About chroot jails and ACL

I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM cause rtorrent will not use libraries that it needs and may be already in memory.
So I wonder, why people just don't create a new user, install ACL, block everything to that user but read access to /lib and some config files, and execute permission to only the needed binaries. It would be easy to do since as I understand if you block all /bin permissions to the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much more easier to setup than chroot jails!
When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
So, why is it that people seem to prefer chroot jails? Does installing ACL has some kind of performance penalty?

_Mike_ wrote:Does installing ACL has some kind of performance penalty?
Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute but basic commands.
Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
Last edited by jnguyen (2011-04-13 06:48:36)

Similar Messages

  • [solved] nginx chroot jail: open() "/run/nginx.pid" Permission denied

    I used the perl script from the nginx wiki to configure chroot jail and also configured the nginx systemd unit file. When I try to start the service I get
    # systemctl start nginx
    Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details.
    # systemctl status nginx.service
    nginx.service - A high performance web server and a reverse proxy server in chroot jail
    Loaded: loaded (/etc/systemd/system/nginx.service; enabled)
    Active: failed (Result: exit-code) since tis 2013-05-07 20:58:49 CEST; 4s ago
    Process: 418 ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited
    , status=1/FAILURE)
    Executing the ExecStartPre line produces the open error.
    # /usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
    nginx: [emerg] open() "/run/nginx.pid" failed (13: Permission denied)
    What could be causing this?
    Here's my nginx.service
    # cat /etc/systemd/system/nginx.service
    [Unit]
    Description=A high performance web server and a reverse proxy server in chroot jail
    After=syslog.target network.target
    [Service]
    Type=forking
    PIDFile=/srv/http/run/nginx.pid
    ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
    ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
    ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
    ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit
    [Install]
    WantedBy=multi-user.target
    /srv/http/run
    # ls -ahl /srv/http/run/
    totalt 8,0K
    drwxr-xr-x 2 root root 4,0K 7 maj 20.53 ./
    dr-x--x--x 9 root root 4,0K 7 maj 20.16 ../
    -rw-r--r-- 1 root root 0 7 maj 20.53 nginx.pid
    edit:
    # chroot --userspec http:http /srv/http /usr/sbin/nginx
    nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
    I tried to change the port to 8080 and got
    # chroot --userspec http:http /srv/http /usr/sbin/nginx
    nginx: [emerg] open("/dev/null") failed (13: Permission denied)
    solution:
    The problem was due to the partition being mounted nodev,nosuid.
    Last edited by seron (2013-05-08 11:25:12)

    I know this post is quite old but I wanted to say thank you to the author that you posted this solution. THANKS!!!

  • /dev/random and chroot jail

    I have a BIND configuration in a chroot jail - Solaris 10, u8, SPARC.   I need to create a /dev/random device in the jail to go along with the other devices that already exist in the jail (such as /jail/dev/null, etc).  The man page for mknod says "With the advent of physical device naming, it would be preferable to create a symbolic link to the physical name of the device (in the /devices subtree)  rather than using mknod."  Creating a link to the actual device in /devices however would entail a link that leaves the jail, and I always thought any link leaving the jail is not secure.  Any thoughts on this?  Should I use the link as suggested by the man page or use the mknod command within the jail and create the device there?

    I have a BIND configuration in a chroot jail - Solaris 10, u8, SPARC.   I need to create a /dev/random device in the jail to go along with the other devices that already exist in the jail (such as /jail/dev/null, etc).  The man page for mknod says "With the advent of physical device naming, it would be preferable to create a symbolic link to the physical name of the device (in the /devices subtree)  rather than using mknod."  Creating a link to the actual device in /devices however would entail a link that leaves the jail, and I always thought any link leaving the jail is not secure.  Any thoughts on this?  Should I use the link as suggested by the man page or use the mknod command within the jail and create the device there?

  • Chroot-jail password problem

    I've got a running chroot-jail to allow semi-trusted users ssh-access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot-jail (as it's suppose to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
    The question is basically, how do I get around this problem, making it possible for the logged in users to change their own password?

