topic Re: FTP restriction in Operating System - OpenVMS

FTP restriction

Nicolau Roca — Thu, 01 Feb 2007 07:16:36 GMT

Hi, I have defined a captive account with restrictions on a OpenVMS system

Here is the exact sintaxis

UAF> add MYUSER /uic=[311,2] /owner="my user name" /account=MYUSER /dev=disk$ftp /dir=[myuser] -
_UAF> /flags=(nodisuser,captive,diswelcome,disnewmail,dismail,defcli) -
_UAF> /passw=myuserpassw /remote/dialup/local/network/nobatch
/lgicmd=DISK$FTP:[000000]FTP$CHANGEPW.COM

My user access via FTP, but in addition to all OpenVMS security for captive and restricted accounts, I would like him not to be able to change to another directory from the FTP prompt (although of course he lacks any privilege for doing anything outside his sys$login directory)

I would say it's just a aesthetic matter :)

Thanks in advance

Nicolau

Re: FTP restriction

Karl Rohwedder — Thu, 01 Feb 2007 08:25:51 GMT

We use Hunter Goatley's HGFTP software for exactly that purpose, may be installed in parallel to standard FTP and bound on a different port. Should be on the freeware disks.
You can define (via logical names), to what directories a user may switch.

regards Kalle

Re: FTP restriction

Hoff — Thu, 01 Feb 2007 10:03:32 GMT

I am assuming you are looking for assistance with the FTP client, and not the FTP server.

If this is OpenVMS V6.2 or later and a TCP/IP stack with V6.2 capabilities is installed, then the DCL command COPY/FTP will allow you to implement exactly what you want within your captive command procedure. This rather than letting the user loose at FTP or building scripts of commands to pass into FTP utility...

With COPY/FTP, you have access to symbol substitution, and you can assemble the exact FTP command required, and then execute it not based on user input -- always a bad idea when security is involved -- but based on the CAPTIVE command procedure and its processing of user input.

COPY/FTP follows DCL norms for the COPY command, including the need to quote the remote specifications if these do not follow OpenVMS DCL file specification naming rules. At its simplest:

$ COPY/FTP x.y.z"user pass"::remspec localspec

FTP for what appears to be a password change operation (based on the filenames) would be an unusual approach. There could be other approaches available, depending on what the particular application requirements might be.

Re: FTP restriction

Nicolau Roca — Mon, 19 Feb 2007 08:18:48 GMT

My user accesses via FTP with a graphical FTP client called FileZilla, so I guess I can't use HGFTP, isn't it? Anyway I'll take a look at it when I got time

And for the same reason I think a COPY/FTP is not suitable in my case

Yes, the DISK$FTP:[000000]FTP$CHANGEPW.COM is a simple DCL script for changing the password. My intention is that all that my user can do with a TELNET connection is changing his password, and that's why I put it on the LGICMD. Maybe not the best approach (?)

Re: FTP restriction

Wim Van den Wyngaert — Mon, 19 Feb 2007 11:02:20 GMT

Note that you can specify directories in get/put commands. So, protecting against using cd will not help you.

Wim