Chmod and relative permissions (in C) - c

My question is:
I created a file (in C) and then I tried to modify the permissions with chmod using octal integers: 00647.
I don't understand why I would still be allowed to execute this file as I set the permission 6 for the user who created the file (that's me!) knowing that 6 means I am only allowed to read and write on this file, but not execute it.
One of my thoughts was that maybe as I set the permission 7 for every user, I can execute it even if I set the permission 6 for myself, which is kind of weird, I think, because that would mean that as long as I set the permission 7 for every user, other permissions do not matter. So I am not sure that is the solution.

The purpose of file permissions is to provide security.
Imagine that you maintain a system that provides access to a functionality for each user by default. If a user does something nasty, you deny access for him. He then simply creates a new account to gain access to the functionality again... Oops, your model is wrong!
A better way is to maintain a default deny policy and then grant permissions for particular users to particular resources.

The OS asks itself - This person wants to access this file for execution.
If this person "anybody" - Bingo - Yes you are so on you go.
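
Added example (not part of the original posts): a small C model of how the classic Unix mode-bit check picks which rwx triplet applies to a caller, run against the mode 0647 from the question. The function name mode_allows, the WANT_* constants and the uid/gid values are assumptions made for illustration; the root branch reflects Linux behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Requested access, laid out like one rwx triplet. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/*
 * Model of the classic mode-bit check for a regular file (assumes no ACLs,
 * no supplementary groups, no MAC layer). Exactly one triplet is consulted:
 * owner if the uid matches, else group if the gid matches, else other.
 */
bool mode_allows(mode_t mode, uid_t file_uid, gid_t file_gid,
                 uid_t uid, gid_t gid, int want)
{
    unsigned bits;

    if (uid == 0) {
        /* Linux: root skips the r/w check, but execute still needs
         * at least one x bit set in any triplet. */
        if (want & WANT_X)
            return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
        return true;
    }
    if (uid == file_uid)
        bits = (mode >> 6) & 7;   /* owner triplet only */
    else if (gid == file_gid)
        bits = (mode >> 3) & 7;   /* group triplet only */
    else
        bits = mode & 7;          /* other triplet */
    return ((int)bits & want) == want;
}

int main(void)
{
    /* Constructed sample: file owned by uid 1000, gid 1000, mode 0647. */
    const mode_t m = 0647;
    printf("owner x: %d\n", mode_allows(m, 1000, 1000, 1000, 1000, WANT_X));
    printf("other x: %d\n", mode_allows(m, 1000, 1000, 2000, 2000, WANT_X));
    printf("root  x: %d\n", mode_allows(m, 1000, 1000, 0, 0, WANT_X));
    return 0;
}
```

On a real file the same question can be asked of the kernel with access(path, X_OK), which also accounts for ACLs and supplementary groups that this model leaves out.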

Related

Unloading data from Views with minimal permissions

I'm a newbie to Snowflake. I'm assigned a task to make a Python script that gets data from a Snowflake View and copies it to an SFTP server. I have barely any permissions on that account (can only view the shared Views).
Now my 2 questions:
Can the admin grant me permission to create internal stages without granting me any more permissions? (I want to ask the admin to give me that permission, but he won't be willing to share anything more with me.)
Can I use COPY INTO command on Views? All examples I read on the internet were about Tables and not Views and I'd like to be sure I can copy Views before asking for any permissions.
I apologize if those questions sound silly, but I have no way of testing those myself as I have no permissions on that account and I need to be sure before negotiating anything with admins.
Yes, that can be done. Also, you can look at the following documentation, which details the unload operation: docs.snowflake.com/en/user-guide/data-unload-overview.html

Is there any database work like NTFS based on RBAC?

If somebody wants to manage permissions in a program, the first idea would be an RBAC implementation. But another idea is a service like NTFS, which allows any user to create and manage his/her directories and subdirectories. Moreover, they can add more users with defined access.

BATCH evading admin rights

I have written code that almost works.
The only part that doesn't work is when it needs to copy from the Z: drive to C:\Program Files\software.
That step requires running the batch as an admin; however, I would like to run it without admin rights.
I want to make it executable for every user in the domain, without having to give them admin rights.
Is this possible to do (also without having to copy the map for every single computer)?
TL;DR
To copy a file to the C: drive the user would need to be an admin or run it as admin. However, I don't want to make everyone admin so they can execute it.
Is there a way to evade this? Or some code I can put in to make non-admin users able to copy to that folder?
Thanks in advance.
Why don't you simply change the security options for the target folder? Just give any user a write permission for it.
It makes no sense - if a user can't write to a location, it's because of the security policy. If there was a way to allow a user to write to a location even if he isn't allowed to, you would simply evade the Windows security policy - which is not possible or at least not intended.
TL;DR: Either grant the users the permission to write to the desired location by changing the security settings for the target dir OR by elevating the users' rights.

PAM: how do I change someone else's password?

What PAM call do I have to make to reset a user's password? I cannot figure it out.
Background:
I'm working on an embedded linux device. Customers install this device, and create user accounts. If one of those secondary user accounts gets locked out, or if a user forgets their password, we need a way where user #1 can reset the password for user #2. Our conversion to PAM is new, I'm in the middle of switching over to it now. Here are the calls I make to authenticate users:
pam_start();
pam_authenticate();
pam_acct_mgmt();
pam_end();
I see pam_chauthtok() for changing my own password, what I don't understand is if -- or how? -- I can use it or another similar call to assign a new password to another user account.
The whole point of having separate users is that they cannot do things like change each other's password. In order to change a user's password with PAM, you need to become that user. The easiest way to do this is to have a setuid-root binary, or a daemon that runs as root, which calls setuid, etc. to become the desired user then performs the operations to change password.
Of course this exposes your entire system to a great deal of risk, especially if you're not already skilled in these matters (which is clear from your question), so I'd think twice about whether this feature is necessary, and if so, whether you should hire an expert to handle it.

Checking file permissions across several network shares?

We have several Windows network shares, in a common location (\\server-name\share) that hosts a common set of files. These shares are replicated across roughly 300 hundred servers. We have the actual replication down, but we're running into an unanticipated problem: server admins half the world away changing file permissions on our share, and breaking replication in creative ways.
To detect this early on, we'd like to write a script to check each server's network share and ensure that a few permissions exist for the share folder & its contents:
Everyone needs read access
User X needs change/modify
User Y needs full control
Now, so far I've got a nice script that checks that at least each share exists. The complication stems from the fact that (due to a nice Active Directory tree), the usernames are consistent across servers (always of the form "DOMAIN/user"), but their guid numbers vary.
So far I've been looking at cacls.exe and the newer version Icacls.exe, but the options are confusing and seem to be centered around changing the Access Control Lists, which I don't want to do. Any tool that's Windows built-in is preferable, I'm just unsure how to approach this.
So what it comes down to is: on some arbitrary server, if I only know the NAME of a user, is there a way to figure out what file permissions they have on a given folder?
icacls does allow the use of the "friendly name" form for specifying the user. Which means you should be able to use the human style names. So 'bob' should point to the same person in all of your domains.
You can grant a user a permission without changing anything else using /grant:r which means "if it's already there do nothing, otherwise add it". So,
Everyone needs read access
icacls \a\directory\somewhere /t /grant:r Everyone:(rd)
I assume you want them to be able to list the contents of the directory as well as read.
User X needs change/modify
icacls \a\directory\somewhere /t /grant:r bobX:m
And so on. I assume that 'm' is sufficient to convey the 'modify' permission.
ACLs are just another name for "permissions". So, if you want to change permissions then you want to change the ACLs.
