11-19-2007 01:12 AM
Creating new user with specified permission
Hello,
I need to create a new user on OpenVMS 7.3.1 using MC AUTHORIZE.
That user must ONLY be able to get files via FTP and must be locked to the home directory...
Which is the correct permission to add to that user??
Please help!
Thanks ;)
11-19-2007 01:55 AM
Re: Creating new user with specified permission
There are many ways to do this. In many cases, I use the ADDUSER procedure in SYS$EXAMPLES and then customize the account with that as a starting point.
As a starting point, I would set /NOINTERACTIVE, /NOBATCH, and /NOREMOTE. I would likely also make their account captive, with no ability to spawn subprocesses. I would put their login file in a different directory, protected from modification, and I would check SYS$MANAGER:SYLOGIN.COM to ensure that it is not using any files in the user's default directory for processing.
Of course, there may be additional or different requirements depending upon your individual installation.
- Bob Gezelter, http://www.rlgsc.com
11-19-2007 02:03 AM
Re: Creating new user with specified permission
Thanks for the reply, but I think my question is a little bit simpler than your solution... :)
I already added a user with the following commands:
UAF> add FTPDAT /UIC=[202,202]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier FTPDAT value [000202,000202] added to rights database
UAF> MOD FTPDAT /Owner="FTPDAT" /Account=FTPDAT /Device=SMSC_SYS /Directory=[SMSC.TMP] /Password=FTPDAT /Nopwdexpired /Flags=Nodisus
Now that user has following privileges:
Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX
But if I try to FTP using FTPDAT user I got:
FTP> get trans.x
200 TYPE set to IMAGE.
200 PORT command successful.
550 insufficient privilege or file protection violation
So, I think I need to add some privileges to the FTPDAT user... But which one???
Thanks!
11-19-2007 02:16 AM
Re: Creating new user with specified permission
$ cre/dir SMSC_SYS:[SMSC.TMP]/own=ftpdat
Ken
11-19-2007 02:30 AM
Re: Creating new user with specified permission
Oh Yes! Directory already created...
More Info:
I used the list of privileges of another (super) user and now FTP works. The privileges are:
CMKRNL,GRPNAM,IMPERSONATE,LOG_IO,NETMBX,OPER,PHY_IO,PRMGBL,PSWAPM,READALL,SYSGBL,SYSLCK,SYSNAM,SYSPRV,TMPMBX,WORLD
So I think one of these gives the FTP transfer privilege... But which??
11-19-2007 02:44 AM
Re: Creating new user with specified permission
Please turn off all of those extra privileges.
The most likely problem with the account is that some file is protected. Turning ON all of those privileges has created an account that can compromise the integrity of your system.
All that an account needs, in the technical sense, to do an FTP connection is NETMBX and TMPMBX. The rest is governed by the files used in the process.
Take a look at the OpenVMS Guide to System Security, and read the information about enabling auditing on file accesses. Most likely, a predecessor or colleague has protected some files, possibly more than should have been done.
The Audit alarms can be used to identify precisely which file(s) are at issue, and the protection can be examined.
- Bob Gezelter, http://www.rlgsc.com
11-19-2007 02:50 AM
Re: Creating new user with specified permission
Oops! :(
The owner of the directory was another user... So...
Adding NETMBX and TMPMBX as privileges is enough for FTP transfer...
The above privileges permit the "ftpdat user" to override the directory owner, but which is the privilege for that??
11-19-2007 03:06 AM
Re: Creating new user with specified permission
First of all thanks @ all... :)
Tried them one by one, and the correct privilege was: SYSPRV
Now I need to LOCK that user in the HOME DIRECTORY... How can I do that?
11-19-2007 04:13 AM
Re: Creating new user with specified permission
SYSPRV should be removed also. It effectively allows a user to go around ALL security restrictions.
If the directory is named
SET FILE/OWNER=
Then do a DIRECTORY/SECURITY on the file. The protections should probably be:
SYSTEM: RWED
OWNER: RWED
GROUP: 0
WORLD: 0
- Bob Gezelter, http://www.rlgsc.com
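Added example, not part of any poster's reply: a simplified Python model of the OpenVMS UIC-based protection check, showing why the transfer failed while another user owned the directory, why SYSPRV made it work, and why correcting the owner is the right fix. It ignores ACLs and volume ownership; the previous owner's UIC, the [1,4] file and the directory's original protection mask are constructed assumptions.

```python
from dataclasses import dataclass

MAXSYSGROUP = 0o10  # default SYSGEN value; UIC groups at or below it count as "system"

@dataclass(frozen=True)
class User:
    group: int
    member: int
    privs: frozenset

@dataclass(frozen=True)
class Obj:
    group: int   # owner UIC group
    member: int  # owner UIC member
    prot: dict   # category letter -> allowed access letters

def categories(u, o):
    """Return the UIC protection categories the user falls into for this object."""
    cats = {"W"}
    same_group = u.group == o.group
    if same_group:
        cats.add("G")
    if same_group and u.member == o.member:
        cats.add("O")
    if (u.group <= MAXSYSGROUP or "SYSPRV" in u.privs
            or (same_group and "GRPPRV" in u.privs)):
        cats.add("S")
    return cats

def allowed(u, o, access):
    """Access is granted if a bypassing privilege or any matching category allows it."""
    if "BYPASS" in u.privs or (access == "R" and "READALL" in u.privs):
        return True
    return any(access in o.prot.get(c, "") for c in categories(u, o))

PROT = {"S": "RWED", "O": "RWED", "G": "", "W": ""}  # mask suggested in the thread
BASE = frozenset({"NETMBX", "TMPMBX"})
ftpdat = User(0o202, 0o202, BASE)
ftpdat_sysprv = User(0o202, 0o202, BASE | {"SYSPRV"})
dir_other_owner = Obj(0o100, 0o1, PROT)      # constructed: directory owned by someone else
dir_ftpdat_owner = Obj(0o202, 0o202, PROT)   # after the owner is changed to FTPDAT
system_file = Obj(0o1, 0o4, PROT)            # constructed: unrelated file owned by [1,4]

def scenario():
    return {
        "wrong owner, NETMBX+TMPMBX": allowed(ftpdat, dir_other_owner, "R"),
        "wrong owner, +SYSPRV": allowed(ftpdat_sysprv, dir_other_owner, "R"),
        "+SYSPRV, write system file": allowed(ftpdat_sysprv, system_file, "W"),
        "right owner, NETMBX+TMPMBX": allowed(ftpdat, dir_ftpdat_owner, "R"),
        "right owner, read system file": allowed(ftpdat, system_file, "R"),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:32} {'granted' if ok else 'denied'}")
```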
11-19-2007 04:22 AM
Re: Creating new user with specified permission
There is no direct way to prevent them from changing directory with the CD command.
What must be ensured is that they are not able to read anything on the system. This generally means ensuring that all files have no WORLD access (presuming that the restricted user is in a separate Group).
- Bob Gezelter, http://www.rlgsc.com