geepee
20th May 2002, 14:40
Hi all,
we have a number of BaaN users on our system that need access to the unix shell (mainly for ftp) and we're looking at ways to restrict their unix access.
I've tried using the restricted shell but I can't login to BaaN when I use this.
What other methods are there? Can anyone explain why BaaN doesn't like rsh?
Thanks in advance
Gary.
dmcgrath
20th May 2002, 16:54
If it is and they're using a Windows client - it would be better to set up an ftp shortcut on their desktop with the URL: ftp://username@baan host IP address/
e.g. ftp://dmcgrath@192.18.100.25/
geepee
20th May 2002, 16:59
DM,
thanks for the response but no, they don't only use ftp.
Amongst other things, they (occasionally) tidy up their home directories so I don't want to completely take away their shell access.
Gary.
dmcgrath
20th May 2002, 18:10
Gary,
The users should be able to delete files from their home directories using the ftp connection.
DM
NPRao
20th May 2002, 20:23
Hi Gary,
Another approach to handle this issue is to make a small FTP tool in the BaaN sessions and remove the shell/ftp access from the users. It's easy to handle security if the users do not have the shell access. If they have shell access we need to spend a lot of time to determine the file access permissions on the various directories on the Unix file system.
Refer to the functions -
Syntax
long client2server( string source, string dest, long text.mode [, long rm.file] [, long progress.window] )
Description
This copies a specified file from the client to the server. The function supports long file names.
Syntax
long server2client( string source, string dest, long text.mode, [long progress.window] )
Description
This copies a specified file from the server to the client. The function supports long file names.
Markus Schmitz
21st May 2002, 14:25
Hi Gary,
I would try to avoid giving them shell access in the first place.
If the reason is cleaning up the home directory, then there are two better and user friendly solutions:
a) Use Samba for file access. In this way each user can map his home directory as a network share in Windows and each user can clean up his home with the ordinary Explorer.
b) Do not allow them to mess up their home in the first place!
How do you do that? Normally the only way a user messes up his home is by printing into a file.
So instead of printing into a file, set up a BaaN printer, which takes the output and emails it to the user. In this way no permanent files are created and the user needs no password whatsoever!
regards
Markus
geepee
22nd May 2002, 12:06
Markus,
thanks, I'll look into the Samba approach.
Regards,
Gary.
geepee
22nd May 2002, 12:12
NPRao,
thanks for the response. My problem is that the users have had shell access for a long time now and it'll take a lot for me to persuade them to give it up. There are a number of things, other than ftp, that they are using it for (e.g. killing off looping processes and stuck print jobs).
I guess I'll have to look at each function individually and provide an alternative way for them to do it.
Regards,
Gary.
NPRao
22nd May 2002, 19:55
Hi Gary,
Shell access is always a security concern for BaaN and Unix administrators.
If you are on the BaaN-5 version, you have the "Process" session, from the right hand side down on the task bar in the current connection, with which you can kill off the sessions.
For the ftp access, you can make the ftp tool.
To view files, you can create a small tool, which does a file browse zoom option, and shows it on a display browser.
Yes, you have to investigate each of the options and what purposes they use and try to provide alternatives to them.
Good Luck... :p