Operating System - OpenVMS

FTP restriction

Nicolau Roca

FTP restriction

Hi, I have defined a captive account with restrictions on an OpenVMS system.

Here is the exact syntax:

UAF> add MYUSER /uic=[311,2] /owner="my user name" /account=MYUSER /dev=disk$ftp /dir=[myuser] -
_UAF> /flags=(nodisuser,captive,diswelcome,disnewmail,dismail,defcli) -
_UAF> /passw=myuserpassw /remote/dialup/local/network/nobatch

My user accesses via FTP, but in addition to all OpenVMS security for captive and restricted accounts, I would like him not to be able to change to another directory from the FTP prompt (although of course he lacks any privilege for doing anything outside his sys$login directory).

I would say it's just an aesthetic matter :)

Thanks in advance

Karl Rohwedder
Honored Contributor

Re: FTP restriction

We use Hunter Goatley's HGFTP software for exactly that purpose; it may be installed in parallel to standard FTP and bound on a different port. It should be on the freeware disks.
You can define (via logical names) to what directories a user may switch.

regards Kalle
Honored Contributor

Re: FTP restriction

I am assuming you are looking for assistance with the FTP client, and not the FTP server.

If this is OpenVMS V6.2 or later and a TCP/IP stack with V6.2 capabilities is installed, then the DCL command COPY/FTP will allow you to implement exactly what you want within your captive command procedure. This rather than letting the user loose at FTP or building scripts of commands to pass into FTP utility...

With COPY/FTP, you have access to symbol substitution, and you can assemble the exact FTP command required, and then execute it not based on user input -- always a bad idea when security is involved -- but based on the CAPTIVE command procedure and its processing of user input.

COPY/FTP follows DCL norms for the COPY command, including the need to quote the remote specifications if these do not follow OpenVMS DCL file specification naming rules. At its simplest:

$ COPY/FTP x.y.z"user pass"::remspec localspec

FTP for what appears to be a password change operation (based on the filenames) would be an unusual approach. There could be other approaches available, depending on what the particular application requirements might be.
Nicolau Roca

Re: FTP restriction

My user accesses via FTP with a graphical FTP client called FileZilla, so I guess I can't use HGFTP, can I? Anyway, I'll take a look at it when I get time.

And for the same reason I think a COPY/FTP is not suitable in my case.

Yes, the DISK$FTP:[000000]FTP$CHANGEPW.COM is a simple DCL script for changing the password. My intention is that all that my user can do with a TELNET connection is changing his password, and that's why I put it on the LGICMD. Maybe not the best approach (?)
Wim Van den Wyngaert
Honored Contributor

Re: FTP restriction

Note that you can specify directories in get/put commands. So, protecting against using cd will not help you.
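
The point made in the last reply, as an added example that is not part of the thread: a confinement check has to resolve the path argument of every path-bearing FTP command, not only CWD. The sketch assumes Unix-style path syntax rather than OpenVMS file specifications; the `/myuser` root, the sample session and the function names are constructed for illustration.

```python
import posixpath

# RFC 959 (and common extension) commands whose argument is a pathname.
PATH_COMMANDS = {"CWD", "RETR", "STOR", "APPE", "DELE", "RNFR", "RNTO",
                 "MKD", "RMD", "LIST", "NLST", "SIZE", "MDTM"}

def resolve(cwd, arg):
    """Resolve a client-supplied path against the session's current directory."""
    return posixpath.normpath(posixpath.join(cwd, arg))

def inside(root, path):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit_session(commands, root):
    """Return (command_line, resolved_path) for every path that leaves root."""
    cwd, violations = root, []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "CDUP":                 # CDUP is CWD to the parent directory
            verb, arg = "CWD", ".."
        if verb not in PATH_COMMANDS or not arg:
            continue
        target = resolve(cwd, arg)
        if not inside(root, target):
            violations.append((line, target))   # would be refused; cwd unchanged
        elif verb == "CWD":
            cwd = target
    return violations

# Constructed sample session (assumption: account root is /myuser).
SAMPLE = [
    "USER myuser",
    "CWD docs",
    "RETR report.txt",
    "RETR ../../otheruser/secret.dat",   # no CWD involved, relative escape
    "STOR /otheruser/drop.txt",          # no CWD involved, absolute path
    "CWD ..",
    "CDUP",                              # would leave the root
    "RETR ./docs/../notes.txt",
]

if __name__ == "__main__":
    for line, target in audit_session(SAMPLE, "/myuser"):
        print(f"outside root: {line!r} -> {target}")
```

Two of the three flagged commands in the sample never change directory, which is why file protections on the account, not a CWD restriction, carry the real enforcement.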