09-02-2005 04:12 AM
Re: user privileges
Did you protect the account against NETWORK logins, too? For example, I can FTP into a captive username and modify LOGIN.COM unless I do:
UAF> modify USER1 /nonetwork
$ ftp localhost
220 athena.&&&&&.de FTP Server (Version 5.4) Ready.
Connected to LOCALHOST.
Name (LOCALHOST:zessin): nopriv
331 Username nopriv requires a Password
Password:
230 User logged in.
FTP> get login.com l.txt
200 TYPE set to IMAGE.
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51364) (10 bytes)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes received in 00:00:00.01 seconds (0.75 Kbytes/s)
FTP> put l.txt login.com
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51365)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes sent in 00:00:00.02 seconds (0.35 Kbytes/s)
FTP>
(I've replaced some security-related information with &&&)
09-03-2005 07:06 AM
Re: user privileges
I followed the instructions in your post and the account is such that I cannot "get" a file from the server using ftp in the 'noprivilege' account.
Eric
09-03-2005 11:30 AM
Re: user privileges
Reading the dialogue, it is not clear to me what your "unprivileged" account is configured as. An attachment of the SHOW
Also helpful would be a log of the terminal session that shows the FTP problem.
To do many tasks, an unprivileged user will need to have the innocuous NETMBX and TMPMBX privileges. Beyond that, no normal user should need to have any additional privileges for a routine application. In almost every case (and I can count the exceptions on one hand in over twenty five years), there is no need for additional privileges for users. ACLs of various forms allow access to files and devices.
In each case where I have been called to deal with a situation such as you describe, the problem has been incorrect protections and ACLs on files. This is eminently correctable. In fact, I have presented a session (at HP World 2004) that demonstrated how you can manage huge environments without granting users privileges (see http://www.rlgsc.com/hpworld/2004/N227.html).
In short, giving out READALL and BYPASS is a very bad idea.
- Bob Gezelter, http://www.rlgsc.com
09-06-2005 02:53 AM
Re: user privileges
I apologize for being slow about getting back to your question. Below are the privileges of the 'nonprivilege' account, the security on the login.com file, and the ftp log. I think it's the security on the login.com file that disallows 'get' privilege.
What I am trying to accomplish is to minimize the privileges of 'regular' users while allowing them to execute my applications which read, write, and update RMS files, print to printers, and run batch jobs.
Eric
User privileges:
Username: TEST Owner: TEST A. USER
Account: UIC: [11,1] ([11,1])
CLI: DCL Tables: DCLTABLES
Default: DISK$USERS:[TEST]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 90 00:00 Pwdchange: 29-AUG-2005 16:03
Last Login: 3-SEP-2005 13:01 (interactive), 3-SEP-2005 13:01 (non-interactive)
Maxjobs: 0 Fillm: 100 Bytlm: 64000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 8 DIOlm: 150 WSdef: 8000
Prio: 4 ASTlm: 250 WSquo: 8000
Queprio: 4 TQElm: 10 WSextent: 16384
CPU: (none) Enqlm: 2000 Pgflquo: 50000
Authorized Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
Default Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
login.com security:
[RX-DEV]dir/sec login.com
Directory TTM_USERS:[TEST]
LOGIN.COM;38 [1,1] (RWED,RWED,RE,E)
ftp log:
$ !
$ ! File name: TCPIP$FTP_SERVER.COM
$ ! Product: HP TCP/IP Services for OpenVMS
$ ! Version: V5.5-11
$ !
$ ! © Copyright 1976, 2004 Hewlett-Packard Development Company, L.P.
$ !
$ ! Confidential computer software. Valid license from HP and/or its
$ ! subsidiaries required for possession, use, or copying.
$ !
$ ! Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
$ ! Computer Software Documentation, and Technical Data for Commercial
$ ! Items are licensed to the U.S. Government under vendor's standard
$ ! commercial license.
$ !
$ ! Neither HP nor any of its subsidiaries shall be liable for technical
$ ! or editorial errors or omissions contained herein. The information
$ ! in this document is provided "as is" without warranty of any kind
$ ! and is subject to change without notice. The warranties for HP
$ ! products are set forth in the express limited warranty statements
$ ! accompanying such products. Nothing herein should be construed as
$ ! constituting an additional warranty.
$ !
$ set noon
$ set symbol /scope=(nolocal,global)
$ set symbol /scope=(nolocal,noglobal)/verb
$ !
$ ! start ftp child process
$ !
$ run:
$ run SYS$SYSTEM:TCPIP$FTP_CHILD.EXE
$ !
$ ! completed ftp child execution
$ !
$ exit:
$ exit $status .or. %x10000000
TEST job terminated at 6-SEP-2005 08:44:15.19
Buffered I/O count: 80 Peak working set size: 7920
Direct I/O count: 50 Peak virtual size: 182112
Page faults: 566 Mounted volumes: 0
Charged CPU time: 0 00:00:00.08 Elapsed time: 0 00:14:08.07
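As an added example, not code from the thread or from HP: a small Python audit that reads the AUTHORIZE listing and the DIR/SEC line posted above against the baseline Bob Gezelter states (NETMBX and TMPMBX only) and the two gaps Zessin's FTP session relied on (network logins not disabled with /NONETWORK, and LOGIN.COM writable by its owner). The sample listing is constructed from the text in the thread and the function names are mine.

```python
import re
# Constructed sample input: the AUTHORIZE listing and DIR/SEC line quoted in the thread.
UAF_LISTING = """\
Username: TEST Owner: TEST A. USER
Account: UIC: [11,1] ([11,1])
Flags:
No access restrictions
Authorized Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
Default Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
"""
DIR_SEC_LINE = "LOGIN.COM;38 [1,1] (RWED,RWED,RE,E)"
# Ordinary-user baseline stated in the thread: NETMBX and TMPMBX only.
BASELINE_PRIVS = {"NETMBX", "TMPMBX"}

def privileges(listing, section):
    """Privilege names on the line after 'Authorized Privileges:' or 'Default Privileges:'."""
    lines = listing.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == section and i + 1 < len(lines):
            return set(lines[i + 1].split())
    return set()

def excess_privileges(listing):
    """Privileges in either section that exceed the NETMBX/TMPMBX baseline."""
    held = privileges(listing, "Authorized Privileges:") | privileges(listing, "Default Privileges:")
    return sorted(held - BASELINE_PRIVS)

def network_logins_allowed(listing):
    """AUTHORIZE prints 'No access restrictions' when /NONETWORK was never applied."""
    return "No access restrictions" in listing

def login_com_writable_by_owner(dir_sec_line):
    """True when the Owner field of the (S,O,G,W) protection string grants W or D."""
    m = re.search(r"\(([^)]*)\)", dir_sec_line)
    fields = m.group(1).split(",") if m else []
    owner = fields[1] if len(fields) > 1 else ""
    return "W" in owner or "D" in owner

def audit(listing, dir_sec_line):
    """Findings a reviewer of this account would raise, in the thread's terms."""
    findings = [f"privilege beyond baseline: {p}" for p in excess_privileges(listing)]
    if network_logins_allowed(listing):
        findings.append("network logins allowed (no /NONETWORK), so FTP can reach LOGIN.COM")
    if login_com_writable_by_owner(dir_sec_line):
        findings.append("owner can modify LOGIN.COM")
    return findings

if __name__ == "__main__":
    for finding in audit(UAF_LISTING, DIR_SEC_LINE):
        print("FINDING:", finding)
```

Against the listing as posted it reports LOG_IO, MOUNT, OPER and PHY_IO as beyond the baseline, plus the two network-side findings.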
09-06-2005 02:59 AM
Re: user privileges
It looks like you are aware of the feature of the system parameter MAXSYSGROUP, aren't you? ;-)