We are using XWiki in Version 4.5 and I want to set edit-rights by default for every user. But setting edit-rights on XWikiAllGroup globaly via the administration-panel doesn't take effect. I still need to add edit-rights explicitly on every space. Is this a bug or am I misunderstanding anything in XWikis rights-management?
Thx!
Hein
When ever you create any space in xwiki you need to set write permission for different groups.
Here are a few things about permissions in xwiki I would like to tell you..
1> whenever a user login for first time he moves into XWikiAllGroup because this group has by default privilege of registering a user which you can remove and give to other group.
2> you can create a group of your own and give permissions to user as per your req. which is the best part of it. You need to go to space and set the group permissions.
Always keep a user in a single group to avoid any complication.
Related
I'm playing with C9's SDK a little, trying to write a simple plugin. according to Settings and Preferences as well as settings, one can store settings in the user context using something like
settings.set("user/my-plugin/#someKey", 100);
no problem with that. the problem is that apparently there's no obvious way to remove a setting. In a desperate try, I tried to find the path for the file in which user settings are stored and remove the settings manually, according to the code in settings.js, they should be in ~/.c9/user.settings, but no such file exists. I also never defined userConfigPath in package.json. so can I remove a user setting? how?
set it to undefined to remove settings.set("user/my-plugin/#someKey", undefined);
Or use cloud9>open your user settings menu item.
~/.c9/user.settings is used only in standalone version, on c9.io user settings are stored in a database outside of user vm.
We use chef to provision our boxes but most of our deployments are onto windows, as such infrastructure for our linux boxes isn't all there; because of this I can't log on using my own user/password.
The mechanisms for allowing login only work on windows (it's just not a priority for doing it on linux at the moment) and we only have root passwords and I don't have access to that (rightfully so).
However I could create a user during the chef run, I've looked but to be honest they're all kinda confusing, so I thought I'd ask and hope someone with experience might have a better solution.
How do I create a user with admin access so I can ssh in and do what needs to be done on the box via chef?
Best guidance I can give:
Use the user resource to create the user and then the sudo cookbook to add this user to the sudoers list.
User resource documentation
A stackoverflow question on the password attribute
Sudo cookbook
So you should end up with a cookbook containing the following:
metadata.rb
[...] # stripped usual lines for cookbook name version
depends 'sudo' # add the dependency to use only one cookbook
attributes/default.rb:
default['user_to_create'] = "user3536548" # took you SO account here
default['authorization']['sudo']['users'] << node['user_to_create'] # Add the defined user in the array (using attribute to avoid duplication of user name), this avoid overwriting entries from other recipes and as the attribute is initialized as an empty array it will be ok anyway.
recipes/default.rb
user node['user_to_create'] # create the user, see the doc for details
include_recipe 'sudo' # include the sudo recipe to take advantages of the atrtibutes above.
Windows 7, 32 bit. I have added the "Group Policy Object" to the MMC with group selected as "non-administrators" (from [browse]-->Users). I have locked down the capabilities of the local machine so that non-administrators can do very little, and now I want to be able to apply this policy setting to clones of this machine. Further, I want to be able to put these settings into source control so that policy modifications can be tracked. I want the administrators to have full capabilities.
Once configured on my target machine, I have created a WIM with the Microsoft Deployment Toolkit (MDT) which solves the first half of my needs but this makes it hard to compare any changes to the policy.
I have installed the Security Compliance Manager (SCM) but this wants a baseline to start with and I do not see how to apply policies to groups with this tool. I have installed the LocalGPO.wsf tool as well and have created a backup of the local policy with the /Export switch, but when I use the MMC to change the non-administrator policies, this is not reflected with the LocalGPO.wsf when I run the /Compare against my previously exported GPO. We cracked open the LocalGPO.wsf file and at first glance it looks like it calls SECEDIT.exe which does not seem to take any switches for group policies.
Am I missing a switch on the LocalGPO.wsf that will export the non-administrator group policy settings so that I can put this into source control?
Is there another way to apply my changes to the non-administrators in the SCM? I could not find that menu item.
Are my aspirations too high to be able to update these policies in a controlled fashion?
Thanks - Steve
%windir%\System32\GroupPolicyUsers
Unhide files
or
MMC add Group Policy Object Editor -> Users Tab -> Non-Administrators Policy
Expand User Configuration > Windows Settings > Scripts > Logon; Click Add; Click Browse; It will open up the folder containing scripts. If you go up two folders you will find the folder to copy to other machines (for me it was called S-1-5-32-545).
