Solved

Netware 6 user rights?!

Posted on 2003-11-14
Last Modified: 2007-12-19
What should the default rights to a user's home dir be??
The guy I work with said way back when the user was only to get "CFREWM".
The default on NetWare 6 is full rights to the user dir. Is this right or is Novell smoking something? Or am I smoking something 'cause I don't ever remember hearing that. I'm sure in NW3.X and 4 there might have been an issue but is it still there?? I've looked on the web and have found nothing on this.

TIA
0
Comment
Question by:jscart
30 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749240
That's what it should be. RWECMF. Those are all needed by a user in their home directory.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749267
But the default new user gets FULL SUPER rights "SRWECMFA" to their home dir only.
Is this right, or do I have to go through and change everybody :( (200+ users)
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749296
Let's review those rights and you'll see why they are needed.

R = Read
Read the contents of existing files.
W = Write
Write over existing file (but NOT create new files!)
E = Erase
Erase a file (but NOT a directory)
C = Create
Create a new file in the directory
M = Modify
Modify the directory structure (basically, add or delete sub-directories)
F = Filescan
List the contents of the directory

A user with Read but not Filescan can read files, but only if they know the filename, as they won't be able to get a directory listing. A user with Create but not Write can only create new files in the directory, not write to existing ones. A user without Modify cannot add or remove subdirectories.

For me as a NetWare admin, the only question for me when assigning a user his/her rights to his/her Home directory is whether or not to give them the A (Access Control) right. With that right, they can grant other users access to their own Home directory without having to get me to do it.

The only filesystem right that, in my mind, should never be handed out to users is S (Supervisor).
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749317
I'm not sure why your users are getting those rights. That isn't default NetWare behaviour to the best of my knowledge.

S makes the others redundant. If users get S, then they have no need of the others.

How are these users being created? A template? A program? I'm 99% sure that neither NWADMIN nor ConsoleOne grants all those rights when creating a user Home Dir.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749402
All users were created with ConsoleOne and a template created with ConsoleOne. In the template you can't set the rights, so rights are granted BY NOVELL, not me. This leads me to believe that these are defaults, right? I know my Novell rights and this did seem a bit odd, but if it is default, is it right?
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749479
I'm not sure where those rights are getting set, but it is NOT a Novell-default to hand out Supervisor. What version of ConsoleOne are you using?
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 9749522
Well, hush my mouth and feed me chitlins....

I just went into our test tree using ConsoleOne v1.3.3. I selected a context and created a new Template.

Under the New Object FS Rights tab, plain as day, the default rights for the user Home Directory are set to SRWECMFA.

That's insane. That's a stupidity I'd expect from M$, not the guys in Provo.

jscart, go into your Template, to that tab, and deselect the Supervisor and Access Control right, then save the Template. From that point on, new users created with that Template will not get those additional rights.

As for the 200 or so you already have, you can write a batch file to use the FLAG command to remove the extra rights. This can be done from the command-line, no need to use ConsoleOne.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749589
OK, will do. Do you have a sample batch file?? It's been a while since I've written any.
I wonder if Novell knows they have done this??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749673
The default for a home directory always includes the "a" right.

Everything BUT supervisor.

It has been this way for many versions.  The intent is to allow the user to grant access to the user's home directory to other users.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749684
RWCEMFA.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749689
Supervisor should never be granted as a default.  Something is wrong.   Do what PsiCop said, but leave the A.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749701
Actually, using the RIGHTS command is probably preferable to FLAG.

Start by getting a file that lists just the user directories, one per line.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749721
Well, what's the worst that could happen if the S was left? Is there a hole somewhere?? Could they get root super??

For now I'm hand removing S&A.

This server is a fresh install, even a new tree. Wonder if the distro is broken; I only added patches and no third party stuff yet.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749749
I have the dir list now what??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749794
Leave the A.  S is Supervisor file system rights, which cannot be blocked by IRF.  Default rights for home dir always should include A, so a user can share files with another user.

If you choose to remove A, then you should establish a common, shared directory where users can share files.

The goal of this is to remove altogether the desire or perceived need to set up any peer-to-peer networking at all.  Part and parcel of this concept is making sure that the Windows PCs do not have NetBEUI, and cannot establish Windows File and Print Sharing.
0
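The rights described in this thread can be checked with a small model. The following is an added example, not part of any post above: it is a simplified, single-trustee model (group membership and security equivalence are ignored), and the function names and the subdirectory case with an IRF of "F" are constructed for illustration.

```python
# Simplified model of NetWare file-system trustee rights for ONE trustee
# (added example; ignores group membership and security equivalence).
ALL = frozenset("SRWCEMFA")

# Operation -> right required, following the definitions given in the thread.
NEEDS = {
    "list directory": "F",
    "read file": "R",
    "overwrite file": "W",
    "create file": "C",
    "erase file": "E",
    "add/remove subdirectory": "M",
    "grant rights to others": "A",
}

def effective(assigned, irfs=()):
    """Rights a trustee holds after inheriting through each IRF in `irfs`.

    `assigned` is the trustee assignment on the home directory (e.g. "RWECMFA");
    `irfs` lists the Inherited Rights Filter of each subdirectory on the way down.
    """
    rights = set(assigned.upper()) & ALL
    if "S" in rights:
        # Supervisor implies every right, and an IRF cannot filter it out.
        return set(ALL)
    for irf in irfs:
        rights &= set(irf.upper())   # an IRF can only remove inherited rights
    return rights

def allowed(rights):
    """Operations permitted by a set of effective rights."""
    return sorted(op for op, need in NEEDS.items() if need in rights)

def compare(irfs):
    """Effective rights below the home dir: template default vs. S removed."""
    return {a: "".join(sorted(effective(a, irfs))) for a in ("SRWECMFA", "RWECMFA")}

if __name__ == "__main__":
    # Constructed case: a subdirectory whose IRF passes only Filescan.
    for grant, eff in compare(["F"]).items():
        print(f"{grant:9} -> {eff or '(none)'}")
    print(allowed(effective("R")))    # Read without Filescan
    print(allowed(effective("CF")))   # Create without Write
```

With the template default the filter has no effect on the user, while the same filter cuts the trimmed assignment down to Filescan only.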
 
LVL 1

Author Comment

by:jscart
ID: 9749868
We do have common folders for all depts. But is it really an evil thing to leave? Is it a security hole? If so, how many others haven't noticed this?
Scary, huh?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749898
One of the nightmare scenarios I have worked through a couple of times is admins intentionally granting supervisor rights when troubleshooting a file access issue, and leaving those rights in place.  Supervisor is not a good thing to grant anyone but the admin.  The same concept works in the eDirectory area, where some admins decide to grant users supervisor rights to Root just because it's a quick-and-dirty way to get something to work, rather than taking the time and effort to make it work in a secure fashion.

Every user that has inappropriate rights to any piece of the network, whether it's the directory or a particular server's file system, is another security hole waiting to be exploited.
0
 
LVL 1

Author Comment

by:jscart
ID: 9750025
Alrighty then, I totally agree lazy people shouldn't be admins (nor stupid people). Any more info on this batch file for changing the lot of folders??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9750061
Common folders for all depts are not security holes, unless you grant any of the users supervisor rights.
0
 
LVL 1

Author Comment

by:jscart
ID: 9750080
No not the common folder they are great when used right. It's the half @$$ed admining I can't stand.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9750109
It is frustrating.  To quote Clinton - I feel your pain.  The difference is, I really do, I'm not just saying it for political advantage.

Are you working through cleanup of a half-assed admin'ed site?  My highly tuned senses detect a touch of bitterness in your last statement... ;)
0
 
LVL 1

Author Comment

by:jscart
ID: 9750153
I was but it's much better after four years. Finally getting things the way they should be. Then this pops up on a fresh NW6 install. What a way to end the week!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9750657
Sorry I haven't had a chance to sit down and work out the exact syntax for the batch. It should look something like:

@ECHO OFF
REM Batch file to reset user privs
RIGHTS SERVER/VOLUME:USERS\USER1 -S /NAME=USER1
RIGHTS SERVER/VOLUME:USERS\USER2 -S /NAME=USER2
.
.
.

Kinda tedious to do. There's no really slick way to handle this with the built-in tools.

It's a pain taking over an environment constructed by people who had no business at the server console. I had to do that and it took two solid years, with a lot of help, to clean it up.
0
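One way to produce the batch file sketched above from the one-per-line directory list mentioned earlier in the thread, as an added example that is not part of the original post. It assumes each home directory is named after its user, keeps the post's placeholder path `SERVER/VOLUME:USERS`, copies the `RIGHTS` line format from the post without verifying it, and removes only S by default so that A stays in place; `build_batch` and the sample list are hypothetical.

```python
import re

# Characters accepted in a home-directory/user name (assumption: no spaces or
# path separators, so each name is safe to paste into a command line).
VALID = re.compile(r"^[A-Za-z0-9_.\-]+$")

def build_batch(dir_list, base="SERVER/VOLUME:USERS", revoke="S"):
    """Return (batch_lines, rejected) for a list of home-directory names.

    `base` is the placeholder path from the post; `revoke` holds the rights to
    remove. The RIGHTS line format is copied from the post and is unverified.
    """
    lines = ["@ECHO OFF", "REM Batch file to reset user privs"]
    seen, rejected = set(), []
    for raw in dir_list:
        name = raw.strip().rstrip("\\/").upper()
        if not name or name.startswith("REM "):
            continue                      # skip blanks and comment lines
        # A listing may carry the full path; keep only the last component.
        name = re.split(r"[\\/:]", name)[-1]
        if not VALID.match(name):
            rejected.append(raw.strip())  # leave odd entries for manual review
            continue
        if name in seen:
            continue                      # one RIGHTS line per directory
        seen.add(name)
        lines.append(f"RIGHTS {base}\\{name} -{revoke} /NAME={name}")
    return lines, rejected

if __name__ == "__main__":
    # Constructed sample listing, not taken from the thread.
    sample = ["alice", "USERS\\bob\\", "", "alice", "john smith"]
    batch, skipped = build_batch(sample)
    print("\n".join(batch))
    print("Review by hand:", skipped)
```

Run the generated file against one test directory first and confirm the resulting trustee assignment before applying it to the full list.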
 
LVL 1

Author Comment

by:jscart
ID: 9751356
PsiCop gets points for the script, he saw the flaw on his system, and he eats chitlins. eeww!! although I've never tried them and never will.

Good show to all and thanks for the help!!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9751367
That's short for chitterlings.  Isn't that something disgusting like pig intestines?
0
 
LVL 1

Author Comment

by:jscart
ID: 9754240
Something like that. It's on the same line as PORK RINDS!! Now I have tried them and they are NASTY!!!!!!!!!!!!!!!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9754388
Pork rinds isn't bad - they taste kinda like bacon...

The only way I want to eat any kind of animal intestine is when used as a sausage casing.
0
 
LVL 1

Author Comment

by:jscart
ID: 9754408
They don't taste like any kinda bacon I make, or anyone I know makes. There's something else going on with those things. I think it's just the pig skin, which gets rolled around in you know what. I'm sure that adds to the flavor. Bacon comes from the belly meat under the skin, tastes much better.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9765202
Actually, I don't eat chitlins, it's just a quaint local turn of phrase. And you're right - NASTY stuff. Nothing like having a plate of food designated as an EPA Superfund site.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9765252
LOL
0
