HPE Community
Operating System - OpenVMS
1828479 Members
2834 Online
109978 Solutions
New Discussion

FTP restriction

 
SOLVED
Go to solution
Nicolau Roca
Advisor

‎01-31-2007 11:16 PM

‎01-31-2007 11:16 PM

FTP restriction

Hi, I have defined a captive account with restrictions on a OpenVMS system

Here is the exact sintaxis

UAF> add MYUSER /uic=[311,2] /owner="my user name" /account=MYUSER /dev=disk$ftp /dir=[myuser] -
_UAF> /flags=(nodisuser,captive,diswelcome,disnewmail,dismail,defcli) -
_UAF> /passw=myuserpassw /remote/dialup/local/network/nobatch
/lgicmd=DISK$FTP:[000000]FTP$CHANGEPW.COM

My user access via FTP, but in addition to all OpenVMS security for captive and restricted accounts, I would like him not to be able to change to another directory from the FTP prompt (although of course he lacks any privilege for doing anything outside his sys$login directory)

I would say it's just a aesthetic matter :)

Thanks in advance

Nicolau
0 Kudos
Reply
4 REPLIES 4
Karl Rohwedder
Honored Contributor

‎02-01-2007 12:25 AM

‎02-01-2007 12:25 AM

Solution

Re: FTP restriction

We use Hunter Goatley's HGFTP software for exactly that purpose, may be installed in parallel to standard FTP and bound on a different port. Should be on the freeware disks.
You can define (via logical names), to what directories a user may switch.

regards Kalle
Reply
Hoff
Honored Contributor

‎02-01-2007 02:03 AM

‎02-01-2007 02:03 AM

Re: FTP restriction

I am assuming you are looking for assistance with the FTP client, and not the FTP server.

If this is OpenVMS V6.2 or later and a TCP/IP stack with V6.2 capabilities is installed, then the DCL command COPY/FTP will allow you to implement exactly what you want within your captive command procedure. This rather than letting the user loose at FTP or building scripts of commands to pass into FTP utility...

With COPY/FTP, you have access to symbol substitution, and you can assemble the exact FTP command required, and then execute it not based on user input -- always a bad idea when security is involved -- but based on the CAPTIVE command procedure and its processing of user input.

COPY/FTP follows DCL norms for the COPY command, including the need to quote the remote specifications if these do not follow OpenVMS DCL file specification naming rules. At its simplest:

$ COPY/FTP x.y.z"user pass"::remspec localspec

FTP for what appears to be a password change operation (based on the filenames) would be an unusual approach. There could be other approaches available, depending on what the particular application requirements might be.
0 Kudos
Reply
Nicolau Roca
Advisor

‎02-19-2007 12:18 AM

‎02-19-2007 12:18 AM

Re: FTP restriction

My user accesses via FTP with a graphical FTP client called FileZilla, so I guess I can't use HGFTP, isn't it? Anyway I'll take a look at it when I got time

And for the same reason I think a COPY/FTP is not suitable in my case

Yes, the DISK$FTP:[000000]FTP$CHANGEPW.COM is a simple DCL script for changing the password. My intention is that all that my user can do with a TELNET connection is changing his password, and that's why I put it on the LGICMD. Maybe not the best approach (?)
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎02-19-2007 03:02 AM

‎02-19-2007 03:02 AM

Re: FTP restriction

Note that you can specify directories in get/put commands. So, protecting against using cd will not help you.

Wim
Wim
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.