topic Re: Creating new user with specified permission in Operating System - OpenVMS

Creating new user with specified permission

smsc_1 — Mon, 19 Nov 2007 09:12:14 GMT

Hello,
I need to create a new user on OpenVMS 7.3.1 using MC AUTHORIZE.

That user can be ONLY get file via FTP and must be locked to home directory...

Witch is the correct permission to add to that user??

Please help!
Thanks ;)

Re: Creating new user with specified permission

Robert Gezelter — Mon, 19 Nov 2007 09:55:22 GMT

smsc,

There are many ways to do this. In many cases, I use the ADDUSER procedure in SYS$EXAMPLES and then customize the account with that as a starting point.

As a starting point, I would set /NOINTERACTIVE and /NOINTERACTIVE, /NOBATCH, and /NOREMOTE. I would likely also make their account captive, with no ability to spawn subprocesses. I would put their login file in a different directory, protected from modification, and I would check SYS$MANAGER:SYLOGIN.COM to ensure that it is not using any files in the user's default directory for processing.

Of course, there may be additional or different requirements depending upon your individual installation.

- Bob Gezelter, http://www.rlgsc.com

Re: Creating new user with specified permission

smsc_1 — Mon, 19 Nov 2007 10:03:59 GMT

Thanks for reply, but I think my question is a little bit simple than your solution... :)
I already added an user with following commands:

UAF> add FTPDAT /UIC=[202,202]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier FTPDAT value [000202,000202] added to rights database

UAF> MOD FTPDAT /Owner="FTPDAT" /Account=FTPDAT /Device=SMSC_SYS /Directory=[SMSC.TMP] /Password=FTPDAT /Nopwdexpired /Flags=Nodisus

Now that user has following privileges:

Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX

But if I try to FTP using FTPDAT user I got:

FTP> get trans.x
200 TYPE set to IMAGE.
200 PORT command successful.
550 insufficient privilege or file protection violation

So, I think I need to add some provileges to FTPDAT user... But Witch one???

Thanks!

Re: Creating new user with specified permission

Ken Robinson — Mon, 19 Nov 2007 10:16:25 GMT

Did you create the directory?

$ cre/dir SMSC_SYS:[SMSC.TMP]/own=ftpdat

Ken

Re: Creating new user with specified permission

smsc_1 — Mon, 19 Nov 2007 10:30:09 GMT

Oh Yes! Directory already created...
More Info:

I used a list of privileges of other (super) user and now FTP works. Privileges are:

CMKRNL,GRPNAM,IMPERSONATE,LOG_IO,NETMBX,OPER,PHY_IO,PRMGBL,PSWAPM,READALL,SYSGBL,SYSLCK,SYSNAM,SYSPR
V,TMPMBX,WORLD

So I think one of these give FTP transfer privilege... But what??

Re: Creating new user with specified permission

Robert Gezelter — Mon, 19 Nov 2007 10:44:12 GMT

smsc,

Please turn off all of those extra privileges.

The most likely problem that the account is that some file is protected. Turning ON all of those privileges has created an account that can compromise the integrity of your system.

All that an account needs, in the technical sense, to do an FTP connection is NETMBX and TMPMBX. The rest is governed by the files used in the process.

Take a look at the OpenVMS Guide to System Security, and read the information about enabling auditing on file accesses. Most likely, a predecessor or colleague has protected some files, possibly more than should have been done.

The Audit alarms can be used to identify precisely which file(s) are at issue, and the protection can be examined.

- Bob Gezelter, http://www.rlgsc.com

Re: Creating new user with specified permission

smsc_1 — Mon, 19 Nov 2007 10:50:32 GMT

Ops! :(
Owner of directory was other user... So...

Adding NETMBX and TMPMBX as privilegs is enought for FTP transfer...

Above privileges permits to "ftpdat user" to override directory owner, but what's the privileges for that??

Re: Creating new user with specified permission

smsc_1 — Mon, 19 Nov 2007 11:06:26 GMT

First of all thanks @ all... :)

Tried one by one, and the correct privileges was: SYSPRV

No I need to LOCK that user in HOME DIRECTORY... How I can perform that?

Re: Creating new user with specified permission

Robert Gezelter — Mon, 19 Nov 2007 12:13:24 GMT

smsc,

SYSPRV should be removed also. It effectively allows a user to go around ALL security restrictions.

If the directory is named :[XYZ], then the command to reset the ownership of the directory is:

SET FILE/OWNER= :[000000]XYZ.DIR

Then do a DIRECTORY/SECURITY on the file. The protections should probably be:
SYSTEM: RWED
OWNER: RWED
GROUP: 0
WORLD: 0

- Bob Gezelter, http://www.rlgsc.com

Re: Creating new user with specified permission

Robert Gezelter — Mon, 19 Nov 2007 12:22:43 GMT

smsc,

There is no direct way to prevent them from changing directory with the CD command.

What must be ensured is that they are not able to read anything on the system. This generally means ensuring that all files have no WORLD access (presuming that the restricted user is in a separate Group).

- Bob Gezelter, http://www.rlgsc.com

Re: Creating new user with specified permission

Karl Rohwedder — Mon, 19 Nov 2007 13:13:28 GMT

You may use the alternate FTP server HGFTP (found on the freeware CD's available via OpenVMS homepage). This server mays run in parallel to the standard FTP server (using a different port).
It allows to specify exactly the directories any given FTP user may set default into. You may also limit the available commands for a user.

regards Kalle

Re: Creating new user with specified permission

smsc_1 — Tue, 20 Nov 2007 08:35:01 GMT

Thanks Robert (and thanks to all!!)...

Just change file's owner and file's security and now new user can only get specified file.

You guys save my life! :D

Thread can be closed, thanks again to all....

Re: Creating new user with specified permission

Robert Gezelter — Tue, 20 Nov 2007 11:40:41 GMT

smsc,

My pleasure!

The thread has to be closed by the user who opened it.

The thread originator is also responsible for awarding points for useful answers.

- Bob Gezelter, http://www.rlgsc.com

Re: Creating new user with specified permission

DECxchange — Tue, 20 Nov 2007 20:45:27 GMT

Hello,
For your FTPDAT account, you can add an Identifier in AUTHORIZE and then set the file ownerships to that identifier, FTPDAT. You would do this to the login directory and files contained therein.

E.g.,
$ mcr authorize

or

$ set def sys$system
$ run authorize

UAF> add/ident/value=uic:[x,y] ftpdat
UAF> show ftpdat
The uaf record will now show that your particular UIC [x,y] is equated to identifier FTPDAT (or whatever you want your identifier to be called).
UAF> mod ftpdat /flags=(captive,restricted)

Then,

$ set file/own=FTPDAT ftpdat.dir
$ set file/own=FTPDAT [ftpdat]*.*;*

$ set prot=(w:r) ftpdat.dir
$ set prot=(w:r) [ftpdir]*.*;*
$ dir/prot/own ftpdir.dir
$ dir/prot/own[ftpdir]

Be sure you use the correct disc drive specification.

If you do this, you will have the utmost protection on this account. If you do all this, you will have FREAKY security on THIS ACCOUNT!