FTP Account, no privileges

 
Dario Karlen
Frequent Advisor

FTP Account, no privileges

I want to create a VMS account without any privileges. It should be possible to connect and get/put files only in the default dir. Which privileges do I have to give to this account? The defaults are only NETMBX and TMPMBX. I have an old VMS system manager manual and I've found nothing in the online UAF help either.
Vladimir Fabecic
Honored Contributor

Re: FTP Account, no privileges

What is your OS version and TCPIP (or UCX) version?
Did you try to create anonymous ftp account?
Run TCPIP$CONFIG (or UCX$CONFIG) and choose Optional components and Set up Anonymous FTP Account and Directories.
You can copy and modify this account.
In vino veritas, in VMS cluster
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

You need NETMBX priv. You also only need to enable NETWORK access (not batch, local, dialup or remote). Also review what's in your LGICMD and ensure it's protected (i.e. can't be replaced/updated by the ftp account).

You should ensure you set up the appropriate file protections/ACLs to prevent unwanted access into other disk/directory areas.
Don't do what Donny Dont does
Joseph Huber_1
Honored Contributor
Solution

Re: FTP Account, no privileges

Consider also the use of Hunter's HGFTP server
(see freeware at http://www.process.com/openvms )
which gives full control over the directories accessible, and the operations allowed.
Through logicals in the HGFTP startup one can define a list of directories anywhere.
http://www.mpp.mpg.de/~huber
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

DIGITAL TCP/IP Services for OpenVMS Alpha Version V5.0A
on a COMPAQ AlphaServer DS10 466 MHz running OpenVMS V7.2-1
On network I gave full access.
I copied the anonymous account. I can log in on the system, but when I try to give the DIR command, this is displayed:
%DIRECT-E-OPENIN, error opening DSA2:[WAL.XFER]*.*;* as input
-RMS-E-PRV, insufficient privilege or file protection violation
Vladimir Fabecic
Honored Contributor

Re: FTP Account, no privileges

Maybe you will modify some settings of the copied account. First, change the default directory (DSA2:[WAL.XFER]) owner and permissions.
In vino veritas, in VMS cluster
Arch_Muthiah
Honored Contributor

Re: FTP Account, no privileges

Hi,

Go to the link below, where you can download all types of the latest VMS-related manuals, including the "OpenVMS System Managers" manual Vol-I and Vol-II and the TCPIP configuration manual.

http://h71000.www7.hp.com/doc/os82_index.html

Also the TCPIP version 5.0A is very old, you can download TCPIP docs for Version 5.4 from the above link.

Archunan
Regards
Archie
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

This might help.

If you're "playing" away from Production try $ set security/acl=(id=[ftp_account_acl],access=read+execute+write) required_directory.dir (perhaps DSA2:[WAL]XFER.dir;)

Joseph makes a good point by recommending Hunter's HGFTP server; I know of several people who enjoy this.
Don't do what Donny Dont does
Ian Miller.
Honored Contributor

Re: FTP Account, no privileges

What's the protection on DSA2:[WAL.XFER]?
____________________
Purely Personal Opinion
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

Sorry, ftp_account_acl = ftp_account_uic - doah!
Don't do what Donny Dont does
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

KARLEND > sh def
DSA2:[WAL.XFER]
KARLEND > show prot
SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=NO ACCESS
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

UAF> sh ftp

Username: FTP Owner: ANONYMOUS
Account: ANONY UIC: [400,20] ([FTP])
CLI: DCL Tables: DCLTABLES
Default: DSA2:[WAL.XFER]
LGICMD:
Flags: DisCtlY LockPwd DisWelcome DisNewMail DisMail DisReport DisReconnect
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ##### Full access ###### ##### Full access ######
Batch: ----- No access ------ ----- No access ------
Local: ----- No access ------ ----- No access ------
Dialup: ----- No access ------ ----- No access ------
Remote: ##### Full access ###### ##### Full access ######
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: (none) Pwdchange: (pre-expired)
Last Login: 19-OCT-2005 08:39 (interactive), 19-OCT-2005 08:32 (non-interactive)
Maxjobs: 0 Fillm: 50 Bytlm: 52200
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 18 JTquota: 4096
Prclm: 8 DIOlm: 18 WSdef: 350
Prio: 8 ASTlm: 100 WSquo: 512
Queprio: 4 TQElm: 15 WSextent: 512
CPU: (none) Enqlm: 100 Pgflquo: 10240
Authorized Privileges:
NETMBX TMPMBX
Default Privileges:
NETMBX TMPMBX
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

Dario, your post gives your current process's default protection for new files. Issue a $ dir/sec DSA2:[WAL]XFER.dir to get the details on the directory file.

Try my suggested $ set security/acl=(id=[ftp],access=read+execute+write) DSA2:[WAL]XFER.dir
Don't do what Donny Dont does
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

before
KARLEND > dir/sec DSA2:[WAL]XFER.dir

Directory DSA2:[WAL]

XFER.DIR;1 217 19-FEB-2001 14:14:13.07 [SYSTEM]
(RWE,RWE,RE,E)

Total of 1 file, 217 blocks.

and after your command:
KARLEND > set security/acl=(id=[ftp],access=read+execute+write) DSA2:[WAL]XFER.d
KARLEND > dir/sec DSA2:[WAL]XFER.dir

Directory DSA2:[WAL]

XFER.DIR;1 217 19-FEB-2001 14:14:13.07 [SYSTEM]
(RWE,RWE,RE,E)
(IDENTIFIER=[FTP],ACCESS=READ+WRITE+EXECUTE)

Total of 1 file, 217 blocks.

You're my man! Good work, thanks a lot, it works fine.
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

:-) Good stuff! The important thing here is that you try and find time to understand the commands used. There are lots more things you can do to protect your system further, all it takes is knowledge!

Best
John.
Don't do what Donny Dont does
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

Thanks a lot. I'm a young programmer and have to manage the VMS as a system manager by the way, so it takes a lot of time to get the knowledge :)
One last question: I set the security for the directory, but every hour a process creates a file and copies it to this dir. The new file still has the old security, so I cannot read it with the ftp account. What do I have to change?
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

You need this command:
$ set security/acl=(id=[ftp],options=default,access=read+execute+write) DSA2:[WAL]XFER.dir

This will allow user ftp rwe access to files created by someone else (who has permission to write into this area).
Don't do what Donny Dont does
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

Not sure if you know this one... you need to apply this permission to existing files within the directory: $ set file/acl/def/log DSA2:[WAL.XFER...]*.*;*

This assumes you're happy to allow r+w+e access for user ftp to all files in xfer and below. You might just want r (read). In that case you can edit the security ACL by typing $ edit/acl xfer.dir;
Don't do what Donny Dont does
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

That's not necessary, but helps!

Now I have 2 colons in the dir/secu
KARLEND > dir/secu [wal]xfer.dir

Directory DSA2:[WAL]

XFER.DIR;1 217 19-FEB-2001 14:14:13.07 [SYSTEM]
(RWE,RWE,RE,E)
(IDENTIFIER=[FTP],OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE)
(IDENTIFIER=[FTP],ACCESS=READ+WRITE+EXECUTE)

Total of 1 file, 217 blocks.

Can I remove the second one? And how can I remove it?
I'm very happy to get such help from an old hand, THANK YOU!
John Abbott_2
Esteemed Contributor

Re: FTP Account, no privileges

You need them both. The one with options=default propagates the ACL properties to files within and below this directory, the one without is specifically for the directory, so they address your initial problem and your subsequent one!
Don't do what Donny Dont does
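
The reason both ACEs are needed, as an added example that is not part of the original thread: a simplified Python model of the OpenVMS check order (ACL first, then the UIC protection code) and of how an OPTIONS=DEFAULT ACE is copied onto new files. The function names, the [1,4] UIC for [SYSTEM], the new file's owner and protection, and the omission of privileges are assumptions; the FTP UIC and the directory protection are taken from the listings above.

```python
# Simplified model of OpenVMS file access checks (added example, not thread code).
# Assumptions: ACEs match by identifier name only; privileges (BYPASS, READALL,
# SYSPRV) are ignored; MAXSYSGROUP is 8; [SYSTEM] is UIC [1,4].
MAXSYSGROUP = 0o10
SYSTEM, FTP = (0o1, 0o4), (0o400, 0o20)   # FTP UIC [400,20] is from the UAF record

def categories(uic, owner):
    """Protection-code fields that apply to a requester; they are cumulative."""
    cats = "W"
    if uic[0] == owner[0]:
        cats += "G"
    if uic == owner:
        cats += "O"
    if uic[0] <= MAXSYSGROUP:
        cats += "S"
    return cats

def allowed(ident, uic, obj, want):
    """ACL first: the first non-default ACE for the identifier decides here
    (real OpenVMS still consults the system/owner fields after an ACE denial).
    With no matching ACE, the S/O/G/W protection code is used."""
    for ace in obj["acl"]:
        if ace["id"] == ident and not ace.get("default"):
            return want in ace["access"]
    return any(want in obj["prot"][c] for c in categories(uic, obj["owner"]))

def create_file(directory, owner, prot):
    """A new file receives the directory's OPTIONS=DEFAULT ACEs as ordinary ACEs."""
    acl = [{"id": a["id"], "access": a["access"]}
           for a in directory["acl"] if a.get("default")]
    return {"owner": owner, "prot": prot, "acl": acl}

PLAIN_ACE = {"id": "FTP", "access": "RWE"}
DEFAULT_ACE = {"id": "FTP", "access": "RWE", "default": True}
# Protection of files written by the hourly job: assumed equal to "show prot" above.
FILE_PROT = {"S": "RWED", "O": "RWED", "G": "RE", "W": ""}

def scenario(acl):
    """Return (FTP can list XFER.DIR, FTP can read a file created afterwards)."""
    xfer = {"owner": SYSTEM, "acl": acl,   # (RWE,RWE,RE,E) as in dir/sec output
            "prot": {"S": "RWE", "O": "RWE", "G": "RE", "W": "E"}}
    new_file = create_file(xfer, SYSTEM, FILE_PROT)   # owner [SYSTEM] is assumed
    return allowed("FTP", FTP, xfer, "R"), allowed("FTP", FTP, new_file, "R")

if __name__ == "__main__":
    for name, acl in [("no ACL", []), ("plain ACE", [PLAIN_ACE]),
                      ("default ACE only", [DEFAULT_ACE]),
                      ("both ACEs", [DEFAULT_ACE, PLAIN_ACE])]:
        print(f"{name:17} dir listing, new file readable = {scenario(acl)}")
```

The "plain ACE" case reproduces the hourly-file problem and the "default ACE only" case reproduces the original DIR failure, which is why the second ACE cannot simply be removed.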
Dario Karlen
Frequent Advisor

Re: FTP Account, no privileges

I got it, thanks John!