Solved

File System Permissions

Posted on 2010-11-29
8
543 Views
Last Modified: 2013-12-27
I am looking to perform a review of file system permissions on a Solaris Server for the first time. I have done this a fair bit on Windows 2003 Server by reviewing the necessary file shares and directory (NTFS) permissions, but never so on Solaris (bare this in mind on your responses please).

The Solaris Server is a domain server as part of an AD domain which is predominantly made up of 99% windows servers and workstations, with a mere 3 solaris servers for specific applications. What is the most practical way to essentially say:

\\solarisdatabaseserver\backup - who has access /access control list
\\solarisdatabaseserver\database - who has access /access control list

Does Solaris also have the concept of “shares”, i.e. \\host\e$, and also any admin types shares, that are typically only accessible by local administrators?

I also sometimes like to run a directory listing for a server to see where key files are. On Windows I used to do something like

C:>DIR \\solarisdatabaseserver\share$ /s > listing.txt

So basically I could do with:

How to list all shares on the solaris server
How to list all people and users who can access these files on the server
How to get a directory listing per share on the server

And also if all IT admins only have windows machines, what are they likely to use to gain remote access to the server from their windows machine, say for example if someone asks for a log file so they have to logon and get it. What types of client and protocols are used in such examples?

Would prefer some EE input as opposed to just links.

Thanks
0
Comment
Question by:pma111
  • 4
  • 3
8 Comments
 
LVL 6

Accepted Solution

by:
Tomunique earned 250 total points
ID: 34238584
wow... too much for 1 post... to answer this properly and completely, it's a small book.

to answer the easier parts of your question:
you need to log into the server (you can't do all your checking remotely)

besides protocols like http, or other applications that may be listening on ports..
putty (or some other ssh client) / telnet/ ftp / sftp/ are the primary access methods.
(check (via nfs -an|grep LISTEN) to see which ports the server is listening on.
While it's not 100% (ie you can move telnet to another port other than 23), it will be a decent start.
knowing what the server is monitoring, helps eliminate roads you need to research.

NFS and SMB are twp methods of exporting directories as "shares".  (SMB is most likely where you're getting your windows access from).
NFS: /etc/exports is where the server will list what directories are available.
I believe there's a file like /etc/smbexports  but, I'm not SMB literate.,

questions you'll need answered, if you don't know they yourself..
Do you have a user directory database besides /etc/passwd?  (LDAP?) (can of worms)
do you permit "annonymous" access from remote boxes? (nobody account)
check things like ssh keys for root or other admin accounts

Tom
0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 250 total points
ID: 34246422
Assuming command line access to the host:
To view active shares and access:   dfshares
To view all potential shares and access:    cat /etc/dfs/dfstab

Check for the existence of SMB on the host: ps -ef | grep smb
If running, check the config file. If not apparent as arguments to the smb process, try: pargs -l [pid]

To list all files/dirs and their corresponding permissions, from the root of the dir you want to traverse:
find . -ls

To list directories within a share and their acl, cd to the root of the dir you want to traverse and run:
find . -type d -ls

To remotely retrieve files from hosts, I commonly use scp, or if in a pinch ftp. I use WinSCP when connecting from Windows hosts.
0
 
LVL 3

Author Comment

by:pma111
ID: 34246536
Thanks so much. I guess what I am also wondering is in a windows network if a share is open to say the "everyone" group on a windows server, internal people can just mount it in explorer and dont have to enter a password or anything, if they are on the ACL they can just mount it as if it was a local drive and view all the data. ...

I just wonder if in Solaris if theres a similar ACL to the "everyone" group or "domain users" then would people be able to use to tools and protocols to access the data WITHOUT needing to enter a password to retreive data from a windows machine? Or in a nutshell if you are going to acces a solaris box from windows you are always going to have to enter a password to get at data
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 13

Expert Comment

by:Rowley
ID: 34246620
The SaMBa application uses the smb protocol to make local files available to windows clients - not Solaris. There is no native support for smb (aka windows) clients in any current production release of solaris.

That said, SaMBa can be configured to behave in any number of ways including the way in which you have mentioned. It is well documented and is a mature, feature rich and stable product.
0
 
LVL 3

Author Comment

by:pma111
ID: 34246669
Does SAMBA come by default in newer versions of Solaris? Or is it more of an addon?
0
 
LVL 13

Expert Comment

by:Rowley
ID: 34246891
I retract - /usr/sfw/sbin contains the binaries for smb. svcs samba will show you the status and svcprop samba will show you the service params on Solaris 10. Admittedly, its been a while since I used it...(solaris 8)

:S
0
 
LVL 13

Expert Comment

by:Rowley
ID: 34246896
...and thats /usr/sfw/bin, not sbin.
0
 
LVL 3

Author Comment

by:pma111
ID: 34256477
Thanks I've got a solaris box to practice all this on so I will get to work - I assume the best way to learn this is hands on experience. and putting your comments into practice
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
LINUX ZIP - UNCOMPRESS WINDOWS PATH 3 109
Thin secure Windows 10 5 108
Obtaining a computer ssl certificate from AD PKI using the command line 2 72
awk sed variable in file 3 98
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question