FTP

 
Gary_167
Advisor

FTP

Hello, does anyone know of a way to confine FTP users to the directory that is predefined for them, keeping them from moving around in TCP/IP 5.4? In Multinet this is done with a define/sys MULTINET_userdir_FTP_DIRECTORY username:[userdir]. Is there similar functionality in TCP/IP?
Ian Miller.
Honored Contributor

Re: FTP

You could use the NETWORK identifier, which is granted to network processes, to deny access using an ACL.

(ID=NETWORK, ACCESS=NONE) sort of thing
____________________
Purely Personal Opinion
Gary_167
Advisor

Re: FTP

In UAF? Will the user still be able to put files in their default dir?
John Gillings
Honored Contributor

Re: FTP

Gary,

For ANONYMOUS FTP, you can limit which directories are accessible by defining the /SYSTEM/EXEC logical name TCPIP$FTP_ANONYMOUS_DIRECTORY. It's a search list containing the names of directories which may be accessed. Indeed, you MUST define this logical name to grant anonymous access to directories other than the default.

For FTP connections which use a valid username/password, those users should have access to any file(s) they would "normally" have access to if logged in interactively. For most purposes it doesn't make sense to limit access just for FTP connections. Consider, I could just log in, copy whatever file I wanted to my home directory and then FTP to copy it from there (or, just make an *outbound* FTP connection and push the file without having to make a local copy).

However, if you really want to, you can protect any object with an ACL that prevents FTP connections from access, but grants access from non-network connections. As Ian suggested, all FTP (and other "network" class processes) hold the NETWORK identifier, which can be used to block access:

$ SET SECURITY/ACL=(IDENTIFIER=NETWORK,ACCESS=NONE) somefile.dat

If you want to be able to limit only some users, then create a general identifier (say FTP_RESTRICT) and grant that to users you want to restrict. Then use

$ SET SECURITY/ACL=(IDENTIFIER=NETWORK+FTP_RESTRICT,ACCESS=NONE) somefile.dat

Note that this will affect ALL network accesses (for example, including DECnet accesses). If you want to limit ONLY FTP connections, you can do that too, but it's a bit more complex. Write a program which grants an identifier (hardcoded) to the process which runs it and INSTALL it with privilege. RUN the program in SYLOGIN.COM for any process with a name starting with "TCPIP$FTPC", then protect objects from access by processes holding that identifier.

The possibilities are endless. All you need to do is precisely define your access requirements. There will always be a way to implement them using some combination of identifiers, ACLs and login processing.
A crucible of informative mistakes
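As an added illustration of the identifier-plus-ACL approach John describes above (this is not code from the thread), the DCL below walks through creating the general identifier, granting it to one user, and denying network-class access to that user's files. The username SMITH, the file PAYROLL.DAT and the identifier name FTP_RESTRICT are all assumed example names.

```dcl
$! Added example, not from the original thread.
$! Goal: SMITH keeps full access when logged in interactively, but any
$! network-class process (FTP, DECnet, ...) acting as SMITH is denied.
$!
$! 1. Create the general identifier and grant it to the user to restrict.
$!    Running AUTHORIZE needs SYSPRV (or write access to SYSUAF/RIGHTSLIST).
$!    The identifier is added to the process rights list at login, so a
$!    session that is already open will not hold it until it logs in again.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER FTP_RESTRICT
GRANT/IDENTIFIER FTP_RESTRICT SMITH
EXIT
$!
$! 2. Deny access only when the accessing process holds BOTH identifiers:
$!    NETWORK (granted to every network-class process) and FTP_RESTRICT
$!    (granted only to the users you chose). Interactive logins by SMITH
$!    do not hold NETWORK, so they are unaffected.
$ SET SECURITY/ACL=(IDENTIFIER=NETWORK+FTP_RESTRICT,ACCESS=NONE) -
        [SMITH]PAYROLL.DAT
$!
$! 3. Put a DEFAULT ACE on the directory file so that files SMITH creates
$!    there later inherit the same restriction automatically.
$ SET SECURITY/ACL=(IDENTIFIER=NETWORK+FTP_RESTRICT,OPTIONS=DEFAULT,ACCESS=NONE) -
        [000000]SMITH.DIR
$!
$! 4. Verify: the ACL should list the NETWORK+FTP_RESTRICT ACE.
$ SHOW SECURITY [SMITH]PAYROLL.DAT
$ SHOW SECURITY [000000]SMITH.DIR
```

The DEFAULT ACE in step 3 applies to files created in the directory after it is set; files that already exist there still need the ACE from step 2 applied individually (or with a wildcard file specification). As John notes, this blocks every network-class access for the restricted users, not just FTP; separating FTP from other network access needs the SYLOGIN.COM-based identifier trick he outlines, which is not shown here.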
Martin P.J. Zinser
Honored Contributor

Re: FTP

Hi,

one possibility is to rip out the FTP service that comes with HP's TCP/IP and replace it with Hunter Goatley's excellent HGFTP, which does allow restricting access using logicals.

For more information and a pointer to the manual check

http://zinser.no-ip.info/vms/sw/hgftp.htmlx

Greetings, Martin
Antoniov.
Honored Contributor

Re: FTP

Adding some info to John's post, remember you can modify SYLOGIN.COM and/or LOGIN.COM selecting access using the f$mode function; example:
$ IF F$MODE() .EQS. "NETWORK"
$ THEN
$ ! here only access by FTP and DECnet
$ ENDIF

Antonio Vigliotti
Antonio Maria Vigliotti