Netware 6 user rights?!

What should the default rights to a users home dir be??
The guy I work with said back way back when the user was only to get "CFREWM"
The default on netware6 is full rights to the user dir. Is this right or is novell smoking something? or am I smoking something 'cause I don't ever remember hearing that. I'm sure in NW3.X and 4 there might have been an issue but is it still there?? I've looked on the web and have found nothing on this.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

That's what it should be. RWECMF. Those are all needed by a user in their home directory.
jscartAuthor Commented:
But the default new user gets FULL SUPER rights "SRWECMFA" to their home dir only.
is this right or do I have to go through and change everybody :( (200+ users)
Let's review those rights and you'll see why they are needed.

R = Read
Read the contents of existing files.
W = Write
Write over existing file (but NOT create new files!)
E = Erase
Erase a file (but NOT a directory)
C = Create
Create a new file in the directory
M = Modify
Modify the directory structure (basically, add or delete sub-directories)
F = Filescan
List the contents of the directory

A user with Read but not Filescan can read files, but only if they know the filename, as they won't be able to get a directory listing. A user with Create but not Write can only create new files in the directory, not write to existing ones. A user without Modify cannot add or remove subdirectories.

For me as a NetWare admin, the only question for me when assigning a user his/her rights to his/her Home directory is whether or not to give them the A (Access Control) right. With that right, they can grant other users access to their own Home directory without having to get me to do it.

The only filesystem right that, in my mind, should never be handed out to users is S (Supervisor).
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

I'm not sure why your users are getting those rights. That isn't default NetWare behaviour to the best of my knowledge.

S makes the others redundant. If users get S, then they have no need of the others.

How are these users being created? A template? A program? I'm 99% sure that neither NWADMIN nor ConsoleOne grants all thbose rights when creating a user Home Dir.
jscartAuthor Commented:
All users were created with ConsoleOne and a template created with consoleone. in the template you can't set the rights so rights are granted BY NOVELL not me. This leads me to believe that these are defaults, right. Iknow my Novell rights and this did seem a bit odd but if it is default, is it right?
I'm not sure where those rights are getting set, but it is NOT a Novell-default to hand out Supervisor. What version of ConsoleOne are you using?
Well, hush my mouth and feed me chitlins....

I just went into our test tree using ConsoleOne v1.3.3. I selected a context and created a new Template.

Under the New Object FS Rights tab, plain as day, the default rights for the user Home Directory are set to SRWECMFA.

That's insane. That's a stupdity I'd expect from M$, not the guys in Provo.

jscart, go into your Template, to that tab, and deselect the Supervisor and Access Control right, then save the Template. From that point on, new users created with that Template will not get those additional rights.

As for the 200 or so you already have, you can write a batch file to use the FLAG command to remove the extra rights. This can be done from the command-line, no need to use ConsoleOne.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jscartAuthor Commented:
OK will do, do you have a sample batch file?? it's been awhile since I've written any.
I wonder if novell knows they have done this??
The default for a home directory always includes the "a" right.

Everything BUT supervisor.

It has been this way for many versions.  The intent is to allow the user to grant access to the user's home directory to other users.
Supervisor should never be granted as a default.  Something is wrong.   Do what PsiCop said, but leave the A.
Actually, using the RIGHTS command is probably preferable to FLAG.

Start by getting a file that lists just the user directories, one per line.
jscartAuthor Commented:
Well what's the worst that could happen if the S was left. Is there a hole somewhere?? could they get root super??

for now I'm hand removing S&A.

This server is a fresh install even a new tree. Wonder if the distro is broken I only added patches and no third party stuff yet.
jscartAuthor Commented:
I have the dir list now what??
Leave the A.  S is Supervisor file system rights, which cannot be blocked by IRF.  Default rights for home dir always should include A, so a user can share files with another user.

If you choose to remove A, then you should establish a common, shared directory where users can share files.

The goal of this is to remove altogether the desire or perceived need to set up any peer-to-peer networking at all.  Part and parcel of this concept is making sure that the Windows PCs do not have NetBEUI, and cannot establish Windows File and Print Sharing.
jscartAuthor Commented:
we do have common folders for all depts. But is it really an eveil thing to leave. Is it a security hole? If so how many others haven't noticed this?
Scarry huh?
One of the nightmare scenarios I have worked through a couple of times is admins intentionally granting supervisor rights when troubleshooting a file access issue, and leaving those rights in place.  Supervisor is not a good thing to grant anyone but the admin.  The same concept works in the eDirectory area, where some admins decide to grant users supervisor rights to Root just because it's a quick-and-dirty way to get something to work, rather than taking the time and effort to make it work in a secure fashion.

Every user that has inappropriate rights to any piece of the network, whether it's the directory or a particular server's file system, is another security hole waiting to be exploited.
jscartAuthor Commented:
Allrighty then, I totaly agree lazy people shouldn't be admins (nor stupid people) Any more info on this batch file for changing the lot of folders??
Common folders for all depts are not security holes, unless you grant any of the users supervisor rights.
jscartAuthor Commented:
No not the common folder they are great when used right. It's the half @$$ed admining I can't stand.
It is frustrating.  To quote Clinton - I feel your pain.  The difference is, I really do, I'm not just saying it for political advantage.

Are you working through cleanup of a half-assed admin'ed site?  My highly tuned senses detect a touch of bitterness in your last statement... ;)
jscartAuthor Commented:
I was but it's much better after four years. Finally getting things the way they should be. Then this pops up on a fresh NW6 install. What a way to end the week!
Sorry I haven't had a chance to sit down and work out the exact syntax for the batch. It should look something like:

REM Batch file to reset user privs

Kinda tedious to do. There's no really slick way to handle this with the built-in tools.

Its a pain taking over an environment constructed by people who had no business at the server console. I had to do that and it took two solid years, with a lot of help, to clean it up.
jscartAuthor Commented:
PsiCop gets points for the script, he saw the flaw on his system, and he eats chitlins. eeww!! although I've never tried them and never will.

Good show to all and thanks for the help!!
That's short for chitterlings.  Isn't that something disgusting like pig intestines?
jscartAuthor Commented:
Something like that. It's on the same line as PORK RINDS!! Now I have tried them and they are NASTY!!!!!!!!!!!!!!!
Pork rinds isn't bad - they taste kinda like bacon...

The only way I want to eat any kind of animal intestine is when used as a sausage casing.
jscartAuthor Commented:
They don't taste like any kinda bacon I make, or anyone I know makes. There's something else goning on with those things. I think it's just the pig skin, which gets rolled around in you know what. I'm sure that adds to the flavor. Bacon comes from the belly meat under the skin, tastes much better.
Actually, I don't eat chitlins, its just a quaint local turn of phrase. And you're right - NASTY stuff. Nothing like having a plate of food designated as an EPA Superfund site.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Novell Netware

From novice to tech pro — start learning today.