
Strange Restrictions on FMS Export script


This topic is 5315 days old. Please don't post here. Open a new topic instead.


Hi,

In FMSA v.10, server scripts can now export records... That was good news I was waiting for.

But export file destinations in FMSA 10 are restricted to two specific destinations (and their subfolders): <Documents> and <Temporary files>.

So what if I want to export to a different folder, or even to a different server?

I note that Exporting is not subject to these restrictions using FMPro.

Have the FM developers explained why these restrictions exist on the server?

TIA

Bobbby

Link to comment
Share on other sites

Server runs in its own security bubble and does not have access to directories outside. You can export to the designated directories and then use a VBS script called by the Task Scheduler to move it elsewhere. Scheduler must use the Run as... capability to account for privileges at the target destination.

HTH

Steven

Link to comment
Share on other sites

Thanks Steven,

"Server runs in its own security bubble and does not have access to directories outside."

Do you know why it doesn't have write access to folders outside the bubble?

Is write access a security problem?

Bobbby

Link to comment
Share on other sites

I'm not a security expert, but I think this is just common sense really. You have access to the FileMaker files on the FileMaker Server machine, according to your access level. But this does not mean that you have access to other files on that server machine.

Perhaps the person who maintains the FileMaker Server machine is not you, and they don't really want you to write files anywhere you want; which you could do if FileMaker Server had access to do that, and you had scripting access to the FileMaker file.

If you are the person maintaining the FileMaker Server machine, then you should be able to give yourself file access privileges to move files from within the "bubble" to somewhere else. Yes, it would be easier to not have to do that, but FileMaker does not want to open a security hole to do so.

Link to comment
Share on other sites

Hi,

Thanks for your input.

Your comments assume that write access to a folder outside the bubble is - in itself - a security hole.

Do you have any info to back that up?

I don't see it that way.

I'd say that the bubble is a good idea to protect FMS and any data in folders it wants to protect.

A DMZ to stop bad stuff getting in.

But I don't see why the ability to write data outside of the bubble should be considered a hole.

Of course we can call it a hole because stuff is getting out.

But nothing is coming into the bubble from outside. Basically, that's my point.

And as for the VBS...

of course it can be done and it can be scheduled,

but there's no way of knowing when each file has finished being written and so the process has to be manually synchronised through trial and error.

And monitored over time to see the impact of file growth.

I thought the whole idea of scripts was to avoid doing stuff manually. It's not just a question of "easier", it's a question of daily batch automation for dozens of files.

P.S.

If we're talking about server scripts, activated by an admin, with secured access, I don't really see the logic in what you're saying. It seems to me that what you're advising is just letting FMS pass the buck to VBS. If we can trust VBS to handle permissions correctly why can't we trust FMS?

Link to comment
Share on other sites

FileMaker Server runs under Local Service. It controls all its own elements. It does not control other elements of the server necessarily. Using the Script Scheduler allows for alternate credentials. The FileMaker Server Schedules feature in the Console allows for sequencing FileMaker scripts and OS scripts.

That's pretty much the way the system works.

Steven

Link to comment
Share on other sites

"And as for the VBS...

of course it can be done and it can be scheduled,

but there's no way of knowing when each file has finished being written and so the process has to be manually synchronised through trial and error.

And monitored over time to see the impact of file growth."

No manual stuff needed. FMS has the ability to run script sequences (OS script -> FM script -> OS script).

So you can have a batch file / VBscript scheduled like that after your FM script. It wouldn't run until your exports are done so there are no timing issues.

The normal FMS runs as "local system" so anything that account has access to will be writeable to.

Other ways of doing this: use a VBscript scheduled by the regular Windows Task Manager (using any account you need) and have the VBscript monitor the FMS export folder (check for files, check for file date/times,...)

So using any of the existing tools that an admin would do you can do whatever you need happening in an automated fashion.

HTH

Wim

Link to comment
Share on other sites
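
The folder-monitoring approach described in the last reply, sketched in PowerShell rather than VBScript. This is an added example, not code from the thread: the two folder paths and the 30-second quiet period are placeholders, and the script is assumed to run from a scheduled task under a separate account that has write access to the target, so the FileMaker Server account itself never needs rights outside its export folder.

```powershell
# Added example, not from the thread. Paths and quiet period are assumptions.
param(
    [string]$ExportDir    = 'C:\FMSExports',         # placeholder: folder FMS exports into
    [string]$TargetDir    = '\\fileserver\reports',  # placeholder: destination outside it
    [int]   $QuietSeconds = 30                       # assumed settle time after last write
)
# Stop on the first error so a failed copy never leads to deleting the source.
$ErrorActionPreference = 'Stop'

function Test-ExportReady {
    param([System.IO.FileInfo]$File, [int]$QuietSeconds)

    # Skip symlinks/junctions: the mover has broader rights than FMS and must
    # not be steered to content that lives outside the export folder.
    if ($File.Attributes.HasFlag([System.IO.FileAttributes]::ReparsePoint)) { return $false }

    # Recently modified: the export may still be in progress.
    $cutoff = (Get-Date).ToUniversalTime().AddSeconds(-$QuietSeconds)
    if ($File.LastWriteTimeUtc -gt $cutoff) { return $false }

    # An exclusive open fails while another process still holds the file.
    try {
        $stream = [System.IO.File]::Open($File.FullName, 'Open', 'Read', 'None')
        $stream.Dispose()
        return $true
    } catch {
        return $false   # locked or unreadable: try again on the next run
    }
}

$moved = 0
foreach ($file in Get-ChildItem -LiteralPath $ExportDir -File) {
    if (-not (Test-ExportReady -File $file -QuietSeconds $QuietSeconds)) { continue }

    $final = Join-Path $TargetDir $file.Name
    if (Test-Path -LiteralPath $final) {
        Write-Warning "Skipping $($file.Name): already present in target"
        continue
    }
    # Copy under a temporary name, then rename, so anything reading the
    # target folder never picks up a half-copied file.
    $part = "$final.part"
    Copy-Item -LiteralPath $file.FullName -Destination $part
    Move-Item -LiteralPath $part -Destination $final
    Remove-Item -LiteralPath $file.FullName
    $moved++
}
Write-Output "Moved $moved file(s) from $ExportDir to $TargetDir"
```

Files that are still being written are left in place and picked up on the next scheduled run, so the task interval does not need to be tuned to export duration.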
