Re: Creating new user with specified permission

 
smsc_1
Regular Advisor

Creating new user with specified permission


Hello,
I need to create a new user on OpenVMS 7.3.1 using MC AUTHORIZE.

That user must ONLY be able to get files via FTP and must be locked to the home directory...

Which is the correct permission to add to that user??

Please help!
Thanks ;)
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

There are many ways to do this. In many cases, I use the ADDUSER procedure in SYS$EXAMPLES and then customize the account with that as a starting point.

As a starting point, I would set /NOINTERACTIVE and /NOINTERACTIVE, /NOBATCH, and /NOREMOTE. I would likely also make their account captive, with no ability to spawn subprocesses. I would put their login file in a different directory, protected from modification, and I would check SYS$MANAGER:SYLOGIN.COM to ensure that it is not using any files in the user's default directory for processing.

Of course, there may be additional or different requirements depending upon your individual installation.

- Bob Gezelter, http://www.rlgsc.com
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Thanks for the reply, but I think my question is a little bit simpler than your solution... :)
I already added a user with the following commands:

UAF> add FTPDAT /UIC=[202,202]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier FTPDAT value [000202,000202] added to rights database

UAF> MOD FTPDAT /Owner="FTPDAT" /Account=FTPDAT /Device=SMSC_SYS /Directory=[SMSC.TMP] /Password=FTPDAT /Nopwdexpired /Flags=Nodisus

Now that user has following privileges:

Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX

But if I try to FTP using FTPDAT user I got:

FTP> get trans.x
200 TYPE set to IMAGE.
200 PORT command successful.
550 insufficient privilege or file protection violation


So, I think I need to add some privileges to the FTPDAT user... But which one???

Thanks!
./ Lucas
Ken Robinson
Valued Contributor

Re: Creating new user with specified permission

Did you create the directory?

$ cre/dir SMSC_SYS:[SMSC.TMP]/own=ftpdat

Ken
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Oh Yes! Directory already created...
More Info:

I used a list of privileges of other (super) user and now FTP works. Privileges are:

CMKRNL,GRPNAM,IMPERSONATE,LOG_IO,NETMBX,OPER,PHY_IO,PRMGBL,PSWAPM,READALL,SYSGBL,SYSLCK,SYSNAM,SYSPRV,TMPMBX,WORLD

So I think one of these gives the FTP transfer privilege... But which??
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

Please turn off all of those extra privileges.

The most likely problem with the account is that some file is protected. Turning ON all of those privileges has created an account that can compromise the integrity of your system.

All that an account needs, in the technical sense, to do an FTP connection is NETMBX and TMPMBX. The rest is governed by the files used in the process.

Take a look at the OpenVMS Guide to System Security, and read the information about enabling auditing on file accesses. Most likely, a predecessor or colleague has protected some files, possibly more than should have been done.

The Audit alarms can be used to identify precisely which file(s) are at issue, and the protection can be examined.

- Bob Gezelter, http://www.rlgsc.com
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Oops! :(
The owner of the directory was another user... So...

Adding NETMBX and TMPMBX as privileges is enough for the FTP transfer...

The above privileges permit the "ftpdat" user to override the directory owner, but which privilege is that??
./ Lucas
smsc_1
Regular Advisor

Re: Creating new user with specified permission


First of all thanks @ all... :)

Tried them one by one, and the correct privilege was: SYSPRV

Now I need to LOCK that user in the HOME DIRECTORY... How can I do that?
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

SYSPRV should be removed also. It effectively allows a user to go around ALL security restrictions.

If the directory is named :[XYZ], then the command to reset the ownership of the directory is:

SET FILE/OWNER= :[000000]XYZ.DIR

Then do a DIRECTORY/SECURITY on the file. The protections should probably be:
SYSTEM: RWED
OWNER: RWED
GROUP: 0
WORLD: 0

- Bob Gezelter, http://www.rlgsc.com
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

There is no direct way to prevent them from changing directory with the CD command.

What must be ensured is that they are not able to read anything on the system. This generally means ensuring that all files have no WORLD access (presuming that the restricted user is in a separate Group).

- Bob Gezelter, http://www.rlgsc.com
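As an added example (not from the original thread or any of its posters), the following DCL command procedure pulls together Bob's advice from the two posts above: an account with only NETMBX and TMPMBX, no interactive/batch/remote/dialup access, a captive login file kept outside the user's directory, a home directory owned by the account's UIC with no GROUP or WORLD access, and a file-access audit to locate any remaining protection failures. The UIC, device, directory and username come from the thread; the password value and the login-file path SYS$MANAGER:FTPDAT_LOGIN.COM are placeholders I chose.

```dcl
$ ! Run from a privileged (SYSTEM) process. SYSPRV is needed to modify
$ ! SYSUAF and to change ownership of a directory owned by another user.
$ SET PROCESS/PRIVILEGES=(SYSPRV)
$ !
$ ! 1. Create the account with the minimum privileges FTP needs
$ !    (NETMBX, TMPMBX) and no other login classes than NETWORK.
$ !    /FLAGS=CAPTIVE plus DISCTLY means the user can only run the
$ !    login file named by /LGICMD, which lives outside the home directory
$ !    so the user cannot modify it.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD FTPDAT /UIC=[202,202] /OWNER="FTPDAT" /ACCOUNT=FTPDAT -
    /DEVICE=SMSC_SYS /DIRECTORY=[SMSC.TMP] -
    /PASSWORD=CHANGEME_PLACEHOLDER /PWDEXPIRED -
    /PRIVILEGES=(NETMBX,TMPMBX) /DEFPRIVILEGES=(NETMBX,TMPMBX) -
    /NOINTERACTIVE /NOBATCH /NOREMOTE /NODIALUP /NOLOCAL /NETWORK -
    /FLAGS=(CAPTIVE,DISCTLY,DISMAIL,DISNEWMAIL,DISWELCOME) -
    /LGICMD=SYS$MANAGER:FTPDAT_LOGIN.COM
EXIT
$ !
$ ! 2. Home directory: owned by the account's UIC, readable and writable
$ !    only by SYSTEM and OWNER. If the directory already exists but is
$ !    owned by someone else (the situation in the thread), fix it with
$ !    SET FILE/OWNER_UIC instead of granting SYSPRV to the user.
$ IF F$SEARCH("SMSC_SYS:[SMSC]TMP.DIR") .EQS. ""
$ THEN
$     CREATE/DIRECTORY/OWNER_UIC=[202,202] -
          /PROTECTION=(S:RWED,O:RWED,G,W) SMSC_SYS:[SMSC.TMP]
$ ELSE
$     SET FILE/OWNER_UIC=[202,202] SMSC_SYS:[SMSC]TMP.DIR
$     SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SMSC_SYS:[SMSC]TMP.DIR
$ ENDIF
$ !
$ ! Files placed in the directory for download must carry the same
$ ! ownership and protection, or the 550 error from the thread returns.
$ IF F$SEARCH("SMSC_SYS:[SMSC.TMP]*.*;*") .NES. ""
$ THEN
$     SET FILE/OWNER_UIC=[202,202] SMSC_SYS:[SMSC.TMP]*.*;*
$     SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SMSC_SYS:[SMSC.TMP]*.*;*
$ ENDIF
$ !
$ ! 3. Verify what the account will actually see.
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC]TMP.DIR
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC.TMP]*.*;*
$ !
$ ! 4. If a transfer still fails, audit failed file accesses rather than
$ !    adding privileges; the alarm names the exact file that is blocking.
$ SET AUDIT/ALARM/ENABLE=ACCESS=(FAILURE:ALL)/CLASS=FILE
$ EXIT
```

Because FTP is a NETWORK-class login, /NONETWORK must not be set; the other login classes are disabled so the account cannot be used for anything but the FTP session.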