Solved

File System Permissions

Posted on 2010-11-29
8
544 Views
Last Modified: 2013-12-27
I am looking to perform a review of file system permissions on a Solaris Server for the first time. I have done this a fair bit on Windows 2003 Server by reviewing the necessary file shares and directory (NTFS) permissions, but never so on Solaris (bare this in mind on your responses please).

The Solaris Server is a domain server as part of an AD domain which is predominantly made up of 99% windows servers and workstations, with a mere 3 solaris servers for specific applications. What is the most practical way to essentially say:

\\solarisdatabaseserver\backup - who has access /access control list
\\solarisdatabaseserver\database - who has access /access control list

Does Solaris also have the concept of “shares”, i.e. \\host\e$, and also any admin types shares, that are typically only accessible by local administrators?

I also sometimes like to run a directory listing for a server to see where key files are. On Windows I used to do something like

C:>DIR \\solarisdatabaseserver\share$ /s > listing.txt

So basically I could do with:

How to list all shares on the solaris server
How to list all people and users who can access these files on the server
How to get a directory listing per share on the server

And also if all IT admins only have windows machines, what are they likely to use to gain remote access to the server from their windows machine, say for example if someone asks for a log file so they have to logon and get it. What types of client and protocols are used in such examples?

Would prefer some EE input as opposed to just links.

Thanks
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 6

Accepted Solution

by:
Tomunique earned 250 total points
ID: 34238584
wow... too much for 1 post... to answer this properly and completely, it's a small book.

to answer the easier parts of your question:
you need to log into the server (you can't do all your checking remotely)

besides protocols like http, or other applications that may be listening on ports..
putty (or some other ssh client) / telnet/ ftp / sftp/ are the primary access methods.
(check (via nfs -an|grep LISTEN) to see which ports the server is listening on.
While it's not 100% (ie you can move telnet to another port other than 23), it will be a decent start.
knowing what the server is monitoring, helps eliminate roads you need to research.

NFS and SMB are twp methods of exporting directories as "shares".  (SMB is most likely where you're getting your windows access from).
NFS: /etc/exports is where the server will list what directories are available.
I believe there's a file like /etc/smbexports  but, I'm not SMB literate.,

questions you'll need answered, if you don't know they yourself..
Do you have a user directory database besides /etc/passwd?  (LDAP?) (can of worms)
do you permit "annonymous" access from remote boxes? (nobody account)
check things like ssh keys for root or other admin accounts

Tom
0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 250 total points
ID: 34246422
Assuming command line access to the host:
To view active shares and access:   dfshares
To view all potential shares and access:    cat /etc/dfs/dfstab

Check for the existence of SMB on the host: ps -ef | grep smb
If running, check the config file. If not apparent as arguments to the smb process, try: pargs -l [pid]

To list all files/dirs and their corresponding permissions, from the root of the dir you want to traverse:
find . -ls

To list directories within a share and their acl, cd to the root of the dir you want to traverse and run:
find . -type d -ls

To remotely retrieve files from hosts, I commonly use scp, or if in a pinch ftp. I use WinSCP when connecting from Windows hosts.
0
 
LVL 3

Author Comment

by:pma111
ID: 34246536
Thanks so much. I guess what I am also wondering is in a windows network if a share is open to say the "everyone" group on a windows server, internal people can just mount it in explorer and dont have to enter a password or anything, if they are on the ACL they can just mount it as if it was a local drive and view all the data. ...

I just wonder if in Solaris if theres a similar ACL to the "everyone" group or "domain users" then would people be able to use to tools and protocols to access the data WITHOUT needing to enter a password to retreive data from a windows machine? Or in a nutshell if you are going to acces a solaris box from windows you are always going to have to enter a password to get at data
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 13

Expert Comment

by:Rowley
ID: 34246620
The SaMBa application uses the smb protocol to make local files available to windows clients - not Solaris. There is no native support for smb (aka windows) clients in any current production release of solaris.

That said, SaMBa can be configured to behave in any number of ways including the way in which you have mentioned. It is well documented and is a mature, feature rich and stable product.
0
 
LVL 3

Author Comment

by:pma111
ID: 34246669
Does SAMBA come by default in newer versions of Solaris? Or is it more of an addon?
0
 
LVL 13

Expert Comment

by:Rowley
ID: 34246891
I retract - /usr/sfw/sbin contains the binaries for smb. svcs samba will show you the status and svcprop samba will show you the service params on Solaris 10. Admittedly, its been a while since I used it...(solaris 8)

:S
0
 
LVL 13

Expert Comment

by:Rowley
ID: 34246896
...and thats /usr/sfw/bin, not sbin.
0
 
LVL 3

Author Comment

by:pma111
ID: 34256477
Thanks I've got a solaris box to practice all this on so I will get to work - I assume the best way to learn this is hands on experience. and putting your comments into practice
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question