Solved

Netware 6 user rights?!

Posted on 2003-11-14
30
1,440 Views
Last Modified: 2007-12-19
What should the default rights to a user's home dir be??
The guy I work with said way back when the user was only to get "CFREWM"
The default on NetWare 6 is full rights to the user dir. Is this right or is Novell smoking something? Or am I smoking something 'cause I don't ever remember hearing that. I'm sure in NW3.X and 4 there might have been an issue but is it still there?? I've looked on the web and have found nothing on this.

TIA
Question by:jscart
30 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749240
That's what it should be. RWECMF. Those are all needed by a user in their home directory.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749267
But the default new user gets FULL SUPER rights "SRWECMFA" to their home dir only.
Is this right or do I have to go through and change everybody :( (200+ users)
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749296
Let's review those rights and you'll see why they are needed.

R = Read
Read the contents of existing files.
W = Write
Write over existing file (but NOT create new files!)
E = Erase
Erase a file (but NOT a directory)
C = Create
Create a new file in the directory
M = Modify
Modify the directory structure (basically, add or delete sub-directories)
F = Filescan
List the contents of the directory

A user with Read but not Filescan can read files, but only if they know the filename, as they won't be able to get a directory listing. A user with Create but not Write can only create new files in the directory, not write to existing ones. A user without Modify cannot add or remove subdirectories.

For me as a NetWare admin, the only question for me when assigning a user his/her rights to his/her Home directory is whether or not to give them the A (Access Control) right. With that right, they can grant other users access to their own Home directory without having to get me to do it.

The only filesystem right that, in my mind, should never be handed out to users is S (Supervisor).
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749317
I'm not sure why your users are getting those rights. That isn't default NetWare behaviour to the best of my knowledge.

S makes the others redundant. If users get S, then they have no need of the others.

How are these users being created? A template? A program? I'm 99% sure that neither NWADMIN nor ConsoleOne grants all those rights when creating a user Home Dir.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749402
All users were created with ConsoleOne and a template created with ConsoleOne. In the template you can't set the rights so rights are granted BY NOVELL not me. This leads me to believe that these are defaults, right. I know my Novell rights and this did seem a bit odd but if it is default, is it right?
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749479
I'm not sure where those rights are getting set, but it is NOT a Novell-default to hand out Supervisor. What version of ConsoleOne are you using?
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 9749522
Well, hush my mouth and feed me chitlins....

I just went into our test tree using ConsoleOne v1.3.3. I selected a context and created a new Template.

Under the New Object FS Rights tab, plain as day, the default rights for the user Home Directory are set to SRWECMFA.

That's insane. That's a stupidity I'd expect from M$, not the guys in Provo.

jscart, go into your Template, to that tab, and deselect the Supervisor and Access Control right, then save the Template. From that point on, new users created with that Template will not get those additional rights.

As for the 200 or so you already have, you can write a batch file to use the FLAG command to remove the extra rights. This can be done from the command-line, no need to use ConsoleOne.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749589
OK will do, do you have a sample batch file?? It's been a while since I've written any.
I wonder if Novell knows they have done this??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749673
The default for a home directory always includes the "a" right.

Everything BUT supervisor.

It has been this way for many versions.  The intent is to allow the user to grant access to the user's home directory to other users.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749684
RWCEMFA.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749689
Supervisor should never be granted as a default.  Something is wrong.   Do what PsiCop said, but leave the A.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9749701
Actually, using the RIGHTS command is probably preferable to FLAG.

Start by getting a file that lists just the user directories, one per line.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749721
Well what's the worst that could happen if the S was left. Is there a hole somewhere?? Could they get root super??

For now I'm hand removing S&A.

This server is a fresh install, even a new tree. Wonder if the distro is broken; I only added patches and no third party stuff yet.
0
 
LVL 1

Author Comment

by:jscart
ID: 9749749
I have the dir list, now what??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749794
Leave the A.  S is Supervisor file system rights, which cannot be blocked by IRF.  Default rights for home dir always should include A, so a user can share files with another user.

If you choose to remove A, then you should establish a common, shared directory where users can share files.

The goal of this is to remove altogether the desire or perceived need to set up any peer-to-peer networking at all.  Part and parcel of this concept is making sure that the Windows PCs do not have NetBEUI, and cannot establish Windows File and Print Sharing.
0

 
LVL 1

Author Comment

by:jscart
ID: 9749868
We do have common folders for all depts. But is it really an evil thing to leave? Is it a security hole? If so how many others haven't noticed this?
Scary huh?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9749898
One of the nightmare scenarios I have worked through a couple of times is admins intentionally granting supervisor rights when troubleshooting a file access issue, and leaving those rights in place.  Supervisor is not a good thing to grant anyone but the admin.  The same concept works in the eDirectory area, where some admins decide to grant users supervisor rights to Root just because it's a quick-and-dirty way to get something to work, rather than taking the time and effort to make it work in a secure fashion.

Every user that has inappropriate rights to any piece of the network, whether it's the directory or a particular server's file system, is another security hole waiting to be exploited.
0
 
LVL 1

Author Comment

by:jscart
ID: 9750025
Allrighty then, I totally agree lazy people shouldn't be admins (nor stupid people). Any more info on this batch file for changing the lot of folders??
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9750061
Common folders for all depts are not security holes, unless you grant any of the users supervisor rights.
0
 
LVL 1

Author Comment

by:jscart
ID: 9750080
No not the common folder they are great when used right. It's the half @$$ed admining I can't stand.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9750109
It is frustrating.  To quote Clinton - I feel your pain.  The difference is, I really do, I'm not just saying it for political advantage.

Are you working through cleanup of a half-assed admin'ed site?  My highly tuned senses detect a touch of bitterness in your last statement... ;)
0
 
LVL 1

Author Comment

by:jscart
ID: 9750153
I was but it's much better after four years. Finally getting things the way they should be. Then this pops up on a fresh NW6 install. What a way to end the week!
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9750657
Sorry I haven't had a chance to sit down and work out the exact syntax for the batch. It should look something like:

@ECHO OFF
REM Batch file to reset user privs
RIGHTS SERVER/VOLUME:USERS\USER1 -S /NAME=USER1
RIGHTS SERVER/VOLUME:USERS\USER2 -S /NAME=USER2
.
.
.

Kinda tedious to do. There's no really slick way to handle this with the built-in tools.

It's a pain taking over an environment constructed by people who had no business at the server console. I had to do that and it took two solid years, with a lot of help, to clean it up.
0
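The directory-list-to-batch step described in the posts above, as an added example that is not part of the original thread: it works out which rights to strip from the template default and writes one RIGHTS line per right in the form shown in the post. Assumptions: each home directory is named after its user (as in the USER1/USER2 sample), `SERVER/VOLUME:USERS` is the placeholder path from the post, and the name allow-list is a conservative choice to widen if your naming differs.

```python
# Added example: builds the RIGHTS batch file from a one-per-line directory list.
import re

RIGHT_NAMES = {
    "S": "Supervisor", "R": "Read", "W": "Write", "E": "Erase",
    "C": "Create", "M": "Modify", "F": "Filescan", "A": "Access Control",
}

# Assumed allow-list for directory/user names. Anything else is reported,
# not emitted, so a stray character cannot change what the batch file does.
SAFE_NAME = re.compile(r"^[A-Z0-9_\-]+$")


def excess_rights(assigned, wanted):
    """Return the letters in `assigned` that are not in `wanted`, in order."""
    for letter in assigned + wanted:
        if letter not in RIGHT_NAMES:
            raise ValueError(f"unknown right: {letter!r}")
    return [r for r in assigned if r not in wanted]


def build_batch(dir_lines, assigned="SRWECMFA", wanted="RWECMFA",
                base=r"SERVER/VOLUME:USERS"):
    """Return (batch_text, rejected_names) for the listed home directories."""
    remove = excess_rights(assigned, wanted)
    out = ["@ECHO OFF", "REM Batch file to reset user privs"]
    rejected, seen = [], set()
    for raw in dir_lines:
        name = raw.strip().upper()
        if not name or name in seen:      # skip blanks and duplicates
            continue
        seen.add(name)
        if not SAFE_NAME.match(name):
            rejected.append(name)
            continue
        for right in remove:              # one right per line, as in the post
            out.append(f"RIGHTS {base}\\{name} -{right} /NAME={name}")
    return "\r\n".join(out) + "\r\n", rejected


if __name__ == "__main__":
    sample = ["user1", "USER2", "", "user1", "bad name&del"]  # constructed
    text, bad = build_batch(sample)
    print(text, end="")
    print("skipped:", bad)
```

Passing `wanted="RWECMF"` strips A as well as S; review the rejected names by hand rather than loosening the allow-list blindly.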
 
LVL 1

Author Comment

by:jscart
ID: 9751356
PsiCop gets points for the script, he saw the flaw on his system, and he eats chitlins. eeww!! although I've never tried them and never will.

Good show to all and thanks for the help!!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9751367
That's short for chitterlings.  Isn't that something disgusting like pig intestines?
0
 
LVL 1

Author Comment

by:jscart
ID: 9754240
Something like that. It's on the same line as PORK RINDS!! Now I have tried them and they are NASTY!!!!!!!!!!!!!!!
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9754388
Pork rinds aren't bad - they taste kinda like bacon...

The only way I want to eat any kind of animal intestine is when used as a sausage casing.
0
 
LVL 1

Author Comment

by:jscart
ID: 9754408
They don't taste like any kinda bacon I make, or anyone I know makes. There's something else going on with those things. I think it's just the pig skin, which gets rolled around in you know what. I'm sure that adds to the flavor. Bacon comes from the belly meat under the skin, tastes much better.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 9765202
Actually, I don't eat chitlins, it's just a quaint local turn of phrase. And you're right - NASTY stuff. Nothing like having a plate of food designated as an EPA Superfund site.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9765252
LOL
0
