How to secure the application pages in SharePoint 2013 with Claims authentication - sharepoint

I want to secure the application pages in SharePoint 2013 with Claims authentication, but it does not seem to be working.
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
However, it works with Windows-based authentication.
Update: 21-May-15:
I have fixed this:
<configuration>
<location path="_layouts/15/settings">
<system.web>
<authorization>
<allow users="0#.w|demo\user1"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
However, it is not authorizing the AD group; I have tried the variants below.
<allow users="c:0+.w|demo\group1"/>
<allow roles="c:0+.w|demo\group1"/>
<allow users="0+.w|demo\group1"/>
<allow roles="0+.w|demo\group1"/>
<allow users="demo\group1"/>
<allow roles="demo\group1"/>
<allow users="c:0+.w|sid"/>
<allow roles="c:0+.w|sid"/>
<allow users="0+.w|sid"/>
<allow roles="0+.w|sid"/>
<allow users="sid"/>
<allow roles="sid"/>
How do I authorize both the individual user and AD groups?
Update: 22-May-2015
<location path="_layouts/15/viewlsts.aspx">
<system.web>
<authorization>
<allow users="Group1" />
<allow users="Domain\Group1" />
<allow users="0#.w|Domain\Group1" />
<allow users="c:0+.w|Domain\Group1" />
<allow users="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow users="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="Group1" />
<allow roles="Domain\Group1" />
<allow roles="0#.w|Domain\Group1" />
<allow roles="c:0+.w|Domain\Group1" />
<allow roles="s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<allow roles="c:0+.w|s-1-5-21-1971354296-1767978563-xxxxxxx-yyyyyy" />
<deny users="*" />
</authorization>
</system.web>
</location>
Still it is not working.

The prefix is different for groups.
Have you tried?
<allow users="c:0+.w|demo\group1"/>
If it works, you can then authorize groups and users like this:
<allow users="c:0+.w|demo\group1,0#.w|demo\user1"/>
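An added example, not code from the question or the answer above: it decodes the SharePoint claims encoding used in these web.config entries and replays ASP.NET's first-match allow/deny evaluation, which shows that a users= entry is compared only against Identity.Name (so a group written there never matches a logged-on user) while group membership has to come through a roles= rule. The Principal class, its set of encoded group claims and the is_in_role matching are assumptions of this example, not SharePoint's implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Claim-type and issuer characters of the SharePoint claims encoding that matter here:
# '#' = Windows logon name, '+' = Windows group SID, 'w' = issued by Windows.
CLAIM_TYPES = {"#": "userlogonname", "+": "groupsid", "-": "role", "5": "email"}
ISSUERS = {"w": "windows", "t": "trusted", "m": "membership", "r": "role", "f": "forms"}
_CLAIM_RE = re.compile(r"^(?:([ic]):)?0([^.])\.([a-z])\|(.+)$")


def parse_claim(encoded: str) -> dict:
    """Split 'i:0#.w|demo\\user1' or '0+.w|demo\\group1' into its named parts."""
    m = _CLAIM_RE.match(encoded)
    if not m:
        raise ValueError(f"not a claims-encoded identity: {encoded!r}")
    kind, ctype, issuer, value = m.groups()
    return {"identity": kind == "i",  # the 'i:' prefix marks the identity claim itself
            "type": CLAIM_TYPES.get(ctype, ctype),
            "issuer": ISSUERS.get(issuer, issuer),
            "value": value}


@dataclass
class Principal:
    """Stand-in for HttpContext.User: Identity.Name plus the user's encoded group claims."""
    name: Optional[str]                        # None models an anonymous request
    groups: set = field(default_factory=set)   # constructed, e.g. {'c:0+.w|demo\\group1'}

    def is_in_role(self, role: str) -> bool:
        # Assumption of this example: a roles= entry matches one of the principal's
        # encoded group claims, compared case-insensitively.
        return role.lower() in {g.lower() for g in self.groups}


def url_authorized(rules, user: Principal) -> bool:
    """Apply <allow>/<deny> rules in document order; the first rule that matches decides,
    as ASP.NET's UrlAuthorizationModule does. A rule is (action, kind, csv), e.g.
    ('allow', 'users', 'c:0+.w|demo\\group1,0#.w|demo\\user1')."""
    for action, kind, csv in rules:
        for entry in (e.strip() for e in csv.split(",") if e.strip()):
            if kind == "users":   # compared against Identity.Name only, never against groups
                hit = (entry == "*"
                       or (entry == "?" and user.name is None)
                       or (user.name is not None and entry.lower() == user.name.lower()))
            else:                 # roles
                hit = entry == "*" or user.is_in_role(entry)
            if hit:
                return action == "allow"
    return True  # nothing matched: the machine-level <allow users="*"/> every app inherits applies
```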

Related

DBUS ofono can not communicate with pulseaudio

I am trying to set up bluez-5.50 with ofono-1.18 and pulseaudio-12.0 in order to handle phone calls over Bluetooth. However, I'm getting the following problem over dbus-monitor.
error time=1539324786.794398 sender=org.freedesktop.DBus -> destination=:1.28 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=23
string "Rejected send message, 1 matched rules; type="method_return", sender=":1.28" (uid=0 pid=22288 comm="pulseaudio --realtime ") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.25" (uid=0 pid=22285 comm="/usr/sbin/ofonod -d -n ")"
My /etc/dbus-1/system.conf is as follows:
<policy user="root">
<allow own="org.pulseaudio"/>
<allow own="org.pulseaudio.Server"/>
<allow own="org.ofono"/>
<allow send_destination="org.ofono"/>
<allow send_interface="org.ofono.SimToolkitAgent"/>
<allow send_interface="org.ofono.PushNotificationAgent"/>
<allow send_interface="org.ofono.SmartMessagingAgent"/>
<allow send_interface="org.ofono.PositioningRequestAgent"/>
<allow send_interface="org.ofono.HandsfreeAudioAgent"/>
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.MediaEndpoint1"/>
<allow send_interface="org.bluez.MediaPlayer1"/>
<allow send_interface="org.bluez.ThermometerWatcher1"/>
<allow send_interface="org.bluez.AlertAgent1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.HeartRateWatcher1"/>
<allow send_interface="org.bluez.CyclingSpeedWatcher1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
To my understanding, pulseaudio and ofono cannot communicate, although I get sound output from ofono to pulseaudio. Another reason might be that pulseaudio is started with pulseaudio --start, while the other daemons are started by systemd services.
After a while, ofono disconnects, even Bluetooth disconnects. I suspect this dbus error might be the cause of that. Any guidance is appreciated.
Make sure ofono is installed:
sudo apt-get install ofono
Make sure the pulse user is created and is part of the bluetooth group.
Grant the permission: add this to /etc/dbus-1/system.d/ofono.conf (inside <busconfig></busconfig>):
<policy user="pulse">
<allow send_destination="org.ofono"/>
</policy>
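As an added example, not code from the question or the answer, the script below replays dbus-daemon's policy precedence on a constructed busconfig that holds the system-bus default deny of method calls, ofono's root policy and the <policy user="pulse"> block the answer adds, so the same method call from the pulse user is denied without the block and allowed with it. The GET_MODEMS message, the ordering helper and the treatment of the destination as the owned well-known name are this example's assumptions; replies such as the method_return in the poster's log are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed busconfig for this example (not the poster's full system.conf): the
# system-bus default that denies method calls, ofono's root policy, and the
# <policy user="pulse"> block the answer above adds to /etc/dbus-1/system.d/ofono.conf.
BUSCONFIG = """<busconfig>
  <policy context="default">
    <deny send_type="method_call"/>
    <allow send_destination="org.freedesktop.DBus"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
  <policy user="root">
    <allow own="org.ofono"/>
    <allow send_destination="org.ofono"/>
  </policy>
  <policy user="pulse">
    <allow send_destination="org.ofono"/>
  </policy>
</busconfig>"""

def ordered_policies(root, user, groups, at_console=False):
    """Policy blocks in the order dbus-daemon(8) applies them: default context, the
    connection's groups, its user, at_console, then mandatory; later blocks override."""
    pol = list(root.iter("policy"))
    return ([p for p in pol if p.get("context") == "default"]
            + [p for p in pol if p.get("group") in groups]
            + [p for p in pol if p.get("user") == user]
            + [p for p in pol if p.get("at_console") == str(at_console).lower()]
            + [p for p in pol if p.get("context") == "mandatory"])

def send_rule_matches(rule, msg):
    """A rule governs sending only if it has send_* attributes; it matches when each
    one equals the same-named message field (destination, interface, member, type).
    Simplification: 'destination' is the well-known name the receiving daemon owns."""
    conds = {k[len("send_"):]: v for k, v in rule.attrib.items() if k.startswith("send_")}
    return bool(conds) and all(msg.get(f) == v for f, v in conds.items())

def can_send(xml_text, user, groups, msg):
    """Within and across policies the last matching rule wins, so the allow for org.ofono
    in the later <policy user="pulse"> overrides the default deny of method calls."""
    allowed = False  # a method call that no rule mentions stays denied
    for policy in ordered_policies(ET.fromstring(xml_text), user, groups):
        for rule in policy:
            if rule.tag in ("allow", "deny") and send_rule_matches(rule, msg):
                allowed = rule.tag == "allow"
    return allowed

# Constructed example of a call pulseaudio's ofono backend makes on the system bus.
GET_MODEMS = {"destination": "org.ofono", "type": "method_call",
              "interface": "org.ofono.Manager", "member": "GetModems"}
```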

Linux BLE Gatt server program is unable to retrieve dbus org.bluez object when run as a service

Linux BLE Gatt server program is unable to retrieve dbus org.bluez object when run as a service. The program works fine when I run it from the terminal as root, but it fails when I try to have it run as a service.
Here is my systemd testproj.service file
[Unit]
Description=Start BLE Gatt Server
[Service]
Type=dbus
BusName=com.testproj
WorkingDirectory=/home/root/ble_gatt_server
ExecStart=/home/root/ble_gatt_server/standalone
User=root
[Install]
WantedBy=multi-user.target
Also, here are my permission files for dbus.
testproj.conf content is below:
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy at_console="true">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy group="lp">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
<policy context="default">
<allow own="com.testproj"/>
<allow send_destination="com.testproj"/>
<allow send_destination="org.bluez"/>
</policy>
</busconfig>
bluetooth.conf content is below:
<!-- This configuration file specifies the required security policies
for Bluetooth core daemon to work. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- ../system.conf have denied everything, so we just punch some holes -->
<policy user="root">
<allow own="org.bluez"/>
<allow send_destination="org.bluez"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.MediaEndpoint1"/>
<allow send_interface="org.bluez.MediaPlayer1"/>
<allow send_interface="org.bluez.ThermometerWatcher1"/>
<allow send_interface="org.bluez.AlertAgent1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.HeartRateWatcher1"/>
<allow send_interface="org.bluez.CyclingSpeedWatcher1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
<policy at_console="true">
<allow send_destination="org.bluez"/>
</policy>
<!-- allow users of lp group (printing subsystem) to
communicate with bluetoothd -->
<policy group="lp">
<allow send_destination="org.bluez"/>
</policy>
<policy context="default">
<deny send_destination="org.bluez"/>
</policy>
</busconfig>

Which settings or privileges does a user need to use NetworkManager.Settings.Connection?

I've tried to call the GetSettings method of the D-Bus object org.freedesktop.NetworkManager.Settings.Connection at the path /org/freedesktop/NetworkManager/Settings/2 (the settings number is just an example) from a Qt application. When I ran this application as a user with
$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),27(sudo),30(dip),
46(plugdev),113(lpadmin),129(sambashare)
it worked fine without errors, but when I started the application as the lightdm greeter (the lightdm user starts the process) it logged the error:
org.freedesktop.NetworkManager.Settings.PermissionDenied uid 108 has no permission
to perform this operation
I've tried to make it work with the org.freedesktop.NetworkManager.conf below:
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.PPP"/>
<allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
<!-- These are there because some broken policies do
<deny send_interface="..." /> (see dbus-daemon(8) for details).
This seems to override that for the known VPN plugins.
-->
<allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
<allow send_destination="org.freedesktop.NetworkManager.openswan"/>
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.pptp"/>
<allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
<allow send_destination="org.freedesktop.NetworkManager.ssh"/>
<allow send_destination="org.freedesktop.NetworkManager.iodine"/>
<allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
<allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
<allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
<allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
<!-- Allow the custom name for the dnsmasq instance spawned by NM
from the dns dnsmasq plugin to own it's dbus name, and for
messages to be sent to it.
-->
<allow own="org.freedesktop.NetworkManager.dnsmasq"/>
<allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>
<policy user="whoopsie">
<allow send_destination="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device"/>
</policy>
<policy context="default">
<deny own="org.freedesktop.NetworkManager"/>
<deny send_destination="org.freedesktop.NetworkManager"/>
<!-- Basic D-Bus API stuff -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Introspectable"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.DBus.ObjectManager"/>
<!-- Devices (read-only properties, no methods) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Team"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
<!-- Devices (read-only, no security required) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>
<!-- Devices (read/write, secured with PolicyKit) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Device"/>
<!-- Core stuff (read-only properties, no methods) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.IP4Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.IP6Config"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
<!-- Core stuff (read/write, secured with PolicyKit) -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"/>
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>
<!-- Agents; secured with PolicyKit. Any process can talk to
the AgentManager API, but only NetworkManager can talk
to the agents themselves. -->
<allow send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.AgentManager"/>
<!-- Root-only functions -->
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"
send_member="SetLogging"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager"
send_member="Sleep"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"
send_member="LoadConnections"/>
<deny send_destination="org.freedesktop.NetworkManager"
send_interface="org.freedesktop.NetworkManager.Settings"
send_member="ReloadConnections"/>
<deny own="org.freedesktop.NetworkManager.dnsmasq"/>
<deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>
<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
</busconfig>
Could you help me make it work?
Thanks.

Anonymous Directory in Azure Pack

I've recently created an MVC application that leverages Windows Authentication. I have a subdirectory named "EventReceivers" that I want to allow anonymous access to. I've updated my web.config with the proper location element and all works fine on Windows Server 2012 with IIS 8. However, when I deploy the same project to Azure Pack, the files in the EventReceivers directory prompt users for credentials.
Below is my web.config snippet. Any suggestions?
<system.web>
<customErrors mode="Off"/>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Windows" />
<authorization>
<allow verbs="OPTIONS" users="*" />
<deny users="?" />
</authorization>
</system.web>
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
You must also disable Windows authentication within the location element, like so:
<location path="EventReceivers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>

asp.net C# - set roles in web.config for subdirectory

After login I am not able to access the page; after login it redirects to the login page again.
I am using a two-level folder structure. The CMS folder contains two folders:
1. User
2. Admin
---CMS
----User
----Admin
That is, CMS/{USER}{Admin}.
In the main web.config I set the loginUrl and allow all users:
<system.web>
<compilation debug="true" targetFramework="4.0">
</compilation>
<authentication mode="Forms">
<forms name="HESCMS1.0" loginUrl="~/CMS/User/Login.aspx" timeout="40" slidingExpiration="true" cookieless="UseCookies" protection="All" requireSSL="false" enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
</system.web>
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
In the User folder web.config, set the role for the admin user:
<system.web>
<authorization>
<allow roles="CMSUserAdmin" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
In the Admin folder web.config, set the role for the super admin:
<system.web>
<authorization>
<allow roles="CMSSuperAdmin"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This is my first post on Stack, so I do not have much experience.
