Chroot-ing a User?

I've been trolling the web for a couple days to find out how to 'chroot' a user to a particular directory on my machine, but haven't found anything that's very helpful. Was hoping someone here might be able to point me in the right direction. The information I have been able to find all seems to be dated and either doesn't work or I'm missing something fundamental when I try to implement it.
I'm working on a project with several other people and it would be helpful if I could allow them to connect to my machine via SSH or SFTP to drop files into a specific directory and to pick up things that other folks in the group have dropped there previously.
I've created a user account for all of us to share and used NetInfo Manager to switch the account's home directory to a separate volume away from my personal data. Since some of the other folks in the group are not necessarily technical when it comes to computers, I'm going to recommend that they use FileZilla to connect and transfer files because it will run on Mac, Linux and Windows platforms. I've tested the mechanics of this and it works just fine, except for one tiny thing...
The problem is that, from FileZilla (or any other SSH or SFTP connection), I can connect to my machine using the group account and walk almost anywhere on the system and look at the files. While the folks I'm working with are generally trustworthy, I don't necessarily want to rely on their honor to stay out of the spreadsheets containing my financial records, my personal e-mail, etc. Even trustworthy people can fall victim to their own curiosity.
I've found a few articles on how to use chroot, OpenSSH, and OpenSSL to jail a user account to a particular directory, but they all seem to be dated. All of them say that Apple's version of OpenSSH will not support chroot. (Is this still true?) I've only located one article that deals with a version of OS X as recent as 10.4.3, and it uses something called 'scponly'. I can't even get it to compile because of some library mis-matches.
My questions:
1. Has anyone on the list set up something similar on OS X 10.4.11? If so, will you share how?
2. Is the problem with OS X 10.4? Do I need to upgrade to 10.5.x before this will work?
3. Is this functionality that is only enabled on OS X Server? (i.e., has it been deliberately disabled?)
4. Is there another way to accomplish this without necessarily relying on chroot?
Thanks in advance for any replies.
Tom

I found a copy of 4.1 (don't ask me where - it was getting late!), but I'm still running into the error. While following the instructions, I get to the point where I download OpenSSL-4.0p1 and try to compile it. I un-tar the gz file and run .configure and get the following error:
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library.
Check config.log for details.
From the config.log file, the first error I see is:
configure:2151: gcc -c -g -O2 conftest.c >&5
conftest.c:2: error: parse error before 'me'
configure:2157: $? = 1
configure: failed program was:
| #ifndef __cplusplus
| choke me
| #endif
The next error shown is:
configure:2647: checking how to run the C preprocessor
configure:2682: gcc -E conftest.c
configure:2688: $? = 0
configure:2720: gcc -E conftest.c
conftest.c:10:28: error: ac_nonexistent.h: No such file or directory
configure:2726: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "OpenSSH"
| #define PACKAGE_TARNAME "openssh"
| #define PACKAGE_VERSION "Portable"
| #define PACKAGE_STRING "OpenSSH Portable"
| #define PACKAGE_BUGREPORT ""
| #define WORDS_BIGENDIAN 1
| /* end confdefs.h. */
| #include <ac_nonexistent.h>
There are many more errors like this, but I'm not sure if they're significant. I went to the end of the log file and all it has there is the statement:
configure: exit 1
Again, I'm not sure if this is useful information. If I try to run the make command, all I get is:
make: *** No targets specified and no makefile found.  Stop.
Suggestions?

Similar Messages

  • Scponly with chroot setup but user can STILL forward ports... [SOLVED]

    I'm using scponly and have chrooted a user to his home directory.  I noticed, however, that I can ssh into the box with port forwarding enabled, which is a dangerous security breach in my opinion.  I'd like to have the ability to keep port forwarding for other users, but for the scponly user, I'd like to disallow ssh port forwarding.  Anyone know how?
    $ ssh nightshade -P 8081
    username@nightshade's password:
    Welcome to nightshade
    Last edited by graysky (2009-09-25 19:08:26)

    Turns out this can be accomplished by the addition of two new lines to the sshd_config:
    Match user USERNAME
    AllowTcpForwarding no

  • Run Yaourt as user inside 32bit chroot?

    I have a 64bit system and have a 32chroot setup as per the wiki instructions. Everything works brilliantly except that Yaourt runs as root and I want to build firefox-spookyet. Does anybody know how I would go about doing this?
    Come to think of it, is it safe to run Firefox from a chroot? Htop says firefox is running as biatchi but also that root executed
    /bin/su -p biatchi -c firefox
    Is that safe?
    Last edited by biatchi (2008-08-22 02:13:24)

    I use the dchroot command to run things from chroot, so yaourt, for example, can be run like this:
    dchroot -d 'yaourt -Syu --aur'
    I actually have this aliased to something more convenient.
    The problem is, I just noticed that the dchroot package was removed from the repos and schroot (the package that's supposed to be its replacement) doesn't seem to be in any of the repos, so I'm not sure what's going on there...
    EDIT: uhm, I don't think I've read your post carefully enough.  You should be able to do "su [username]" when within chroot, which would then allow you to use makepkg as regular user.  I'm not sure if you need to have your /home --bind mounted within the chroot for this to work or not.
    I actually log into chroot as regular user, I have this alias in my .bashrc:
    alias arch32="sudo chroot /opt/arch32/ /bin/su - filip"
    You'd need to replace "filip" with your username, of course.
    Last edited by fwojciec (2008-08-22 02:30:28)

  • How do I chroot() named

    I am hosting my network DNS using multiple views on a Mac Mini server with Time Capsule.  The Server GUI functions well for my external view only.  Does anyone have any experience chroot()'ing named on the Mac platform?  Other than the Liu and Albitz examples in 'DNS and Bind', I have not found any Mac-specific guides.

    You would have to modify the org.isc.named launch agent. Logging won't be affected. I see no reason why RNDC would be affected either. But you'll have to do your own research if any problems come up.

  • How do I restrict an sFTP user to just their home folder?

    Today I set up a user on my Mac specifically for someone to sFTP files to my computer.
    I tested the connection on another computer on the network. It worked OK, but I quickly realised that after logging in via an FTP client, I could go to the root dir and start to navigate around other folders, getting to other home directories, download photos etc., all of which I don't want the user to do.
    I would like the FTP user to log in and only see their home directory, nothing else.
    The root shouldn't show any files, for example.
    I have tried to lock things down and it's a bit better, ensuring that a lot of the folders have owner only permissions, and group write only.
    However, there are some folders that cannot be locked down by default.
    /Applications
    For example, any user can read any file in that folder, even if the user is only intended to FTP files.
    I have tried changing the group the user belongs to (changing it from 'Staff' to 'Nobody') but it doesn't seem to make a difference.
    Hope someone can help me with this please; perhaps there is a better way. I have not used any terminal commands in what I have done; everything has been via the GUI (which I guess should be sufficient).

    Thanks Linc,
    that has helped a lot.
    Here is what I have done for the record:
    1) opened the sshd_config file in /etc
         sudo vi sshd_config
    2) added the following lines to the very bottom of the file:
    Match User MYUSER
    # The following two directives force klm to become chrooted
    # and only have sftp available. No other chroot setup is required
    ChrootDirectory /Users/MYUSER/
    ForceCommand internal-sftp
    # For additional paranoia, disallow all types of port forwardings
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
    3) Saved the file and tried to reconnect
    4) My FTP Software (on another computer on the network) wouldn't connect! I kept getting an error message:
         Error: Server unexpectedly closed network conection
         Error: Could not connect to server
    5) I opened up the "Console" program and looked at the secure.log under /var/log and saw the following entry:
    Aug  2 10:28:57 rmlloyd-imac sshd[6590]: fatal: bad ownership or modes for chroot directory component "/Users/MYUSER"
    This made me realise that it was something to do with permissions on the home folder, but I still don't quite appreciate why the user logging in doesn't have permissions to its own folder as a root.
    6) Some searching on the internet yielded something like the perfect answer, that a home directory cannot be set as a chroot directory.
    So I changed the ChrootDirectory to:
    ChrootDirectory /Users
    7) Attempt to login with sFTP again works! What I see is the root appears to be the contents of /Users
    Conclusion
    This is much, much better than the situation I was in originally. I can set access permissions to the home directories, but the ftp user still sees them. It's not perfect but it nearly is.
    I really wish I didn't have to mess around in the terminal though. As fun as it is, a check box added by Apple to the user UI would do the job much more easily, e.g.
    "Restrict user to home folder only" - makes the home folder the root
    "Restrict user to the following activities" - then have check boxes for sFTP etc...
    Then the Apple UI can write to the sshd_config for me.
    All in all, I am very pleased and have learnt a fair bit from setting this up, so thanks to those that replied and I hope this information helps someone else one day.
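
Added example (not part of the original posts and not OpenSSH's own code): sshd accepts a ChrootDirectory only when every component of the path is a root-owned directory that is not writable by group or other, which is the rule behind the "bad ownership or modes" log line quoted above. The Python below audits Match blocks like the two posted in this thread against that rule and the forwarding settings; the sample filesystem, uid 501 and all function names are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

# OpenSSH defaults for the forwarding keywords checked below.
FORWARDING_DEFAULTS = {"AllowTcpForwarding": "yes", "X11Forwarding": "no"}

def parse_sshd_config(text):
    """Split sshd_config text into global options and a list of Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {"match": value, "options": {}}
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(keyword, value)   # first value wins
        else:
            current["options"].setdefault(keyword, value)
    return global_opts, blocks

def check_chroot_path(path, stat_fn=os.stat):
    """Return (component, problem) pairs that would make sshd reject `path`."""
    if not path.startswith("/"):
        return [(path, "not an absolute path")]
    components = ["/"]
    for name in path.split("/"):
        if name:
            components.append(components[-1].rstrip("/") + "/" + name)
    problems = []
    for component in components:
        try:
            st = stat_fn(component)
        except OSError as exc:
            problems.append((component, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((component, "not a directory"))
            break
        if st.st_uid != 0:
            problems.append((component, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            problems.append((component, "writable by group or other"))
    return problems

def audit_sftp_jails(text, stat_fn=os.stat):
    """Report weaknesses in every Match block that sets ChrootDirectory."""
    global_opts, blocks = parse_sshd_config(text)
    findings = []
    for block in blocks:
        opts, who = block["options"], block["match"]
        jail = opts.get("chrootdirectory")
        if jail is None:
            continue
        effective = dict(global_opts)       # a Match block overrides globals
        effective.update(opts)
        if effective.get("forcecommand", "").split()[:1] != ["internal-sftp"]:
            findings.append((who, "ForceCommand is not internal-sftp"))
        for name, default in FORWARDING_DEFAULTS.items():
            if effective.get(name.lower(), default).lower() != "no":
                findings.append((who, "%s is not 'no'" % name))
        if "%" in jail:
            findings.append((who, "ChrootDirectory uses tokens; check the expanded path"))
        else:
            for component, problem in check_chroot_path(jail, stat_fn):
                findings.append((who, "%s: %s" % (component, problem)))
    return findings

# Constructed sample: the directives posted above, plus a made-up filesystem
# in which /Users/MYUSER belongs to uid 501 (an assumed ordinary user).
SAMPLE_CONFIG = """\
Match User MYUSER
ChrootDirectory /Users/MYUSER/
ForceCommand internal-sftp
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
"""
SAMPLE_FS = {"/": (0, 0o755), "/Users": (0, 0o755), "/Users/MYUSER": (501, 0o755)}

def sample_stat(path):
    """Stand-in for os.stat backed by SAMPLE_FS, so the example runs anywhere."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(2, "No such file or directory", path)
    uid, perms = SAMPLE_FS[path]
    return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | perms)

if __name__ == "__main__":
    for who, problem in audit_sftp_jails(SAMPLE_CONFIG, sample_stat):
        print("Match %s: %s" % (who, problem))
```

With the default `stat_fn` the same functions check the real filesystem. A layout that passes is a root-owned jail directory containing a subdirectory owned by the SFTP user for uploads.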

  • FTP Server chroot

    Maybe it is easy. In 10.6.8 Server there was such a capability:
    When a customer logs in to the server with his user name and password (the customer was created on the server), he gets /Users/<CustomerLogin> as root.
    Today I tried to find it, but I see that I can set up only special shares, not a simple user directory chroot.
    Can anybody help me with making a simple FTP login to the server with chrooting to the user's home directory?

    I ended up just setting the share of the site to a user purely associated/setup for the use of the site. But I am still curious how to setup the SSH chroot jail for "user" group, while allowing the "admin" group full reign on the server. Also still curious on how to configure SFTP to work identical to how FTP is currently functioning.

  • User customization in WCI

    I am trying to figure out a few things in my implementation of WCI and OBPM.
    The biggest issue is that the OBPM application provides an option to assign the workflow to another user, but the users are displayed by user ID instead of user name. This makes it hard for users to know who they are assigning objects to.
    Second, when users log in to the portal, the upper right says "Welcome, <user id>" and I would like that to default to the user's first name for everyone.
    Any tips?
    Thanks

    Are you sync'ing your users in from an external source such as AD? You need to map the Name property in the AD or profile sync operations to users so they can be named appropriately.
    I know that may not be clear yet... try reading up in the online help for your authentication web service / profile web service
    http://edocs.bea.com/alui/ali/docs61/admin/users.html#wp1051399

  • [SOLVED] arch-chroot: Command not found

    Hey,
    I installed Windows 8 alongside Archlinux, so I need to restore my bootloader. I've downloaded the recent image of Arch, made it onto a bootable usb pen drive and booted it without any problems. However, I can't seem to find the arch-chroot binaries (and manually chroot-ing into /mnt after mounting everything fails because bash is not found).
    Am I doing something wrong or is the wiki out of date?
    Last edited by GreenTime (2012-11-01 10:16:56)

    You're doing something wrong.
    Download latest iso and use dd to write it to usb and verify md5 on iso and usb.
    Edit: Normally I roll my own iso with archiso, but to be absolutely sure of my answer to you, I've just downloaded the latest official iso and tested it in a VM, and as expected, arch-chroot is present and working fine.
    Last edited by mhertz (2012-11-01 01:49:59)

  • Vsftpd "530 Login incorrect"

    Hi,
    I have a problem connecting to my ftp server as "alie" or as anonymous user.
    Here is my config vsftpd.conf
    # Example config file /etc/vsftpd.conf
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=YES
    # Uncomment this to allow local users to log in.
    local_enable=YES
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    #local_umask=022
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    anon_upload_enable=YES
    no_anon_password=YES
    anon_max_rate=30000
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    chown_uploads=YES
    #chown_username=whoever
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/vsftpd.log
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    #xferlog_std_format=YES
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd.banned_emails
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
    # the user does not have write access to the top level directory within the
    # chroot)
    chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd.chroot_list
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    listen=YES
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES
    allow_writeable_chroot=YES
    and here is the error:
    [root@cubox ~]# ftp localhost
    ftp: connect to address ::1: Connection refused
    ftp: Trying 127.0.0.1 ...
    Connected to localhost.localdomain.
    220 (vsFTPd 3.0.0)
    Name (localhost.localdomain:root): alie
    331 Please specify the password.
    Password:
    530 Login incorrect.
    ftp: Login failed.
    ftp>
    and ls -la
    [root@cubox ~]# ls -la /srv/
    total 16
    drwxr-xr-x 4 root root 4096 Jul 30 09:55 .
    drwxr-xr-x 21 root root 4096 Jul 29 11:06 ..
    dr-xr-xr-x 2 alie ftp 4096 Jul 30 09:55 ftp
    drwxr-xr-x 2 root root 4096 Jul 28 20:07 http
    and id alie:
    [root@cubox ~]# id alie
    uid=1000(alie) gid=10(wheel) groups=10(wheel),11(ftp)

    > "An FTO error occurred - cannot make
    > connection to host. 530 Login incorrect."
    an FTP error occurred.
    it means the username or password entered in the remote server section of this site definition is incorrect.
    note- passwords are usually case sEnsitive.
    tip- if the hosting sent you an email confirming the connection details, copy/paste the username and password into the site definition dialog box.
    Alan
    Adobe Community Expert, dreamweaver
    http://www.adobe.com/communities/experts/

  • How to compile zfs for an upgraded kernel, root fs is zfs[newbie]

    Hey all, I am new to Arch, but was a gentoo user before. I have a question  about how to recompile third party module for a new kernel. I can not find any threads about it.
    I have a system with root fs zfs by following the howto Installing_Arch_Linux_on_ZFS, everything works fine.
    Recently I did a pacman -Syu and the kernel was updated, and errors occurred. But I do not know how to fix the problem.
    [2012-11-01 01:26] ==> Building image from preset: 'default'
    [2012-11-01 01:26]   -> -k /boot/vmlinuz-linux-lts -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-lts.img
    [2012-11-01 01:26] ==> Starting build: 3.0.49-1-lts
    [2012-11-01 01:26]   -> Running build hook: [base]
    [2012-11-01 01:26]   -> Running build hook: [udev]
    [2012-11-01 01:26]   -> Running build hook: [autodetect]
    [2012-11-01 01:26]   -> Running build hook: [pata]
    [2012-11-01 01:26]   -> Running build hook: [scsi]
    [2012-11-01 01:26]   -> Running build hook: [sata]
    [2012-11-01 01:26]   -> Running build hook: [zfs]
    [2012-11-01 01:26] ==> ERROR: module not found: `zfs'
    [2012-11-01 01:26] ==> ERROR: module not found: `zcommon'
    [2012-11-01 01:26] ==> ERROR: module not found: `znvpair'
    [2012-11-01 01:26] ==> ERROR: module not found: `zavl'
    [2012-11-01 01:26] ==> ERROR: module not found: `zunicode'
    [2012-11-01 01:26] ==> ERROR: module not found: `spl'
    [2012-11-01 01:26]   -> Running build hook: [filesystems]
    [2012-11-01 01:26]   -> Running build hook: [usbinput]
    [2012-11-01 01:26] ==> Generating module dependencies
    [2012-11-01 01:26] ==> Creating gzip initcpio image: /boot/initramfs-linux-lts.img
    [2012-11-01 01:26] ==> WARNING: errors were encountered during the build. The image may not be complete.
    The errors are from third party spl/zfs modules. pacman -U spl/zfs only installs modules for currently running modules, not the new kernel. I can not boot into the new kernel and recompile the third party modules since the root fs is zfs. What should I do to recompile those modules for the newly updated kernel, before using the newly updated kernel?
    Last edited by blackwhite (2012-11-02 03:35:13)

    falconindy wrote:
    blackwhite wrote:Thank all. I have fixed the problem. It seems I have to use livecd with zfs to chroot the broken system, and just reinstall the newest linux kernel (pacman -Ulinux-lts-3.0.49-1-x86_64.pkg.tar.xz ), it will find the spl/zfs module and  mkinitcpio -p correctly.
    BTW, in the chroot environment, the spl/zfs AUR still failed to figure it which kernel the system use, always use the current running kernel version on livecd to compile.
    Right. chroot'ing doesn't change your kernel. There's assuredly build options to let you compile against a different kernel.
    Would you step further, give me the right options to build a aur package against a different kernel. Thanks.

  • Mac Samba, Ftp and SFTP

    Hello!
    I have a question
    I have a lab (classroom) running Tiger 10.4.11. All machines have the same configuration and the same users (an Admin user and a "Limited User"). They are configured to use FTP, but when the users connect via FTP they can access the entire local volume.
    I need to know how I can restrict the "Limited User" so that they can only access their home.
    OK, why?
    Because sometimes they use "Transmit", and with Transmit they can access the entire local volume. Of course they don't have permission to delete or write on the local volume, only in the home directory.
    Is it possible to restrict the "Limited User" to their home only?
    Thanks!

    BDAqua wrote:
    Hi, not 100% certain, but possibly restricting with Sharepoints...
    http://www.hornware.com/sharepoints/
    Thanks for your answer!
    But it's not exactly what I want to do.
    Follow this link
    http://www.sveinbjorn.org/macosxftpserverhowto
    under the title "Configuring the FTP server" paragraph:
    chroot
    +Although this is adequately documented in the ftpd man page, it is worth discussing shortly: chroot-ing is a very important thing to do when providing a publicly accessible FTP server. If FTP users are chrooted, they will be unable to navigate the entire directory structure of the server. This is essential for security reasons.+

  • Setcap issues with nginx

    Hello,
    I've been trying to set up an nginx server and followed the tutorial on chroot-ing (https://wiki.archlinux.org/index.php/Nginx) and all. I have been running into an issue when starting the server and I think that my problem lies with the fact that I haven't been able to run setcap on my nginx file. I had found this thread (https://bbs.archlinux.org/viewtopic.php?id=159333) but am still getting an error when the solution to that thread is offered...
    This is the output of when I run systemctl start nginx:
    nginx.service - A high performance web server and a reverse proxy server
    Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
    Active: failed (Result: exit-code) since Wed 2013-04-24 20:12:11 CDT; 7min ago
    Process: 10519 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited, status=1/FAILURE)
    Apr 24 20:12:10 alarm systemd[1]: Starting A high performance web server and a reverse proxy server...
    Apr 24 20:12:11 alarm chroot[10519]: nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
    Apr 24 20:12:11 alarm chroot[10519]: nginx: configuration file /etc/nginx/nginx.conf test failed
    Apr 24 20:12:11 alarm systemd[1]: nginx.service: control process exited, code=exited status=1
    Apr 24 20:12:11 alarm systemd[1]: Failed to start A high performance web server and a reverse proxy server.
    Apr 24 20:12:11 alarm systemd[1]: MESSAGE=Unit nginx.service entered failed state.
    When I attempt to use setcap using the following:
    setcap cap_net_bind_service=+ep /srv/http/usr/sbin/nginx
    I get this is an error:
    Failed to set capabilities on file '/srv/http/usr/sbin/nginx' (Operation not supported)
    usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
    Note <filename> must be a regular (non-symlink) file.
    I've been trying to figure out what to do, but am kind of hitting a wall. I would appreciate any help on this topic if possible, and I'm hoping it's something simple that I'm missing/forgetting.
    Thanks for the help in advance

    After re-trying the whole process a few times (process being the nginx arch tutorial), I was unsuccessful at getting the SETCAP error to resolve. I tried a reboot and did a 'pacman -Syu' just this morning. I'm still unable to get this to work for me in the JAIL setup.
    In case anyone has any more ideas, aside from votacom's solution, I'd be more than happy to try. If it helps, my kernel is 3.11.3-1-ARCH. I have been successful (and have been using) nginx in its normal environment instead of in a chroot. For my purposes, it's not a big deal to have it outside the jail; however, it has frustrated me that I couldn't get this to work.
    The output from when I run
    # setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx
    spits out this error:
    Failed to set capabilities on file `/srv/http/usr/bin/nginx' (Operation not supported)
    usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
    Note <filename> must be a regular (non-symlink) file.
    And this is what happens when I run stat:
    File: ‘/srv/http/usr/bin/nginx’
    Size: 1071060 Blocks: 2104 IO Block: 4096 regular file
    Device: 811h/2065d Inode: 97995 Links: 1
    Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2013-10-03 06:38:54.000000000 -0500
    Modify: 2013-07-17 13:44:10.000000000 -0500
    Change: 2013-07-17 14:31:41.000000000 -0500
    Birth: -
    **It should be noted that when I was working on setting up the jail, I was working as root.

  • Why do you not have Adobe Flash players? I will move to Samsung because of this reason.

    Guys, I prefer to move to Samsung because I always face a problem because Apple does not support Adobe Flash Player, and really this company is stubborn as **** and for sure they have issues with Adobe and they are fu....ing the users. Apple, if you don't want to solve this problem with Adobe, tell us, because we are fed up because many websites we cannot open and also we have video issues.

    OK, great, Allan,
    thanks for the articles; they explain it in detail. OK, I agree with you on many points about the Flash Player,
    but it is still inconvenient for me, using my iPhone and my iPad, to be surprised that there are many videos I cannot watch on the devices.
    Really, you guys should find a solution. One more issue with Apple: it's really hard to install images or videos to the PC or the opposite. I bought a Samsung Galaxy Note and really I stopped using my iPhone after that. I always love Apple, but I feel too much pressure from your side from using iTunes and the stupid sync, which many times could lose your apps and make you re-download. As a user, I do not want to complicate my life; wherever you guys make it easier for us, we will be happier with Apple.
    By the way, many friends I know switched from iPhone to Samsung because of this reason, so please try to make it easy, because we love Apple hardware.
    Best regards
    Abdul Korek

  • Logon failure with username/password authentication in WLE 5.1

    Hi,
    I have WLE 5.1 configured and running on a Win2K system. I am able to
    build and run the simpapp sample program. I am also able to build the
    interceptor_cxx sample and run with all interceptors other than the
    security interceptor. What I realised in this case was that the
    PersonQueryClient did not perform any login of a user from which the
    security interceptor could extract user ID information (have I missed
    something? I am a WLE and CORBA newbie) so I modified the ubb config
    file to define SECURITY as USER_AUTH and add the AUTHSVC, modified
    personqueryclientc.cpp to get access to the SecurityLevel2 principal
    authenticator, built the app, created a user with the tpusradd command,
    and ran the app (the AUTHSVC successfully starts).
    The Tobj::AuthType returned by the get_auth_type method of the
    PrincipalAuthenticator is Tobj::TOBJ_APPAUTH as I expect. I call the
    logon method with the parameters (user_name, argv[0], sys_password,
    password, 0) where user_name is the same as the user I created with the
    tpusradd command, argv[0] is personqueryclient (I've tried tpusradd'ing
    the user both with the "-c personqueryclient" argument and without),
    sys_password is the password I specified when tmloadcf was run against
    the modified ubb config file, password is the password I specified when
    I ran tpusradd. The logon always fails returning
    Security::SecAuthFailure. In the ULOGxxxx file the following message is
    displayed:
    181605.NUMBAT!TMSYSEVT.2180: LIBTUX_CAT:1484: WARN: .SysClientSecurity:
    User tbartley on SITE1 authentication failure
    I've tried running in the following manners all with the same result:
    1. With or without the security_cxx interceptor registered
    2. With the user in or not in a group
    3. With the user created using the "-c personqueryclient" arg to
    tpusradd or not
    If I change the security level down to APP_PW then everything works and
    the security_cxx interceptor sees a client name of personqueryclient and
    a username of personqueryclient. The logon fails if I use a sys_password
    other than the one specified to tmloadcf and succeeds if I use the
    correct password.
    Can anyone tell me what I might be doing wrong in the username/password
    authentication case?
    Here's the code I inserted to personqueryc.cpp to perform the logon:
    // Get SecurityCurrent object
    CORBA::Object_var var_security_current_oref
        = bootstrap.resolve_initial_references("SecurityCurrent");
    SecurityLevel2::Current_var var_security_current_ref =
        SecurityLevel2::Current::_narrow(var_security_current_oref.in());
    // Get the principal authenticator
    SecurityLevel2::PrincipalAuthenticator_var
        var_principal_authenticator_oref =
        var_security_current_ref->principal_authenticator();
    char user_name[100] = "";
    char password[100] = "";
    char sys_password[100] = "";
    // Narrow to a BEA Principal Authenticator
    Tobj::PrincipalAuthenticator_var v_bea_pa =
        Tobj::PrincipalAuthenticator::_narrow(var_principal_authenticator_oref.in());
    // See what level of logon has been turned on
    Tobj::AuthType auth_type = v_bea_pa->get_auth_type();
    cout << "Auth type: ";
    switch (auth_type) {
    case Tobj::TOBJ_APPAUTH: cout << "TOBJ_APPAUTH"; break;
    case Tobj::TOBJ_SYSAUTH: cout << "TOBJ_SYSAUTH"; password[0] = '\0';
        break;
    case Tobj::TOBJ_NOAUTH: cout << "TOBJ_NOAUTH"; break;
    default: cout << "TOBJ_<unknown>"; break;
    }
    cout << endl;
    cout << "Username: ";
    cin.width(sizeof(user_name));   // bound the read to the buffer size
    cin >> user_name;
    switch (auth_type) {
    case Tobj::TOBJ_APPAUTH: {
        cout << "User password: ";
        cin.width(sizeof(password));   // bound the read to the buffer size
        cin >> password;
    }
    // fall through
    case Tobj::TOBJ_SYSAUTH: {
        cout << "App password: ";
        cin.width(sizeof(sys_password));   // bound the read to the buffer size
        cin >> sys_password;
        break;
    }
    default: {
        break;
    }
    }
    // now that we've got all the data necessary, logon
    Security::AuthenticationStatus status =
        v_bea_pa->logon(user_name,
                        argv[0],
                        sys_password,
                        password,
                        0); // user data
    cout << "Logon result: ";
    switch (status) {
    case Security::SecAuthSuccess: cout << "SecAuthSuccess"; break;
    case Security::SecAuthFailure: cout << "SecAuthFailure"; break;
    case Security::SecAuthContinue: cout << "SecAuthContinue"; break;
    case Security::SecAuthExpired: cout << "SecAuthExpired"; break;
    default: cout << "SecAuth<unknown>"; break;
    }
    cout << endl;
    if (status != Security::SecAuthSuccess) {
        cerr << "Invalid password." << endl;
        exit(1);
    }
    Here are the entries I added to the ubb config file:
    *RESOURCES
    SECURITY USER_AUTH
    AUTHSVC AUTHSVR
    *SERVERS
    AUTHSVR SRVGRP=SYS_GRP SRVID=6 RESTART=Y GRACE=600 MAXGEN=2 CLOPT="-A"
    I do not have the WLE Security Services installed (i.e. the package
    that provides SSL and crypto). Is this required? It's not clear to me
    from the documentation if this is required for username/password based
    authentication or not.
    Thanks for any help,
    Tim Bartley

    Hi Michael
    I am using SSL in my application. So that it asks for the certificate username
    and password while startup. But now I want to mention the username and password
    in weblogic.properties file itself. So that the client need not have to provide
    the username and password every time. I am using weblogic server 5.1 version.
    How do I do this?
    Hope my question is clear. Please help.
    with regds
    siva
    Michael Young wrote:
    Hi.
    It's not 100% clear to me what you are asking for. Do you want authentication
    turned off for your application? That will certainly turn off prompting for
    authentication information. You can set your ACL for your application (in your
    properties file) to allow everyone to execute it. Something like:
    weblogic.allow.execute.<myApplication>=everyone
    But maybe you want some kind of silent authentication so that not everyone
    can execute your app? I suppose you could pass authentication info in a cookie.
    I really don't know enough about your application, though.
    I suggest you post this question in weblogic.developer.interest.security - you
    have a better chance of getting an answer there for security related questions.
    Hope this helps.
    Michael
    siva wrote:
    Hi all,
    I have the following requirements. I have an application which asks for the authentication
    information like username and password at first. The application is running in
    weblogic5.1 server. Is there a way where in weblogic.properties file, I mention
    the username and password so that the application will not ask for in the browser.
    Please help. It's urgent.
    with regds
    siva
    --
    Developer Relations Engineer
    BEA Support

  • Performance test tool for BPS?

    Dear BPS Gurus,
    I want to test BPS performance with about 25-50 users using the application at
    same time. This is important before we go-live.
    Could you please share your experience for similar situation? Can SAP Loadrunner be used for mimicking multiple users at the same time on BPS?
    I also could not find any SAP benchmark for BPS. Could you please suggest some place for checking the same.
    Thanks in advance,
    regards,
    Vithal

    You can use Mercury's Loadrunner for this purpose.