    Oh what a tangled web we weave.  I read up on keychain and I don't understand what I'm reading.  Right now I cannot download my email on my computer, I can access it through the cloud. I'm sure it will be the same for the other iCloud feathers.   When I go to preferences and select iCloud when ever I try to sign in I get some dialog box it shows up "A keychain cannot be found to store 1076701306.  It doesn't matter whether I reset it or cancel it out iCloud preferences remains grayed out. 
    In keychain access on the left side under keychains and Read's local item, systems, and systems roots.
    When I select local items nothing shows up to the right under the name column even when down under all items is selected nothing shows up.  And nothing shows up to the right when under categories I selected the other options password etc.  On the other hand when I select under keychains systems, systems roots I do get items to show up on the right side under names under all items, passwords, etc.  Where do I start?

  • Errors found when using tar and ACL's

    Having difficulties with TAR and ACLs, and wondering if anyone had seen this before.
    Here's the scenario: create a few directories and a few files. Tar it up and extract the files. Now assign some ACL's to them (some default for directories), tar it up, and extract the files. Permissions should remain the same. Under most circumstances they are.
    Now repeat the procedure, but put a default directory ACL on the parent directory where the TAR is created. What happens is that the group permissions for anything un-tared gets trashed.
    Here's a script to test it out.
    Create a dummy user (I called mine foobar) -- required for setting ACL's. Run the script with the "-d" option at first. Things appear good. You can compare the permissions on the bottom for each file/directory.
    Run the script with the "-s" option setting default ACL's on the parent.
    #!/usr/bin/sh
    ROOTDIR=/export/home/christian/config
    TESTDIR=/export/home/christian
    USER_X="oam"
    # Run the script once with normal permissions (no ACL's) in the test directory (where tar is located)
    # --> ./test.sh -d
    # look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They should be relatively the same:
    # --> rwxrwxrwx permissions on directories
    # --> rw-rw-rw- on files
    # Now run the script but set the parent directory of the script (where the TAR's are located) to have default ACL's
    # --> /opt/MMSsyscnf/sub2dir/test/test.sh -s
    # Now look at the result (ls -l) of .../sub1dir, .../sub1dir_acl, and /sub1dir_orig
    # They are COMPLETELY skewed. Both times we tried to untar the files, ACL's wound up
    # all over the place and permissions were not set correctly.
    # --> rwxrwxrwx permissions ONLY on original directory (not the product of an UNTAR)
    # --> rwxr--rwx permissions on directories created by untar
    # --> rw-rw-rw- on files ONLY on original directory (not the product of an UNTAR)
    # --> rw-r--rw- on files created by untar
    # ****** Why is group affected by this, but "other" is not?! It's gotta be a bug!
    # MAIN
    ACTION="NOPREP"
    while [ -n "$1" ]
    do
    if [ "ABC$1" = "ABC-d" ]; then
    #flag set to try and remove default directory ACL's
    setfacl -d u:$USER_X $TESTDIR
    setfacl -d d:u:$USER_X $TESTDIR
    setfacl -d d:u::,d:g::,d:m:,d:o: $TESTDIR
    elif [ "ABC$1" = "ABC-s" ]; then
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $TESTDIR
    setfacl -r -m d:u:$USER_X:rw- $TESTDIR
    setfacl -r -m u:$USER_X:r-x $TESTDIR
    fi
    shift;
    done
    # clean up previous run of the test
    rm -r $ROOTDIR
    # create files/directories
    mkdir $ROOTDIR
    mkdir $ROOTDIR/sub1dir
    mkdir $ROOTDIR/sub1dir/sub2dir
    mkdir $ROOTDIR/sub1dir/sub2dir/sub3dir
    #set permissions
    chmod 777 $ROOTDIR
    chmod 777 $ROOTDIR/sub1dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir
    chmod 777 $ROOTDIR/sub1dir/sub2dir/sub3dir
    # create files
    echo "" > $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "" > $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/file1.txt
    chmod 666 $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    # tar/zip the files:
    /usr/bin/tar -cvf $ROOTDIR/tarBeforeACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarBeforeACLs.tar
    # move the directory (so we keep the original as a template of what things should look like)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_orig
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarBeforeACLs.tar
    /usr/bin/tar -xvf $ROOTDIR/tarBeforeACLs.tar
    ls -lR $ROOTDIR
    # Ok. These have been tested to be the exact same.
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # Let's try using ACL's now
    # --> directories (owned by root) must be acessible to OAM user.
    # --> files (owned by root) must be read/writable by user OAM when created in the directories
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m u:$USER_X:r-x $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/file1.txt
    setfacl -r -m u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir
    setfacl -r -m d:u::rw-,d:g::r--,d:o:---,d:m:rwx $ROOTDIR/sub1dir/sub2dir/sub3dir
    setfacl -r -m d:u:$USER_X:rw- $ROOTDIR/sub1dir/sub2dir/sub3dir
    # here are things as they stand
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    # tar/zip the files:
    /usr/bin/tar -cvfp $ROOTDIR/tarAfterACLs.tar $ROOTDIR/sub1dir
    /usr/bin/gzip $ROOTDIR/tarAfterACLs.tar
    # move the directory (so we keep the directory that was applied ACL's)
    mv $ROOTDIR/sub1dir $ROOTDIR/sub1dir_acl
    # untar/zip the files:
    /usr/bin/gunzip $ROOTDIR/tarAfterACLs.tar
    /usr/bin/tar -xvfp $ROOTDIR/tarAfterACLs.tar
    # here are things after we've untared them
    ls -lR $ROOTDIR
    echo "********************************************************************************"
    echo "********************************************************************************"
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig $ROOTDIR/sub1dir_acl $ROOTDIR/sub1dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir $ROOTDIR/sub1dir_acl/sub2dir $ROOTDIR/sub1dir/sub2dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir $ROOTDIR/sub1dir_acl/sub2dir/sub3dir $ROOTDIR/sub1dir/sub2dir/sub3dir
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/file1.txt $ROOTDIR/sub1dir_acl/sub2dir/file1.txt $ROOTDIR/sub1dir/sub2dir/file1.txt
    echo "********************************************************************************"
    getfacl $ROOTDIR/sub1dir_orig/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir_acl/sub2dir/sub3dir/file2.txt $ROOTDIR/sub1dir/sub2dir/sub3dir/file2.txt
    echo "********************************************************************************"
    Any ideas?

