Solved

File System Permissions

Posted on 2010-11-29
8
539 Views
Last Modified: 2013-12-27
I am looking to perform a review of file system permissions on a Solaris Server for the first time. I have done this a fair bit on Windows 2003 Server by reviewing the necessary file shares and directory (NTFS) permissions, but never so on Solaris (bare this in mind on your responses please).

The Solaris Server is a domain server as part of an AD domain which is predominantly made up of 99% windows servers and workstations, with a mere 3 solaris servers for specific applications. What is the most practical way to essentially say:

\\solarisdatabaseserver\backup - who has access /access control list
\\solarisdatabaseserver\database - who has access /access control list

Does Solaris also have the concept of “shares”, i.e. \\host\e$, and also any admin types shares, that are typically only accessible by local administrators?

I also sometimes like to run a directory listing for a server to see where key files are. On Windows I used to do something like

C:>DIR \\solarisdatabaseserver\share$ /s > listing.txt

So basically I could do with:

How to list all shares on the solaris server
How to list all people and users who can access these files on the server
How to get a directory listing per share on the server

And also if all IT admins only have windows machines, what are they likely to use to gain remote access to the server from their windows machine, say for example if someone asks for a log file so they have to logon and get it. What types of client and protocols are used in such examples?

Would prefer some EE input as opposed to just links.

Thanks
0
Comment
Question by:pma111
  • 4
  • 3
8 Comments
 
LVL 6

Accepted Solution

by:
Tomunique earned 250 total points
Comment Utility
wow... too much for 1 post... to answer this properly and completely, it's a small book.

to answer the easier parts of your question:
you need to log into the server (you can't do all your checking remotely)

besides protocols like http, or other applications that may be listening on ports..
putty (or some other ssh client) / telnet/ ftp / sftp/ are the primary access methods.
(check (via nfs -an|grep LISTEN) to see which ports the server is listening on.
While it's not 100% (ie you can move telnet to another port other than 23), it will be a decent start.
knowing what the server is monitoring, helps eliminate roads you need to research.

NFS and SMB are twp methods of exporting directories as "shares".  (SMB is most likely where you're getting your windows access from).
NFS: /etc/exports is where the server will list what directories are available.
I believe there's a file like /etc/smbexports  but, I'm not SMB literate.,

questions you'll need answered, if you don't know they yourself..
Do you have a user directory database besides /etc/passwd?  (LDAP?) (can of worms)
do you permit "annonymous" access from remote boxes? (nobody account)
check things like ssh keys for root or other admin accounts

Tom
0
 
LVL 13

Assisted Solution

by:Rowley
Rowley earned 250 total points
Comment Utility
Assuming command line access to the host:
To view active shares and access:   dfshares
To view all potential shares and access:    cat /etc/dfs/dfstab

Check for the existence of SMB on the host: ps -ef | grep smb
If running, check the config file. If not apparent as arguments to the smb process, try: pargs -l [pid]

To list all files/dirs and their corresponding permissions, from the root of the dir you want to traverse:
find . -ls

To list directories within a share and their acl, cd to the root of the dir you want to traverse and run:
find . -type d -ls

To remotely retrieve files from hosts, I commonly use scp, or if in a pinch ftp. I use WinSCP when connecting from Windows hosts.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Thanks so much. I guess what I am also wondering is in a windows network if a share is open to say the "everyone" group on a windows server, internal people can just mount it in explorer and dont have to enter a password or anything, if they are on the ACL they can just mount it as if it was a local drive and view all the data. ...

I just wonder if in Solaris if theres a similar ACL to the "everyone" group or "domain users" then would people be able to use to tools and protocols to access the data WITHOUT needing to enter a password to retreive data from a windows machine? Or in a nutshell if you are going to acces a solaris box from windows you are always going to have to enter a password to get at data
0
 
LVL 13

Expert Comment

by:Rowley
Comment Utility
The SaMBa application uses the smb protocol to make local files available to windows clients - not Solaris. There is no native support for smb (aka windows) clients in any current production release of solaris.

That said, SaMBa can be configured to behave in any number of ways including the way in which you have mentioned. It is well documented and is a mature, feature rich and stable product.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Author Comment

by:pma111
Comment Utility
Does SAMBA come by default in newer versions of Solaris? Or is it more of an addon?
0
 
LVL 13

Expert Comment

by:Rowley
Comment Utility
I retract - /usr/sfw/sbin contains the binaries for smb. svcs samba will show you the status and svcprop samba will show you the service params on Solaris 10. Admittedly, its been a while since I used it...(solaris 8)

:S
0
 
LVL 13

Expert Comment

by:Rowley
Comment Utility
...and thats /usr/sfw/bin, not sbin.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Thanks I've got a solaris box to practice all this on so I will get to work - I assume the best way to learn this is hands on experience. and putting your comments into practice
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now