Operating System - OpenVMS

Re: OpenVMS Captive FTP account directory

 
SOLVED
Kyle Snavely_1
Advisor

OpenVMS Captive FTP account directory

Has anyone ever created a captive FTP account in such a way that when a user ftps in, it keeps them restricted to their home directory, not allowing them to cd/set def up a level or to another disk? Similar to the way the anonymous ftp account works. I'm running TCP/IP Services 5.3.

Thanks
13 REPLIES
John Gillings
Honored Contributor
Solution

Re: OpenVMS Captive FTP account directory

Kyle,

"not allowing" CD is tricky, but denying access to any files once they're there is easier.

You could create an identifier (say) "FTP_RESTRICTED" which can be GRANTED to any users you want to limit. Access to anything you don't want accessed can be restricted via an ACE:

(IDENTIFIER=FTP_RESTRICTED,ACCESS=NONE)

This can be placed high up in directory trees to prevent access to any files below. (But make sure they have read access to the system disk or else nothing will work.)

You can even restrict access when connected via FTP, but not when logged in. For example:

(IDENTIFIER=FTP_RESTRICTED+NETWORK,ACCESS=NONE)

There is a logical name TCPIP$FTP_ANONYMOUS_ALIAS which allows you to define multiple anonymous usernames, but I doubt this does what you want.
A crucible of informative mistakes
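
The identifier-and-ACE setup described in the reply above, written out as a DCL command procedure. This is an added example, not part of the original posts; the username FTPUSER and the directory DKA100:[000000]PRIVATE.DIR are placeholders to replace with your own.

```dcl
$! Added example: FTPUSER and DKA100:[000000]PRIVATE.DIR are placeholders.
$!
$! 1. Create the rights identifier and grant it to the account to be limited.
$!    AUTHORIZE is run from SYS$SYSTEM so that it opens the live SYSUAF
$!    and rights database rather than creating new ones.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD/IDENTIFIER FTP_RESTRICTED
GRANT/IDENTIFIER FTP_RESTRICTED FTPUSER
SHOW/RIGHTS FTPUSER
EXIT
$!
$! 2. Put the deny ACE on the directory file at the top of the tree to be
$!    closed off. FTP_RESTRICTED+NETWORK matches only a process that holds
$!    both identifiers, so the same user in an interactive login is not
$!    affected by this ACE.
$ SET SECURITY -
    /ACL=(IDENTIFIER=FTP_RESTRICTED+NETWORK,ACCESS=NONE) -
    DKA100:[000000]PRIVATE.DIR
$!
$! 3. Confirm that the ACE is now on the directory.
$ SHOW SECURITY DKA100:[000000]PRIVATE.DIR
```

Repeat step 2 for each directory tree the account must not reach, leaving the system disk readable as the reply notes.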
Karl Rohwedder
Honored Contributor

Re: OpenVMS Captive FTP account directory

We use Hunter Goatley's HGFTP for this. You can set up many different anonymous accounts, and for each of them you specify the allowed directories and the allowed commands, e.g. you can disable CD completely. You can run HGFTP in parallel to UCX, just use a different port.

One source, for example, is:
ftp://ftp.tmk.com/vms-freeware/fileserv/
Robert Atkinson
Respected Contributor

Re: OpenVMS Captive FTP account directory

Kyle, we also use HGFTP. The directories are controlled by defining a logical (in LOGIN.COM for us) like this :-

$ DEFINE /PROC MADGOAT_FTP_DIRS FTP$USER_ROOT:[PENGSING...]
$ SET DEF FTP$USER_ROOT:[PENGSING]

HGFTP is far superior to HP's in-built anyway.

Rob.
Kyle Snavely_1
Advisor

Re: OpenVMS Captive FTP account directory

Thanks for the replies. I'll evaluate both ideas and see which one works better for us.

Thanks!
Kyle Snavely_1
Advisor

Re: OpenVMS Captive FTP account directory

Ran into a little trouble with HGFTP. Does anyone have any trouble with HGFTP bypassing object security? HGFTP, in my case, gives users access to objects that they normally wouldn't have access to under HP TCP/IP services FTP server (ver 5.3).

Swapped back and forth between both ftp servers and get the same result each time.
Martin P.J. Zinser
Honored Contributor

Re: OpenVMS Captive FTP account directory

Hello Kyle,

Which version of HGFTP do you have installed?
3.1-1, I think, is the current one. If you are at the current one, I think some more detailed information on the protection problem you are seeing would be nice. I could get in contact with Hunter to discuss this with him.

Greetings, Martin
Kyle Snavely_1
Advisor

Re: OpenVMS Captive FTP account directory

I've been emailing back and forth with Hunter. I was just wondering if anyone else had experienced the same problem.

I'm on the latest version of HGFTP. The account I'm using is a copy of the default account and it's able to view/grab files that it doesn't have permission to while under HGFTP. While FTPing to the same system with the same account when the TCP/IP services FTP server is running instead of HGFTP, the file permissions work as advertised. A sho proc/all on the ftp process ID while I'm logged in with ftp shows no elevated privileges. I don't understand how the user can bypass security when the process doesn't have access to do so.
Martin P.J. Zinser
Honored Contributor

Re: OpenVMS Captive FTP account directory

Hello Kyle,

As I understand it, it is not the "user" that is actually accessing the files but the FTP server process, and this does have appropriate rights to do so. It is a function of the FTP server to check that the user would have appropriate rights. Since you were already in contact with Hunter, what was his response?

Greetings, Martin

Kyle Snavely_1
Advisor

Re: OpenVMS Captive FTP account directory

He's checking code. What version of VMS are you running HGFTP on?