Creating new user with specified permission

 
smsc_1
Regular Advisor

Hello,
I need to create a new user on OpenVMS 7.3.1 using MC AUTHORIZE.

That user should ONLY be able to get files via FTP and must be locked to its home directory...

Which is the correct permission to add to that user??

Please help!
Thanks ;)
./ Lucas
13 REPLIES
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

There are many ways to do this. In many cases, I use the ADDUSER procedure in SYS$EXAMPLES and then customize the account with that as a starting point.

As a starting point, I would set /NOINTERACTIVE, /NOBATCH, and /NOREMOTE. I would likely also make their account captive, with no ability to spawn subprocesses. I would put their login file in a different directory, protected from modification, and I would check SYS$MANAGER:SYLOGIN.COM to ensure that it is not using any files in the user's default directory for processing.

Of course, there may be additional or different requirements depending upon your individual installation.

- Bob Gezelter, http://www.rlgsc.com
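What such a restricted account record can look like when built directly with AUTHORIZE, as an added example that is not part of Bob's reply or of the ADDUSER procedure he mentions. The username FTPDAT, the UIC [202,202], the device SMSC_SYS and the directory [SMSC.TMP] are the ones used elsewhere in this thread; the login file name SYS$MANAGER:FTPDAT_LOGIN.COM and the placeholder password are assumptions. It also assumes that the TCP/IP Services FTP server logs the user in as a NETWORK-mode process, runs SYLOGIN.COM and the account's login procedure before serving commands, and accepts a captive account.

```dcl
$! Added example: FTP-only OpenVMS account with least privilege.
$! Assumed names: FTPDAT, UIC [202,202], SMSC_SYS:[SMSC.TMP],
$! login file SYS$MANAGER:FTPDAT_LOGIN.COM. Replace the password.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD FTPDAT /UIC=[202,202] /OWNER="FTP data transfer" /ACCOUNT=FTPDAT -
_UAF> /DEVICE=SMSC_SYS /DIRECTORY=[SMSC.TMP] -
_UAF> /PASSWORD="Choose-A-Real-Password" /NOPWDEXPIRED /PWDMINIMUM=12 -
_UAF> /PRIVILEGES=(NETMBX,TMPMBX) /DEFPRIVILEGES=(NETMBX,TMPMBX) -
_UAF> /NETWORK /NOINTERACTIVE /NOLOCAL /NODIALUP /NOREMOTE /NOBATCH -
_UAF> /FLAGS=(CAPTIVE,DISCTLY,DISMAIL,DISNEWMAIL,DISWELCOME) -
_UAF> /PRCLM=0 /CLI=DCL /LGICMD=SYS$MANAGER:FTPDAT_LOGIN.COM
UAF> SHOW FTPDAT
UAF> EXIT
$!
$! The login procedure lives outside the user's directory, is owned by
$! the SYSTEM account that creates it, and does nothing but return.
$! DECK/EOD lets the "$ EXIT" line be written as file content.
$ CREATE SYS$MANAGER:FTPDAT_LOGIN.COM
$ DECK
$ EXIT
$ EOD
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G:RE,W:RE) -
    SYS$MANAGER:FTPDAT_LOGIN.COM
$ DIRECTORY/SECURITY SYS$MANAGER:FTPDAT_LOGIN.COM
```

The points this record pins down: only NETMBX and TMPMBX, both authorized and default; NETWORK is the only permitted access class, so the password cannot be used at a terminal, in batch or over DECnet; /PRCLM=0 removes the ability to spawn subprocesses; and the login procedure is read-only to the account and cannot be replaced from its home directory. SHOW FTPDAT should list the Authorized and Default Privileges lines with exactly those two privileges before the account is ever handed out.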
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Thanks for the reply, but I think my question is a little simpler than your solution... :)
I already added a user with the following commands:

UAF> add FTPDAT /UIC=[202,202]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier FTPDAT value [000202,000202] added to rights database

UAF> MOD FTPDAT /Owner="FTPDAT" /Account=FTPDAT /Device=SMSC_SYS /Directory=[SMSC.TMP] /Password=FTPDAT /Nopwdexpired /Flags=Nodisus

Now that user has the following privileges:

Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX

But if I try to FTP using the FTPDAT user I get:

FTP> get trans.x
200 TYPE set to IMAGE.
200 PORT command successful.
550 insufficient privilege or file protection violation


So, I think I need to add some privileges to the FTPDAT user... But which one???

Thanks!
./ Lucas
Ken Robinson
Valued Contributor

Re: Creating new user with specified permission

Did you create the directory?

$ cre/dir SMSC_SYS:[SMSC.TMP]/own=ftpdat

Ken
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Oh Yes! Directory already created...
More Info:

I used the list of privileges of another (super) user and now FTP works. The privileges are:

CMKRNL,GRPNAM,IMPERSONATE,LOG_IO,NETMBX,OPER,PHY_IO,PRMGBL,PSWAPM,READALL,SYSGBL,SYSLCK,SYSNAM,SYSPRV,TMPMBX,WORLD

So I think one of these gives the FTP transfer privilege... But which??
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

Please turn off all of those extra privileges.

The most likely problem is that some file is protected. Turning ON all of those privileges has created an account that can compromise the integrity of your system.

All that an account needs, in the technical sense, to do an FTP connection is NETMBX and TMPMBX. The rest is governed by the files used in the process.

Take a look at the OpenVMS Guide to System Security, and read the information about enabling auditing on file accesses. Most likely, a predecessor or colleague has protected some files, possibly more than should have been done.

The Audit alarms can be used to identify precisely which file(s) are at issue, and the protection can be examined.

- Bob Gezelter, http://www.rlgsc.com
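The auditing approach Bob describes, as an added example that is not part of his reply. It assumes the FTPDAT account and the SMSC_SYS:[SMSC.TMP]TRANS.X file from this thread, and that it is run from a SYSTEM account holding the SECURITY privilege needed for SET AUDIT and for reading the audit journal.

```dcl
$! Added example: find the object whose protection rejects FTPDAT by
$! auditing read failures, then inspect it and switch auditing off.
$! Assumed names: FTPDAT, SMSC_SYS:[SMSC.TMP]TRANS.X.
$!
$! Option 1, broad: audit every failed file read on the system for
$! the few minutes needed to reproduce the problem.
$ SET AUDIT/AUDIT/ENABLE=ACCESS=(FAILURE:READ)/CLASS=FILE
$!
$! Option 2, narrow: an audit ACE on the one file, which fires only
$! when READ or EXECUTE on that file fails. Needs the ACL class on.
$ SET AUDIT/AUDIT/ENABLE=ACL
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+EXECUTE+FAILURE) -
    SMSC_SYS:[SMSC.TMP]TRANS.X
$!
$! Now reproduce the failing "FTP> get trans.x" from the FTPDAT account.
$!
$! Read the journal back, restricted to that username.
$ ANALYZE/AUDIT/FULL/SINCE=TODAY/EVENT_TYPE=ACCESS -
    /SELECT=USERNAME=FTPDAT SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! The record names the object that refused access. Check it and
$! each directory on the path; a GET needs EXECUTE on every directory
$! file it passes through, not only READ on the data file.
$ DIRECTORY/SECURITY SMSC_SYS:[000000]SMSC.DIR
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC]TMP.DIR
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC.TMP]TRANS.X
$!
$! Remove the extra auditing again once the cause is known.
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+EXECUTE+FAILURE)/DELETE -
    SMSC_SYS:[SMSC.TMP]TRANS.X
$ SET AUDIT/AUDIT/DISABLE=ACCESS=(FAILURE:READ)/CLASS=FILE
```

The audit record, not trial and error with privileges, is what tells you which object to fix: in this thread the refusing object turned out to be a directory file owned by a different user, which is exactly the kind of thing the DIRECTORY/SECURITY lines above make visible.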
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Oops! :(
The owner of the directory was another user... So...

Adding NETMBX and TMPMBX as privileges is enough for FTP transfer...

The above privileges permit the "ftpdat user" to override the directory owner, but which privilege does that??
./ Lucas
smsc_1
Regular Advisor

Re: Creating new user with specified permission


First of all thanks @ all... :)

Tried them one by one, and the correct privilege was: SYSPRV

Now I need to LOCK that user in the HOME DIRECTORY... How can I do that?
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

SYSPRV should be removed also. It effectively allows a user to go around ALL security restrictions.

If the directory is named :[XYZ], then the command to reset the ownership of the directory is:

SET FILE/OWNER= :[000000]XYZ.DIR

Then do a DIRECTORY/SECURITY on the file. The protections should probably be:
SYSTEM: RWED
OWNER: RWED
GROUP: 0
WORLD: 0

- Bob Gezelter, http://www.rlgsc.com
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

There is no direct way to prevent them from changing directory with the CD command.

What must be ensured is that they are not able to read anything on the system. This generally means ensuring that all files have no WORLD access (presuming that the restricted user is in a separate Group).

- Bob Gezelter, http://www.rlgsc.com
Karl Rohwedder
Honored Contributor

Re: Creating new user with specified permission

You may use the alternate FTP server HGFTP (found on the freeware CDs available via the OpenVMS homepage). This server may run in parallel to the standard FTP server (using a different port).
It allows you to specify exactly the directories any given FTP user may set default into. You may also limit the available commands for a user.

regards Kalle
smsc_1
Regular Advisor

Re: Creating new user with specified permission


Thanks Robert (and thanks to all!!)...

I just changed the file's owner and the file's security and now the new user can only get the specified file.

You guys saved my life! :D

Thread can be closed, thanks again to all....
./ Lucas
Robert Gezelter
Honored Contributor

Re: Creating new user with specified permission

smsc,

My pleasure!

The thread has to be closed by the user who opened it.

The thread originator is also responsible for awarding points for useful answers.

- Bob Gezelter, http://www.rlgsc.com
DECxchange
Regular Advisor

Re: Creating new user with specified permission

Hello,
For your FTPDAT account, you can add an identifier in AUTHORIZE and then set the file ownerships to that identifier, FTPDAT. You would do this for the login directory and the files contained therein.

E.g.,
$ mcr authorize

or

$ set def sys$system
$ run authorize

UAF> add/ident/value=uic:[x,y] ftpdat
UAF> show ftpdat
The UAF record will now show that your particular UIC [x,y] is equated to the identifier FTPDAT (or whatever you want your identifier to be called).
UAF> mod ftpdat /flags=(captive,restricted)

Then,

$ set file/own=FTPDAT ftpdat.dir
$ set file/own=FTPDAT [ftpdat]*.*;*

$ set prot=(w:r) ftpdat.dir
$ set prot=(w:r) [ftpdat]*.*;*
$ dir/prot/own ftpdat.dir
$ dir/prot/own [ftpdat]*.*;*

Be sure you use the correct disc drive specification.

If you do this, you will have the utmost protection on this account. If you do all this, you will have FREAKY security on THIS ACCOUNT!
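The ownership-and-protection setup that both Bob's SET FILE/OWNER reply and the post above describe, as an added example that is not part of either post. It assumes the thread's SMSC_SYS:[SMSC.TMP] directory, the TRANS.X file, and the FTPDAT identifier that AUTHORIZE created together with UIC [202,202]. It deliberately differs from both posts in one respect: the directory is left owned by SYSTEM and access is granted by ACE, because in OpenVMS the owner of an object always holds CONTROL access and could change the protection of a directory it owns. Nothing here requires any privilege beyond NETMBX and TMPMBX on the FTPDAT account.

```dcl
$! Added example: let FTPDAT read one directory and one file, with
$! no privilege on the account beyond NETMBX and TMPMBX.
$! Assumed names: SMSC_SYS:[SMSC.TMP], TRANS.X, identifier FTPDAT.
$!
$! 1. Ownership stays with SYSTEM. The owner category always has
$!    CONTROL access, so an account that owned its directory could
$!    reset the protection on it.
$ SET FILE/OWNER_UIC=[SYSTEM] SMSC_SYS:[SMSC]TMP.DIR
$ SET FILE/OWNER_UIC=[SYSTEM] SMSC_SYS:[SMSC.TMP]TRANS.X
$!
$! 2. UIC-based protection: nothing for group or world. FTPDAT is in
$!    group 202, not the SYSTEM group, so it matches neither S nor O.
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SMSC_SYS:[SMSC]TMP.DIR
$ SET SECURITY/PROTECTION=(S:RWED,O:RWED,G,W) SMSC_SYS:[SMSC.TMP]TRANS.X
$!
$! 3. Grant by ACE exactly what a GET needs: EXECUTE on each directory
$!    on the path (look up by name), READ+EXECUTE on the data directory
$!    (list and look up), READ on the file.
$ SET SECURITY/ACL=(IDENTIFIER=FTPDAT,ACCESS=EXECUTE) SMSC_SYS:[000000]SMSC.DIR
$ SET SECURITY/ACL=(IDENTIFIER=FTPDAT,ACCESS=READ+EXECUTE) SMSC_SYS:[SMSC]TMP.DIR
$ SET SECURITY/ACL=(IDENTIFIER=FTPDAT,ACCESS=READ) SMSC_SYS:[SMSC.TMP]TRANS.X
$!
$! 4. Verify: owner SYSTEM, no G or W bits, and only the ACEs above.
$ DIRECTORY/SECURITY SMSC_SYS:[000000]SMSC.DIR
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC]TMP.DIR
$ DIRECTORY/SECURITY SMSC_SYS:[SMSC.TMP]*.*;*
$!
$! 5. Files placed in the directory later get no ACE from it unless a
$!    DEFAULT ACE is present. Leaving it out means every new file is
$!    unreadable to FTPDAT until granted explicitly; add the line
$!    below only if every file dropped there is meant to be fetched.
$! SET SECURITY/ACL=(IDENTIFIER=FTPDAT,OPTIONS=DEFAULT,ACCESS=READ) -
$!     SMSC_SYS:[SMSC]TMP.DIR
```

With this in place the account can list [SMSC.TMP], fetch TRANS.X, and do nothing else: it cannot write, delete or change protection there, and any WORLD-readable file elsewhere on the system remains reachable to it only through the CD limitation Bob points out, which is why the thread's advice to remove WORLD access from everything the account should not see still applies.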