
Re: user privileges

Uwe Zessin
Honored Contributor

Re: user privileges

Ah, thanks for the Captive reminder - you're right for interactive use.

Did you protect the account against NETWORK logins, too? For example, I can FTP into a captive username and modify LOGIN.COM unless I do:
UAF> modify USER1 /nonetwork

$ ftp localhost
220 athena.&&&&&.de FTP Server (Version 5.4) Ready.
Connected to LOCALHOST.
Name (LOCALHOST:zessin): nopriv
331 Username nopriv requires a Password
Password:
230 User logged in.
FTP> get login.com l.txt
200 TYPE set to IMAGE.
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51364) (10 bytes)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes received in 00:00:00.01 seconds (0.75 Kbytes/s)
FTP> put l.txt login.com
200 PORT command successful.
150 Opening data connection for USER_&&&:[NOPRIV]login.com; (127.0.0.1,51365)
226 Transfer complete.
local: &&&l.txt;1 remote: login.com
10 bytes sent in 00:00:00.02 seconds (0.35 Kbytes/s)
FTP>

(I've replaced some security-related information with &&&)
Eric_369
Advisor

Re: user privileges

Uwe,
I followed the instructions in your post and the account is such that I cannot "get" a file from the server using ftp in the 'noprivilege' account.
Eric
Robert Gezelter
Honored Contributor

Re: user privileges

Eric,

Reading the dialogue, it is not clear to me what your "unprivileged" account is configured as. An attachment of the SHOW /FULL from within AUTHORIZE would be helpful.

Also helpful would be a log of the terminal session that shows the FTP problem.

To do many tasks, an unprivileged user will need to have the innocuous NETMBX and TMPMBX privileges. Beyond that, no normal user should need to have any additional privileges for a routine application. In almost every case (and I can count the exceptions on one hand in over twenty five years), there is no need for additional privileges for users. ACLs of various forms allow access to files and devices.

In each case where I have been called to deal with a situation such as you describe, the problem has been incorrect protections and ACLs on files. This is eminently correctable. In fact, I have presented a session (at HP World 2004) that demonstrated how you can manage huge environments without granting users privileges (see http://www.rlgsc.com/hpworld/2004/N227.html).

In short, giving out READALL and BYPASS is a very bad idea.

- Bob Gezelter, http://www.rlgsc.com
Eric_369
Advisor

Re: user privileges

Robert,
I apologize for being slow about getting back to your question. Below are the privileges of the 'nonprivilege' account, the security on the login.com file, and the ftp log. I think it's the security on the login.com file that disallows 'get' privilege.

What I am trying to accomplish is to minimalize the privileges of 'regular' users while allowing them to execute my applications, which read, write, and update RMS files, print to printers, and run batch jobs.

Eric

User privileges:

Username: TEST Owner: TEST A. USER
Account: UIC: [11,1] ([11,1])
CLI: DCL Tables: DCLTABLES
Default: DISK$USERS:[TEST]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 90 00:00 Pwdchange: 29-AUG-2005 16:03
Last Login: 3-SEP-2005 13:01 (interactive), 3-SEP-2005 13:01 (non-interactive)
Maxjobs: 0 Fillm: 100 Bytlm: 64000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 8 DIOlm: 150 WSdef: 8000
Prio: 4 ASTlm: 250 WSquo: 8000
Queprio: 4 TQElm: 10 WSextent: 16384
CPU: (none) Enqlm: 2000 Pgflquo: 50000
Authorized Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX
Default Privileges:
LOG_IO MOUNT NETMBX OPER PHY_IO TMPMBX

login.com security:

[RX-DEV]dir/sec login.com

Directory TTM_USERS:[TEST]

LOGIN.COM;38 [1,1] (RWED,RWED,RE,E)

ftp log:

$ !
$ ! File name: TCPIP$FTP_SERVER.COM
$ ! Product: HP TCP/IP Services for OpenVMS
$ ! Version: V5.5-11
$ !
$ ! © Copyright 1976, 2004 Hewlett-Packard Development Company, L.P.
$ !
$ ! Confidential computer software. Valid license from HP and/or its
$ ! subsidiaries required for possession, use, or copying.
$ !
$ ! Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
$ ! Computer Software Documentation, and Technical Data for Commercial
$ ! Items are licensed to the U.S. Government under vendor's standard
$ ! commercial license.
$ !
$ ! Neither HP nor any of its subsidiaries shall be liable for technical
$ ! or editorial errors or omissions contained herein. The information
$ ! in this document is provided "as is" without warranty of any kind
$ ! and is subject to change without notice. The warranties for HP
$ ! products are set forth in the express limited warranty statements
$ ! accompanying such products. Nothing herein should be construed as
$ ! constituting an additional warranty.
$ !
$ set noon
$ set symbol /scope=(nolocal,global)
$ set symbol /scope=(nolocal,noglobal)/verb
$ !
$ ! start ftp child process
$ !
$ run:
$ run SYS$SYSTEM:TCPIP$FTP_CHILD.EXE
$ !
$ ! completed ftp child execution
$ !
$ exit:
$ exit $status .or. %x10000000
TEST job terminated at 6-SEP-2005 08:44:15.19
Accounting information:
Buffered I/O count: 80 Peak working set size: 7920
Direct I/O count: 50 Peak virtual size: 182112
Page faults: 566 Mounted volumes: 0
Charged CPU time: 0 00:00:00.08 Elapsed time: 0 00:14:08.07
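The least-privilege setup Robert describes, applied to the TEST account and LOGIN.COM from the listing above and to the protection of LOGIN.COM that Uwe's FTP session is about. This is an added example and not a command procedure from the thread; the identifier name APP_USERS and the data-file path APP$DATA:[DATA] are assumptions, and it must be run from an account that can use AUTHORIZE.

```dcl
$ ! Added example: least-privilege configuration for the TEST account.
$ ! 1. Shrink authorized and default privileges to NETMBX + TMPMBX. NOALL first
$ !    clears LOG_IO, MOUNT, OPER and PHY_IO, which the SHOW above still grants.
$ !    Access to application files is then granted through an identifier
$ !    (APP_USERS is an assumed name), not through privileges.
$ !    Lines after RUN are read by AUTHORIZE as its commands.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY TEST /PRIVILEGES=(NOALL,NETMBX,TMPMBX) /DEFPRIVILEGES=(NOALL,NETMBX,TMPMBX)
ADD /IDENTIFIER APP_USERS
GRANT /IDENTIFIER APP_USERS TEST
SHOW TEST
EXIT
$ !
$ ! 2. LOGIN.COM stays owned by [1,1] with world EXECUTE only. TEST in [11,1]
$ !    falls into the WORLD category, so it can still run the file at login but
$ !    cannot read it (hence the failing FTP GET) and cannot replace it with a
$ !    FTP PUT, which was the point of Uwe's session. This is the protection
$ !    the DIRECTORY /SECURITY output above already shows, set explicitly.
$ SET SECURITY /OWNER=[1,1] /PROTECTION=(S:RWED,O:RWED,G:RE,W:E) -
    DISK$USERS:[TEST]LOGIN.COM
$ !
$ ! 3. The RMS data files the application reads and updates get an ACL for the
$ !    identifier instead of a permissive protection code (path is assumed).
$ SET SECURITY /PROTECTION=(S:RWED,O:RWED,G,W) -
    /ACL=(IDENTIFIER=APP_USERS,ACCESS=READ+WRITE) APP$DATA:[DATA]*.DAT
$ !
$ ! 4. Verify. A new TEST process should list only NETMBX and TMPMBX, and the
$ !    files should show the protection and ACL just applied.
$ SHOW PROCESS /PRIVILEGES
$ DIRECTORY /SECURITY DISK$USERS:[TEST]LOGIN.COM
$ SHOW SECURITY APP$DATA:[DATA]*.DAT
$ EXIT
```

The UAF change applies to processes created after it; a TEST process that is already logged in keeps the privileges it started with until it logs out.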
Uwe Zessin
Honored Contributor

Re: user privileges

> UIC: [11,1]

That looks like you are aware of the feature of the system parameter MAXSYSGROUP, aren't you? ;-)