• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 558
  • Last Modified:

File System Permissions

I am looking to perform a review of file system permissions on a Solaris Server for the first time. I have done this a fair bit on Windows 2003 Server by reviewing the necessary file shares and directory (NTFS) permissions, but never so on Solaris (bare this in mind on your responses please).

The Solaris Server is a domain server as part of an AD domain which is predominantly made up of 99% windows servers and workstations, with a mere 3 solaris servers for specific applications. What is the most practical way to essentially say:

\\solarisdatabaseserver\backup - who has access /access control list
\\solarisdatabaseserver\database - who has access /access control list

Does Solaris also have the concept of “shares”, i.e. \\host\e$, and also any admin types shares, that are typically only accessible by local administrators?

I also sometimes like to run a directory listing for a server to see where key files are. On Windows I used to do something like

C:>DIR \\solarisdatabaseserver\share$ /s > listing.txt

So basically I could do with:

How to list all shares on the solaris server
How to list all people and users who can access these files on the server
How to get a directory listing per share on the server

And also if all IT admins only have windows machines, what are they likely to use to gain remote access to the server from their windows machine, say for example if someone asks for a log file so they have to logon and get it. What types of client and protocols are used in such examples?

Would prefer some EE input as opposed to just links.

Thanks
0
pma111
Asked:
pma111
  • 4
  • 3
2 Solutions
 
TomuniqueCommented:
wow... too much for 1 post... to answer this properly and completely, it's a small book.

to answer the easier parts of your question:
you need to log into the server (you can't do all your checking remotely)

besides protocols like http, or other applications that may be listening on ports..
putty (or some other ssh client) / telnet/ ftp / sftp/ are the primary access methods.
(check (via nfs -an|grep LISTEN) to see which ports the server is listening on.
While it's not 100% (ie you can move telnet to another port other than 23), it will be a decent start.
knowing what the server is monitoring, helps eliminate roads you need to research.

NFS and SMB are twp methods of exporting directories as "shares".  (SMB is most likely where you're getting your windows access from).
NFS: /etc/exports is where the server will list what directories are available.
I believe there's a file like /etc/smbexports  but, I'm not SMB literate.,

questions you'll need answered, if you don't know they yourself..
Do you have a user directory database besides /etc/passwd?  (LDAP?) (can of worms)
do you permit "annonymous" access from remote boxes? (nobody account)
check things like ssh keys for root or other admin accounts

Tom
0
 
RowleyCommented:
Assuming command line access to the host:
To view active shares and access:   dfshares
To view all potential shares and access:    cat /etc/dfs/dfstab

Check for the existence of SMB on the host: ps -ef | grep smb
If running, check the config file. If not apparent as arguments to the smb process, try: pargs -l [pid]

To list all files/dirs and their corresponding permissions, from the root of the dir you want to traverse:
find . -ls

To list directories within a share and their acl, cd to the root of the dir you want to traverse and run:
find . -type d -ls

To remotely retrieve files from hosts, I commonly use scp, or if in a pinch ftp. I use WinSCP when connecting from Windows hosts.
0
 
pma111Author Commented:
Thanks so much. I guess what I am also wondering is in a windows network if a share is open to say the "everyone" group on a windows server, internal people can just mount it in explorer and dont have to enter a password or anything, if they are on the ACL they can just mount it as if it was a local drive and view all the data. ...

I just wonder if in Solaris if theres a similar ACL to the "everyone" group or "domain users" then would people be able to use to tools and protocols to access the data WITHOUT needing to enter a password to retreive data from a windows machine? Or in a nutshell if you are going to acces a solaris box from windows you are always going to have to enter a password to get at data
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
RowleyCommented:
The SaMBa application uses the smb protocol to make local files available to windows clients - not Solaris. There is no native support for smb (aka windows) clients in any current production release of solaris.

That said, SaMBa can be configured to behave in any number of ways including the way in which you have mentioned. It is well documented and is a mature, feature rich and stable product.
0
 
pma111Author Commented:
Does SAMBA come by default in newer versions of Solaris? Or is it more of an addon?
0
 
RowleyCommented:
I retract - /usr/sfw/sbin contains the binaries for smb. svcs samba will show you the status and svcprop samba will show you the service params on Solaris 10. Admittedly, its been a while since I used it...(solaris 8)

:S
0
 
RowleyCommented:
...and thats /usr/sfw/bin, not sbin.
0
 
pma111Author Commented:
Thanks I've got a solaris box to practice all this on so I will get to work - I assume the best way to learn this is hands on experience. and putting your comments into practice
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now