I'd like to know the answer to this as well. I recently made a Windows 7 kiosk and I'd like to export the changes I made in non-administrators for future reference. It seems that gpresult only looks at what is applied from a domain level.
I have a web application that is run as www-data. I need to have cupsenable and cupsdisable accessible for that user. Its a server that isn't connected to the internet and is running a small internal application and i NEED to be able to give the users the ability to re-enable a printer.
I have already made the executables permissions world executable.
Testing with ...
sudo -u www-data /usr/sbin/cupsenable laser_01
cupsenable: Operation failed: client-error-forbidden
I just needed to add the user to the lpadmin group. I was over thinking this.
It seems like you don't have a problem with the execute-permissions. You must be permitted to administrate cups. So it isn't enough to modify your sudo-rules. In fact i rolled back my sudo-modifications after configuring cups correctly.
Try to edit your /etc/cups/cups-files.conf:
You can define a SystemGroup. All groups added here match the policy rules #SYSTEM in cupsd.conf.
Add the group(s) of your user(s) here and restart cups.
Find out the group of your user www-data.
Then add it, seperated by whitespace, to the SystemGroup in your cups.files.conf.
Restart cups.
That worked for me.
I am having a huge problem with the eventlog on my server. Right let me first of all explain the setup.
I have a domain setup with 2 computers
One computer is running IIS the other is a workstation. The IIS is running Win2k3 the workstation Win XP.
The IIS computer is hosting a website which uses Windows Impersonation and tries to log an entry to the eventlog for a custom log file called MyApp and a custom event source MySource
I have a domain user called MyUser who is just a member of Domain Users.
Single Sign On is working 100% because I can write out the logged in user to the page fine.
When I visit the IIS page from the workstation I get one of the following messages (sometimes I get the first sometimes the second)
1) The handle is invalid
2) Cannot open log for source 'MySource'. You may not have write access.
So to try and fix this I have tried all of the following:
Granted the Everyone user FullControl to C:\windows\system32\config\MyApp.evt file
Granted the everyone user FullControl to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
In the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp\CustomSD I appended the following string (A;;0x0002;;;AU), (the reason for this can be read here http://fgheysels.blogspot.com/2008/01/cannot-open-log-for-source-0-on-windows.html)
I am now totally out of ideas of how to fix this. Has anyone else come across this and have you tried anything else.
The error, as you seem to have found already, relates to writing to event sources or creating them. I would suggest you try the following.
You did not indicate if the event source exists in the registry or weather the .evt files ware created by the system or if you put them on the machine, so it is hard to determine at which point you are stuck.
You also did not mention if this works on some developer's machine, in which case you can compare the registries and even create the keys manually if you have to.
Have a look under ...\Eventlog if a key for your log has been created (MyApp?).
Have a look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp.
There should be a key called Sources. Does your source appear in here?
If these entries do not exist the error is that your user does not have permissions to create the custom log and source.
In the error message it should indicate a ThreadIdentity parameter, which should indicate which user account it is attempting to use to do this. You can also open the permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog and query the "Effective Permissions" for this particular user to ensure it effectively really has full control.
Try granting full control to the entire directory C:\windows\system32\config\ and not just the .evt file as the system needs to create some additional files here as well.
Lastly you can try and enable anonymous access to the website and run it as the machine/Domain administrator user once so all the keys get created before setting it back to the way you like it. You could also try enabling impersonation in the web.config file to ensure that it is not running without a windows identity. These ones you should all be able to undo once the correct keys and files have been created.
Let us know what you find after this and we can take it further.
Well after many hrs of trying to solve this I appear to have a solution which works.
First of all I had to allow the Authenticated Users group write access to the event log. I advice you backup your registry before continuing.
Run regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Open the subkey which matches the EventLog you are writing to (so I will pick Application)
On the right you will see the registry strings, locate one called CustomSD
Right click and modify it.
Append to the end (A;;0x2;;;AU) (I will explain this later)
Save the changes (I don't know if you need to reboot or not)
So that will mean Authenticated Users can write to the Application event log. I needed to apply one more change.
Open the Domain GPO or local computer GPO
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights > Assignments > Manage auditing and security log
Go to its Properties window
Select Define these policy settings
Add the Administrator group
Add the Authenticated Users group
Save and do a gpupdate /force for the affected computer.
That is the only way I could get it to allow my website users to write to the event log.
I mentioned in part 1 step 6 I would explain the string we added. Please see this page for more details http://support.microsoft.com/kb/323076