User permissions in WMI - security

Does anyone know which WMI class is to be used to get information about which users or user groups have permission for a given folder?

Yes, it's possible to get and set file permissions via WMI; here's an MS Scripting Guys article with explanation and examples.
...but there are so many better/easier ways to manage security, from CACLS/XCACLS to ADSecurity.dll and more.

Related

How to make a Role Based Access Control system like discord in node js

Just as the topic says, I wanted to make a role-based system in Node.js. I got inspired by the system there is in Discord. Can anyone please guide me?
You can do that by using multiple helper tables to make a graph, an RBAC (Role Based Access Control) approach. This is an opinionated answer, so take a deep look, try it, and consider it.
Here is the dbdiagram URL: https://dbdiagram.io/d/5f5f2c007da1ea736e2dbe4c. I explain in the comments there.

I would like to authenticate users using Radius, but place all successful users in the same home directory with the same shell replacement

I am trying to allow ssh users to be defined in Radius, but share a home directory, shell, etc. The idea is that all users share the same home directory and default shell (an application). I would like to avoid creating numerous accounts on the local machine (really a docker container) since their activity is constrained by the application. I think that I just need to replace the user database information, but I don't understand how to just override that part of the login activity. Has anyone else done this or should I be solving this a different way?
Ok, I am going to answer my own question. If you have better information, please contribute. This question might have been better in ServerFault, but as a programmer I spend more time on StackOverflow so I did not think of that.
The PAM library is useful for single sign-on, but it cannot replace the /etc/passwd file and related files. PAM and the other assets it brings in supplement the internal Linux info. So, while you can authenticate with a remote server like Radius, you will still have entries in /etc/passwd. The control flow is a list of rules in pam.conf and the top-level library works its way down the list letting each module (plug-in) do its work. Read 'man pam.conf' and 'man pam_mkhomedir' for good information on how this works.
A module implements 6 functions so it is very approachable to add new modules. See pam_deny.c for the simplest module.
Also, getpwnam is a function you may need in whatever it is you are trying to do. You can read about that using 'man getpwnam', but you probably already knew that.

How to log internet certificate users in IBM Domino server?

I know authenticated internet certificate users are logged. I would like to log the internet certificate users (that are NOT in Address Book). Currently these users appear as Anonymous in the log. I want to have the user's common name associated with the certificate to appear in the log. I know the CGI variable "HTTPS_CLIENT_CERT_COMMON_NAME" will capture this.
Any ideas would be appreciated.
V/R,
Kev
You'll have to put code in your applications to do this, or write a DSAPI plugin if you want it done at the server level.
If you're looking for a solution that doesn't involve writing custom code, that's really a question for ServerFault rather than StackOverflow - but I suspect that there's no solution for that.

Administrative IT Scripts (security issues)

I am doing homework and having a hard time finding the information I need; I am just looking for some guidance. I need to identify some administrative IT tasks that use scripting, but the script used causes some type of security issue. What would be the issue and how would the issue be solved? Summary, keywords, links, anything would be great. Thanks
This is a sample of something I could imagine some ignorant IT guy doing...
Write a PHP script where you pass a path of where you want a database backed up to. Then an adversary could pass a path inside the HTML document root. I could then download the entire database to my computer.
Might not be the best example but it happens.
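An added example, not part of the original answer, of how the backup-path issue described above is usually closed: the script accepts only a bare file name and writes into a fixed directory that is checked to lie outside the document root. The function name, the temporary directories and the `.sql` naming rule are assumptions made for illustration.

```php
<?php
// Added example: names, paths and the naming rule are constructed for illustration.
// The weak form takes the whole destination path from the request; this form
// takes a file name only and pins the directory in configuration.

function backupDestination(string $requested, string $backupDir, string $docRoot): string
{
    $backupDir = realpath($backupDir);
    $docRoot   = realpath($docRoot);
    if ($backupDir === false || $docRoot === false) {
        throw new RuntimeException('backup directory or document root does not exist');
    }
    // Configuration check: backups must never be written under the web root.
    if (strpos($backupDir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('backup directory is inside the document root');
    }
    // Accept a bare file name only: no separators, no "..", fixed extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/', $requested)) {
        throw new InvalidArgumentException('invalid backup file name');
    }
    return $backupDir . DIRECTORY_SEPARATOR . $requested;
}

// Constructed demo layout: temporary directories stand in for a real server.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
$docRoot = $base . DIRECTORY_SEPARATOR . 'htdocs';
$backups = $base . DIRECTORY_SEPARATOR . 'backups';
mkdir($docRoot, 0700, true);
mkdir($backups, 0700, true);

// One acceptable name, one traversal attempt, one absolute path under the web root.
$inputs = ['nightly.sql', '../htdocs/dump.sql', $docRoot . DIRECTORY_SEPARATOR . 'dump.sql'];
foreach ($inputs as $input) {
    try {
        echo $input, ' => ', backupDestination($input, $backups, $docRoot), PHP_EOL;
    } catch (Exception $e) {
        echo $input, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first input yields a destination; the other two fail the file-name check before any path is built.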

More Than 32 Roles/Permissions Symfony2 Security System?

Everything in Symfony2 looks pretty good; however, there is one issue I can't seem to find a solution to. The issue is that Symfony2's security component is limited to 30-32 roles/permissions. One of my projects, a project management/issue tracker system, is going to need more than 32 permissions. There are a number of different components of the system that need to have their own set of permissions. Just because someone has create, read, update, or delete permissions to issues does not mean they have those permissions for projects, milestones, etc... Each component is going to need its own create, read, update, and delete permission, not to mention component-specific permissions, and there is no doubt I will reach the 30-32 roles/permission limit.
I have asked in IRC and on the mailing list with no real direction of where to go. I would prefer to be able to just add this functionality on top of the existing security component (preferably through a bundle). I am not sure how I can achieve more than 30-32 roles/permissions with Symfony2's security component.
I would really prefer not to have to develop my own security system w/ ACL.
As stated before in the question comments by gilden:
But this is exactly the use case for ACL. You can start using the built-in ACL system today! It's quite easy to modify/extend as well to best suit your needs.
For beginners, I think it's best to read these articles from Symfony2 official book in the following order:
Security - Including info about: Authentication and Authorization, Users & Roles, Access Control in Templates & Controllers
Access Control Lists (ACLs) - Including info about: Bootstrapping & configuration, Creating an ACL, an ACE, Checking Access & Cumulative Permissions
Advanced ACL Concepts - Including info about: Design Concepts, Database Table Structure, Scope, Pre- & Post-Authorization Decisions, Process for Reaching Authorization Decisions
There are also some interesting questions here at SO.com about Symfony2 ACLs.
Good luck!
I think you kind of misunderstood the ACL system: you can only create 32 kinds of role, but per domain object. This is done using bitmask operations on integers (this explains the '32' limitation, as an integer is ... well, you know the answer).
So for example the permission to delete one object would be the same - 'MASK_DELETE' - for a project, a milestone or a ticket. So if you used the ProblematicAclManagerBundle you would just have to do:
$aclManager->addPermission($ticket, $userEntity, MaskBuilder::MASK_DELETE);
or
$aclManager->addPermission($project, $userEntity, MaskBuilder::MASK_DELETE);
to give your user permission to delete $project or $ticket, for instance. It also creates the ACL entry for the domain object and the entry for the user if they are not already there. What I need to know, though, is if you can create different mask names for a class, or for every class of a bundle?
You will find a deeper explanation of ACLs here.
I know this is an old post, but I just wanted to share this with anyone who has a similar answer.
The key to providing a solution is in this sentence in your question:
There are a number of different components of the system that need to have their own set of permissions.
For each of these components you could create a separate voter.
Create a class that extends AclVoter.
Override the supportsClass() method to make sure the voter will only vote for classes of the component it is meant for.
Create your own PermissionMap containing the set of permissions the component needs.
Pass the PermissionMap to the AclVoter in your services configuration.
Tag the voter as security.voter so the AccessDecisionManager will start using it.
This should get you a long way.
I also recommend going through the code of the ACL Component; there are a lot of features that unfortunately aren't documented.
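An added example, not taken from any of the answers and not Symfony's own classes or API, of the two points made above: masks are stored per domain object, and a separate permission map per component lets each component reuse the same bit positions. The `ToyAcl` class, the permission names `ASSIGN` and `ARCHIVE` and the sample objects are hypothetical.

```php
<?php
// Added example: a toy in-memory ACL, not Symfony's classes or API.
// Each component has its own permission map, so the integer-width ceiling
// applies per component map and per entry, not to the whole system.

final class ToyAcl
{
    private $maps;          // component class => [permission name => bit]
    private $entries = [];  // "Class#id|user" => integer mask

    public function __construct(array $maps)
    {
        $this->maps = $maps;
    }

    private function mask(string $class, string $permission): int
    {
        $bit = $this->maps[$class][$permission] ?? null;
        if ($bit === null) {
            // Fail closed: a permission unknown to this component is an error.
            throw new InvalidArgumentException("$class has no permission $permission");
        }
        return $bit;
    }

    public function grant(string $class, int $id, string $user, string ...$permissions): void
    {
        $key = "$class#$id|$user";
        foreach ($permissions as $p) {
            $this->entries[$key] = ($this->entries[$key] ?? 0) | $this->mask($class, $p);
        }
    }

    public function isGranted(string $class, int $id, string $user, string $permission): bool
    {
        $mask = $this->mask($class, $permission);
        return (($this->entries["$class#$id|$user"] ?? 0) & $mask) === $mask;
    }
}

// Constructed maps: bit 8 means ASSIGN for tickets and ARCHIVE for projects.
$acl = new ToyAcl([
    'Ticket'  => ['VIEW' => 1, 'EDIT' => 4, 'DELETE' => 8, 'ASSIGN'  => 1 << 8],
    'Project' => ['VIEW' => 1, 'EDIT' => 4, 'DELETE' => 8, 'ARCHIVE' => 1 << 8],
]);
$acl->grant('Ticket', 42, 'alice', 'VIEW', 'DELETE');
$acl->grant('Project', 7, 'alice', 'VIEW', 'ARCHIVE');

foreach ([['Ticket', 42, 'DELETE'], ['Project', 7, 'DELETE'], ['Project', 7, 'ARCHIVE']] as [$c, $id, $p]) {
    printf("%s#%d %s: %s\n", $c, $id, $p, $acl->isGranted($c, $id, 'alice', $p) ? 'granted' : 'denied');
}
```

The DELETE grant on ticket 42 does not carry over to project 7, and asking a component for a permission its map does not define raises an error instead of silently returning false.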
