.

WebDAV is ok, but you'd need to run it over HTTPS to be secure.

-Dom



Re: Matt's Scripts

2001-03-14 Thread Greg McCarroll

* Dave Cross ([EMAIL PROTECTED]) wrote:
> At Wed, 14 Mar 2001 14:34:32 + (GMT), Jon Eyre <[EMAIL PROTECTED]> wrote:
> > 
> > > My several users use scp.
> > 
> > is there an idiot-proof graphical front-end for scp? windows 
> > clients? my several users require them, or they'll just continue 
> > using ftp, because it's *easier*... 
> 
> They won't if you stop running the ftp daemon on the server :)
> 

Rule one of security:
Ensure availability for authorised users

this breaks it ;-)

-- 
Greg McCarroll  http://www.mccarroll.uklinux.net



Re: Matt's Scripts

2001-03-14 Thread Mark Fowler

> > is there an idiot-proof graphical front-end for scp? windows?
> 
> On Windows I use pscp which comes from the same people as putty. It
> works well, but it doesn't have a pretty graphical front-end.

Yes there is.  http://www.i-tree.org/ixplorer.htm. 

I suggest you peeps read http://www.openssh.org/windows.html which lists
alternatives

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )








Re: Matt's Scripts

2001-03-14 Thread Roger Burton West

On or about Wed, Mar 14, 2001 at 02:34:32PM +, Jon Eyre typed:

>is there an idiot-proof graphical front-end for scp? windows 
>clients?

PuTTY.

>my several users require them, or they'll just continue 
>using ftp, because it's *easier*... People are lazy, and security 
>measures which are a pain in the arse will fail to work because the 
>users will bypass them (summarizing from Schneier's Secrets and Lies). 

Then you disable ftp and smb. (And telnet, of course.) "Sorry, we can't
use these because of the ban on plain-text passwords."

Roger



Re: Matt's Scripts

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 14:34:32 + (GMT), Jon Eyre <[EMAIL PROTECTED]> wrote:
> 
> > My several users use scp.
> 
> is there an idiot-proof graphical front-end for scp? windows 
> clients? my several users require them, or they'll just continue 
> using ftp, because it's *easier*... 

They won't if you stop running the ftp daemon on the server :)

On Windows I use pscp which comes from the same people as putty. It
works well, but it doesn't have a pretty graphical front-end.

Dave...



Re: Matt's Scripts

2001-03-14 Thread Jon Eyre


> My several users use scp.

is there an idiot-proof graphical front-end for scp? windows 
clients? my several users require them, or they'll just continue 
using ftp, because it's *easier*... People are lazy, and security 
measures which are a pain in the arse will fail to work because the 
users will bypass them (summarizing from Schneier's Secrets and Lies). 

>  All of them can put anything they want on there.
> If you're doing hosting and letting people upload code, you have no choice
> but to trust your users.  *BUT* by avoiding grotesqueries like ftp, and by
> setting permissions sanely, third-parties are hard-pressed to compromise
> the server.

dealing with clients who can't remember or don't know
usernames/passwords, and the subsequent calls to isp 
helpdesks:

"Hello, I am from web agency X, we need ftp details for customer Y
so we can upload their site."

And they just give 'em out. No checks, no confirming with the
customers, nothing. There's little hope of 
securing stuff if people can be socially 
engineered so easily.






Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 12:46:45PM +, Jon Eyre wrote:
 
> oops...

Heh.  Just remember, Evil Dave is the paranoid nutcase, Dave Cross is the
one with the gold-plated cat.

> > At Wed, 14 Mar 2001 13:05:05 +, David Cantrell <[EMAIL PROTECTED]> wrote:
> > 
> > > Evil Dave's server does *not* use separate cgi-bin directories - but 
> > > then, there's no ftp file upload, and the ftp root is in a different 
> > > place from the web root anyway, and HTTP file upload is also not 
> > > permitted.
> 
> Evil Dave's server is therefore a different beast to a hosting company's 
> server, which isn't really much use if their customers can't get anything
> on to it.

My several users use scp.  All of them can put anything they want on there.
If you're doing hosting and letting people upload code, you have no choice
but to trust your users.  *BUT* by avoiding grotesqueries like ftp, and by
setting permissions sanely, third-parties are hard-pressed to compromise
the server.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **



Re: Mailing list details

2001-03-14 Thread Elaine -HFB- Ashton

Dave Cross [[EMAIL PROTECTED]] quoth:
*>
*>Exclusivity! Take a good look round next time you're at a meeting and 
*>tell me how exclusive you think we are :)
*>
*>But, yes, I have _lots_ of ideas for a revamp of the web site. I might
*>even have time to do it some time this year.

There is also a mongers category on the lists.cpan.org page should you
care to list it. 

e.



Re: Mailing list details

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 12:52:33 -, "Robert Shiels" <[EMAIL PROTECTED]> wrote:
> I was looking for the mailing list subscription details on our 
> london.pm.org website, and thought they were a bit hidden down on 
> the "what we've done" page. I think they should probably be more 
> prominent, probably on the home page. Or are we trying to maintain 
> our exclusivity :-)

Exclusivity! Take a good look round next time you're at a meeting and 
tell me how exclusive you think we are :)

But, yes, I have _lots_ of ideas for a revamp of the web site. I might
even have time to do it some time this year.

Dave...



Re: Matt's Scripts

2001-03-14 Thread Jon Eyre


oops...

On Wed, 14 Mar 2001, Dave Cross wrote:
> At Wed, 14 Mar 2001 13:05:05 +, David Cantrell <[EMAIL PROTECTED]> wrote:
> > On Wed, Mar 14, 2001 at 11:50:04AM +, Jon Eyre wrote:
> > > In my experience, virtually *all* isps/hosting providers use the
> > > 'separate cgi-bin directory' configuration. either for the 
> > > security reasons outlined by evil dave ...

> > Evil Dave's server does *not* use separate cgi-bin directories - but 
> > then, there's no ftp file upload, and the ftp root is in a different 
> > place from the web root anyway, and HTTP file upload is also not 
> > permitted.

Evil Dave's server is therefore a different beast to a hosting company's 
server, which isn't really much use if their customers can't get anything
on to it.
 
> And besides, it wasn't Evil Dave that pointed out the security issues.

oops... apologies, confused by a surfeit of Daves...

Returning to subject, what would be really useful for me, and probably 
many other aspirant mongers, is to see Matt's scripts subjected to 
a similar sort of process to that in the perl.com
'program-repair-red-flags' articles. It's all very well to say 'these 
scripts are bad and insecure, here are some well-written and secure
versions', but a lot more can be learnt from showing *why* they're 
bad, even if it's just done by marking the originals up with
constructively critical comments...

just my .02

j

---
jon eyre ([EMAIL PROTECTED]) (http://simpson.dyndns.org/~jon/)
the slack which can be described is not the true slack





Mailing list details

2001-03-14 Thread Robert Shiels

I was looking for the mailing list subscription details on our london.pm.org
website, and thought they were a bit hidden down on the "what we've done"
page. I think they should probably be more prominent, probably on the home
page. Or are we trying to maintain our exclusivity :-)

--
Robert
--
 desmondbagley.com
 "Congratulations: desmondbagley.com is available for you.
  Please fill the form below."





Re: Matt's Scripts

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 13:05:05 +, David Cantrell <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 14, 2001 at 11:50:04AM +, Jon Eyre wrote:
> 
> > In my experience, virtually *all* isps/hosting providers use the
> > 'separate cgi-bin directory' configuration. either for the 
> > security reasons outlined by evil dave ...
> 
> Eh-hem.
> 
> Evil Dave's server does *not* use separate cgi-bin directories - but 
> then, there's no ftp file upload, and the ftp root is in a different 
> place from the web root anyway, and HTTP file upload is also not 
> permitted.

And besides, it wasn't Evil Dave that pointed out the security issues.

(Nice) Dave...



Re: Matt's Scripts

2001-03-14 Thread David Cantrell

On Wed, Mar 14, 2001 at 11:50:04AM +, Jon Eyre wrote:

> In my experience, virtually *all* isps/hosting providers use the 
> 'separate cgi-bin directory' configuration. either for the security 
> reasons outlined by evil dave ...

Eh-hem.

Evil Dave's server does *not* use separate cgi-bin directories - but then,
there's no ftp file upload, and the ftp root is in a different place from
the web root anyway, and HTTP file upload is also not permitted.

-- 
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/

This is a signature.  There are many like it but this one is mine.

** I read encrypted mail first, so encrypt if your message is important **



Re: Matt's Scripts

2001-03-14 Thread Jon Eyre



On Wed, 14 Mar 2001, Mark Fowler wrote:

> > (What do you mean with "not-inplace cgi"?)
> 
> Some servers (like my own) are configured to allow you to run perl scripts
> anywhere.

aka cgi-by-suffix, you add an apache handler which recognises all 
files with a certain extension (typically .cgi or .pl ) as cgi scripts, 
and executes them...

> Some servers (especially in the paranoid ISP land) are configured to have
> a /cgi-bin/ where you have to put files in that will be 'executed'. 

In my experience, virtually *all* isps/hosting providers use the 
'separate cgi-bin directory' configuration. either for the security 
reasons outlined by evil dave, or because they *don't know* about
cgi-by-suffix.

j


---
jon eyre ([EMAIL PROTECTED]) (http://simpson.dyndns.org/~jon/)
the slack which can be described is not the true slack






Re: Matt's Scripts

2001-03-14 Thread Robin Szemeti

On Wed, 14 Mar 2001, you wrote:
> > (What do you mean with "not-inplace cgi"?)
> 
> Some servers (like my own) are configured to allow you to run perl scripts
> anywhere.
> 
> Some servers (especially in the paranoid ISP land) are configured to have
> a /cgi-bin/ where you have to put files in that will be 'executed'.  
> Typically you cannot read from these dirs with a web server (you can only
> execute the program and read their output.)  This is so that if you have
> passwords in your scripts it's very hard for the bad guys to read these 
> files and get the script via the webserver no matter what mistakes you
> make (e.g. if you accidentally leave backup files around.)  The main
> drawback of this is that you can't serve normal files (like images) from
> the same directory.

or if for some reason the ISP edits the httpd.conf and removes execution
from .pl file types // voila! .. your scripts are exposed to the world 
.. its not such a big deal on paranoid ISP sites as they are usually only
luser scripts doing something tedious .. the consequences on a commercial
site could be very real indeed ... I always have my cgi-bin directory
outside my document root .. makes sense to me.

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!



Re: Matt's Scripts

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 11:28:19 + (GMT), Mark Fowler <[EMAIL PROTECTED]> wrote:
> > (What do you mean with "not-inplace cgi"?)
> 
> Some servers (like my own) are configured to allow you to run perl 
> scripts anywhere.

We _like_ servers configured like this. Especially if they've got some
kind of file upload facility installed. We can run any code we like on
them :)

> Some servers (especially in the paranoid ISP land) are configured to 
> have a /cgi-bin/ where you have to put files in that will be
> 'executed'. Typically you cannot read from these dirs with a web 
> server (you can only execute the program and read their output.)  
> This is so that if you have passwords in your scripts it's very hard 
> for the bad guys to read these files and get the script via the 
> webserver no matter what mistakes you make (e.g. if you accidentally 
> leave backup files around.)  The main drawback of this is that you 
> can't serve normal files (like images) from the same directory.

These servers, OTOH, are far less fun. Typically the web user has no
write access to the cgi-bin directory so you can't upload your own 
scripts there using HTTP.

> I call the first 'in place cgi' and the latter 'cgi-bin'

I call the first 'a security nightmare' and the latter 'much safer'.

> Hope that's clear.

Very much :)

Dave...



Re: Matt's Scripts

2001-03-14 Thread Mark Fowler

> (What do you mean with "not-inplace cgi"?)

Some servers (like my own) are configured to allow you to run perl scripts
anywhere.

Some servers (especially in the paranoid ISP land) are configured to have
a /cgi-bin/ where you have to put files in that will be 'executed'.  
Typically you cannot read from these dirs with a web server (you can only
execute the program and read their output.)  This is so that if you have
passwords in your scripts it's very hard for the bad guys to read these 
files and get the script via the webserver no matter what mistakes you
make (e.g. if you accidentally leave backup files around.)  The main
drawback of this is that you can't serve normal files (like images) from
the same directory.

I call the first 'in place cgi' and the latter 'cgi-bin'

Hope that's clear.

Later.

Mark.
 

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )
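The two layouts Mark describes above, and Robin's point earlier in the thread that a script under the document root turns into readable source the moment its handler is removed, can be checked mechanically. The script below is an added example, not code from the thread or from the NMS project: it walks a DocumentRoot looking for script files (assumed here to end in .pl, .cgi or .pm, plus the editor and backup copies that no handler will ever match), and checks whether the cgi-bin directory itself sits inside the document root after symlinks are resolved. The site layout it audits is constructed in a temporary directory for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: audits a web tree for CGI source
# that the web server could hand out as plain text. Assumes an Apache-style
# layout (DocumentRoot plus a cgi-bin directory) and the .pl/.cgi/.pm
# extensions; both are constructed assumptions for the example.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Find qw(find);
use File::Path qw(mkpath);
use File::Temp qw(tempdir);

# True if $path lies inside $root once symlinks are resolved, so a cgi-bin
# that is merely symlinked into the document root is still caught.
sub is_under {
    my ($path, $root) = @_;
    my ($p, $r) = (realpath($path), realpath($root));
    return 0 unless defined $p && defined $r;
    return 1 if $p eq $r;
    $r =~ s{/*$}{/};
    return index($p, $r) == 0 ? 1 : 0;
}

# Script files under the document root.  A file matched by the CGI handler is
# executed today and exposed the day the handler is removed; an editor backup
# such as form.pl~ matches no handler and is served as text right now.
sub exposed_scripts {
    my ($docroot) = @_;
    my @found;
    find({ no_chdir => 1, wanted => sub {
        push @found, $File::Find::name
            if -f $_ && /\.(?:pl|cgi|pm)(?:~|\.bak|\.orig)?$/;
    } }, $docroot);
    return sort @found;
}

# Returns a list of problems; an empty list means the layout is clean.
sub audit {
    my ($docroot, $cgibin) = @_;
    my @problems;
    push @problems, "cgi-bin $cgibin is inside DocumentRoot $docroot"
        if is_under($cgibin, $docroot);
    push @problems, "script source under DocumentRoot: $_"
        for exposed_scripts($docroot);
    return @problems;
}

# Constructed demo: the same site laid out both ways inside a temp directory.
sub touch {
    my $f = shift;
    open my $fh, '>', $f or die "$f: $!";
    print $fh "#!/usr/bin/perl\n";
    close $fh;
}
my $tmp = tempdir(CLEANUP => 1);
mkpath($_) for "$tmp/bad/htdocs/cgi-bin", "$tmp/good/htdocs", "$tmp/good/cgi-bin";
touch("$tmp/bad/htdocs/cgi-bin/form.pl");   # executed now, exposed later
touch("$tmp/bad/htdocs/cgi-bin/form.pl~");  # exposed now
touch("$tmp/good/cgi-bin/form.pl");         # outside DocumentRoot: never served

for my $site (qw(bad good)) {
    my @p = audit("$tmp/$site/htdocs", "$tmp/$site/cgi-bin");
    print "$site layout: ", (@p ? scalar(@p) . " problem(s)\n" : "clean\n");
    print "  $_\n" for @p;
}
```

The "bad" layout reports three problems (the cgi-bin inside the document root, the script, and its backup copy); the "good" layout, with cgi-bin beside rather than under htdocs as Robin does, reports none. The backup-file pattern is the part worth running against a real tree: it finds the files Mark warns about, which are readable today regardless of how the handler is configured.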








Re: Matt's Scripts

2001-03-14 Thread Philip Newton

Mark Fowler wrote:
> d) It links to an image in the same directory as itself and 
> explains that if the image isn't viewable then you do not
> have inplace cgi and the things you have to know about this

(What do you mean with "not-inplace cgi"?)

Another thing it maybe should print out is the current working directory.
Apparently in some places, '.' is not the directory where the script is in,
which messes you up if you want to read config files or write things to the
file system and your notion of "where you are" is incorrect. FindBin may be
able to help.

Cheers,
Philip
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.



Re: Matt's Scripts

2001-03-14 Thread Matthew Robinson

At 10:54 14/03/01 +, you wrote:
>Mark Fowler <[EMAIL PROTECTED]> writes:
>
>> >  

>Ooh, 'configure.cgi'.
>
>If only we could assume that they had a working perl on the box that
>they were installing from then we could write a cunning installer
>script which uploaded configure.cgi to the ISP and interrogated it via
>a LWP::... client to get a bunch of configuration stuff, which could
>then be used to generate a list of scripts that could run on the
>user's ISP, and which could then go on and upload the scripts.

Could we not produce something like configure.bat which is a hybrid shell
script/batch file that starts the configuration process by finding perl and
then launches perl to find out installed libraries.

Obviously it would produce lots of 'Command not found' messages etc but it
could quickly find perl (or not) and then move into a cleaner environment.

Matt

>
>Ooh... You don't even have to assume working perl on their box. You
>stick the interrogation stuff on the 'Not Matt's scripts' website. The
>punter then says "I want to run these scripts on such an ISP". NMS
>then checks to see if it has information about that ISP cached, and
>provides the appropriate scripts if so, or a copy of configure.cgi for
>the punter to upload. Once the punter has done the upload, he sets off
>an interrogation phase, which works out the capabilities of the
>particular user's environment and builds an appropriate script set.
>
>Hmm... it's just a simple matter of programming...
>
>-- 
>Piers
>
>
>




Re: Matt's Scripts

2001-03-14 Thread Piers Cawley

Mark Fowler <[EMAIL PROTECTED]> writes:

> >  
> 
> 
> Stop, stop, this script archive is not ready yet!  Where are the Hello
> world examples?  Where are the detailed instructions?  And why are you
> actually working on these scripts yet!
> 
> 
> You're all getting ahead of yourselves.  We need to write a set of
> helloWorld scripts that the script user can upload first to find out the
> basic facts about their server and check everything is working.
> 
> a) You have multiple copies of the script with different shebang lines on
> the top.  Only one of these will work and one of the things it'll do is
> print out is "The first line of programs you upload to this server should
> be #!/blah/perl"
> 
> b) It checks your perl version is reasonable.  Actually it probably should
> do this before a) in case there are several versions installed.
> 
> c) It tests if you've got a borken version of CGI.pm (or CGI.pm at all) by
> looking at version numbers, etc.  Same for other modules.
> 
> d) It links to an image in the same directory as itself and explains that
> if the image isn't viewable then you do not have inplace cgi and the
> things you have to know about this
> 
> e) It prints out the time, and GMT time thus highlighting to the user any
> problems they might have if this is wrong
> 
> f) It prints out a hunk of diagnostic information (e.g. perl version,
> module versions, url, etc, etc)

Ooh, 'configure.cgi'.

If only we could assume that they had a working perl on the box that
they were installing from then we could write a cunning installer
script which uploaded configure.cgi to the ISP and interrogated it via
a LWP::... client to get a bunch of configuration stuff, which could
then be used to generate a list of scripts that could run on the
user's ISP, and which could then go on and upload the scripts.

Ooh... You don't even have to assume working perl on their box. You
stick the interrogation stuff on the 'Not Matt's scripts' website. The
punter then says "I want to run these scripts on such an ISP". NMS
then checks to see if it has information about that ISP cached, and
provides the appropriate scripts if so, or a copy of configure.cgi for
the punter to upload. Once the punter has done the upload, he sets off
an interrogation phase, which works out the capabilities of the
particular user's environment and builds an appropriate script set.

Hmm... it's just a simple matter of programming...

-- 
Piers




RE: Matt's Scripts

2001-03-14 Thread Lucy McWilliam


On Wed, 14 Mar 2001, Mark Fowler wrote:

> >  
> 
> 
> Stop, stop, this script archive is not ready yet!  Where are the Hello
> world examples?  Where are the detailed instructions?  And why are you
> actually working on these scripts yet!
> 

*giggle*


L.





RE: Matt's Scripts

2001-03-14 Thread Dave Cross

At Wed, 14 Mar 2001 10:19:42 + (GMT), Mark Fowler <[EMAIL PROTECTED]> wrote:
> >  
> 
> 
> Stop, stop, this script archive is not ready yet!  Where are the Hello
> world examples?  Where are the detailed instructions?  And why are you
> actually working on these scripts yet!
> 
> 
> You're all getting ahead of yourselves.  We need to write a set of
> helloWorld scripts that the script user can upload first to find out 
> the basic facts about their server and check everything is working.
> 
> a) You have multiple copies of the script with different shebang lines 
> on the top.  Only one of these will work and one of the things it'll 
> do is print out is "The first line of programs you upload to this 
> server should be #!/blah/perl"
> 
> b) It checks your perl version is reasonable.  Actually it probably 
> should do this before a) in case there are several versions installed.
> 
> c) It tests if you've got a borken version of CGI.pm (or CGI.pm at 
> all) by looking at version numbers, etc.  Same for other modules.
> 
> d) It links to an image in the same directory as itself and explains 
> that if the image isn't viewable then you do not have inplace cgi and 
> the things you have to know about this
> 
> e) It prints out the time, and GMT time thus highlighting to the user 
> any problems they might have if this is wrong
> 
> f) It prints out a hunk of diagnostic information (e.g. perl version,
> module versions, url, etc, etc)

My ms-env script does a lot of this. 


Mind you, it _does_ rely on CGI.pm being available.

Dave...



RE: Matt's Scripts

2001-03-14 Thread Mark Fowler


Stop, stop, this script archive is not ready yet!  Where are the Hello
world examples?  Where are the detailed instructions?  And why are you
actually working on these scripts yet!


You're all getting ahead of yourselves.  We need to write a set of
helloWorld scripts that the script user can upload first to find out the
basic facts about their server and check everything is working.

a) You have multiple copies of the script with different shebang lines on
the top.  Only one of these will work and one of the things it'll do is
print out is "The first line of programs you upload to this server should
be #!/blah/perl"

b) It checks your perl version is reasonable.  Actually it probably should
do this before a) in case there are several versions installed.

c) It tests if you've got a borken version of CGI.pm (or CGI.pm at all) by
looking at version numbers, etc.  Same for other modules.

d) It links to an image in the same directory as itself and explains that
if the image isn't viewable then you do not have inplace cgi and the
things you have to know about this

e) It prints out the time, and GMT time thus highlighting to the user any
problems they might have if this is wrong

f) It prints out a hunk of diagnostic information (e.g. perl version,
module versions, url, etc, etc)

Later.

Mark.

-- 
print "\n",map{my$a="\n"if(length$_>6);' 'x(36-length($_)/2)."$_\n$a"} (
   Name  => 'Mark Fowler',Title => 'Technology Developer'  ,
   Firm  => 'Profero Ltd',Web   => 'http://www.profero.com/'   ,
   Email => '[EMAIL PROTECTED]',   Phone => '+44 (0) 20 7700 9960'  )
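An added example, not NMS code and not Dave's ms-env, of the self-test script that Mark's a) to f) list and Piers's "interrogation phase" describe. It is written to run without CGI.pm, since whether CGI.pm is present and usable is one of the things being tested. The file names envcheck.cgi and envcheck.gif, the module list and the minimum versions are assumptions. Instead of uploading several copies with different shebang lines it reports the interpreter that actually ran it ($^X), which is by definition the path the shebang should name; getting it to run at all still means trying the ISP's documented path or a couple of common ones. It echoes only an allow-list of environment variables: a page that prints %ENV wholesale (cookies, auth headers, document root) to anyone who requests it is an information leak, and for the same reason it tells the user to delete it once they have what they need.

```perl
#!/usr/bin/perl
# envcheck.cgi: added example of the "hello world" self-test script from
# points a) to f). Not NMS code and not ms-env; file names, module list
# and minimum versions are assumptions. Deliberately does not use CGI.pm,
# because whether CGI.pm works is one of the things being checked.
use strict;
use warnings;

my $IMAGE = 'envcheck.gif';     # assumed: uploaded next to this script
my %WANT  = (                   # module => minimum version (0 = any)
    'CGI'       => '2.46',
    'Fcntl'     => 0,
    'Net::SMTP' => 0,
);
# Only these variables are echoed. Dumping all of %ENV would also hand
# cookies, auth headers and filesystem paths to anyone who finds the page.
my @SAFE_ENV = qw(SERVER_SOFTWARE SERVER_NAME SCRIPT_NAME GATEWAY_INTERFACE);

sub escape_html {
    my $s = defined $_[0] ? $_[0] : '';
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# a) The interpreter running us is the one the shebang line should name.
sub shebang_line { return "#!$^X" }

# b) $] is Perl's numeric version (5.006 is 5.6.0).
sub perl_ok { return $] >= 5.005 }

# c) Load each module inside eval so a missing or broken one is reported
#    instead of fatal. ->VERSION($min) dies if the module is too old.
#    Module names come from our own %WANT, never from the request.
sub check_module {
    my ($mod, $min) = @_;
    return "MISSING" unless eval "require $mod; 1";
    if ($min && !eval { $mod->VERSION($min); 1 }) {
        return "TOO OLD (" . ($mod->VERSION || '?') . " < $min)";
    }
    return "ok (" . ($mod->VERSION || 'unknown') . ")";
}

# e) Local and GMT clock; a wrong offset usually means a wrong TZ.
sub clocks { return (scalar localtime, scalar gmtime) }

my ($local, $gmt) = clocks();
print "Content-type: text/html\n\n";
print "<html><head><title>CGI environment check</title></head><body>\n";
print "<h1>CGI environment check</h1>\n";

print "<h2>a) Shebang line</h2><p>Start your scripts with <code>",
      escape_html(shebang_line()), "</code></p>\n";

printf "<h2>b) Perl version</h2><p>%s (%s)</p>\n", escape_html($]),
       perl_ok() ? 'ok' : 'TOO OLD, ask your ISP for a newer perl';

print "<h2>c) Modules</h2><ul>\n";
for my $mod (sort keys %WANT) {
    printf "<li>%s: %s</li>\n", escape_html($mod),
           escape_html(check_module($mod, $WANT{$mod}));
}
print "</ul>\n";

# d) The image is a static file beside this script. If it does not show,
#    the directory is a script-only cgi-bin (no in-place CGI) and static
#    files for the real scripts must live elsewhere.
print "<h2>d) In-place CGI</h2><p><img src=\"", escape_html($IMAGE),
      "\" alt=\"MISSING\"> If you see the word MISSING instead of an image, ",
      "your server does not serve ordinary files from this directory.</p>\n";

print "<h2>e) Clock</h2><p>Local: ", escape_html($local),
      "<br>GMT: ", escape_html($gmt), "</p>\n";

print "<h2>f) Diagnostics</h2><ul>\n";
printf "<li>OS: %s</li>\n", escape_html($^O);
printf "<li>Running as uid %s</li>\n", escape_html($<);
for my $k (@SAFE_ENV) {
    printf "<li>%s: %s</li>\n", $k,
           escape_html(defined $ENV{$k} ? $ENV{$k} : 'not set');
}
print "</ul>\n";
print "<p><b>Delete this script once you have what you need</b>: ",
      "everything above is just as useful to an attacker.</p>\n";
print "</body></html>\n";
```

Upload it with the image, request it once, copy the shebang line and the module results into the NMS configuration step, then remove it. It also runs from a shell (`perl envcheck.cgi`) for a quick look at what the ISP's perl has, with the CGI variables reported as "not set".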