    UFSDUMP has some limitations, including being on a file system that is read-only. Yes, I could force it on a read-write FS, but I normally stay away from big sticker labels found in man pages when I encounter them. :-(
    What I was originally after was a script that makes a backup of application configuration files before I modify them. Thus, I tar/zip the directory.
    These config files/directores have ACL's attached to them to allow various roles to access them (group permissions are not fine-grain enough). However, when I ran through a couple of tests, I came across a scenario that overwrote the original permissions. Tested it on Solaris 10 and Solaris 9, and both fail.
    So now (very late into the feature design) I'm VERY concerned about using ACL's on Solaris, and wonder what other side-effects there are that I'm not aware of. Can't seem to find a bug report on it, so I thought I'd ask around to see if it was just the behaviour of the TAR/ACL that I'm not quite getting, or if it really is a bug.
    /chris

  • Role based security and ACLs

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

    Hello,
    I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
    Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
    So:
    1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
    2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
    3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
    Your response is appreciated.

  • Activate Document Browser and ACLs

    Hi all,
    I want to activate the Document Browser and ACLs tab in the DIR.
    I have followed CAC--> Document Management --> Control Data --> Activate Document Browser and ACLs and then I've maintained "X" for each tab, but in the DIR nothing appear.
    Have you any suggestions?
    Thanks,
    Marco.

    Hi,
    In this activity, you can activate the document browser and ACLs independently of one another.
    When you select the indicators, the tab pages Document Browser and Authorizations are available in document editing.
    The document browser contains the folder structure of SAP Easy Document Management, which you can use to edit documents. For more information about the document browser, see SAP Library under SAP ERP Central Component -> Cross-Application Components -> Document Management -> Document Browser.
    You use ACLs to pass on access rights that you created for a particular folder to other folders in the same structure. For more information about ACLs, see SAP Library under SAP ERP Central Component  -> Cross-Application Components -> SAP Easy Document Management -> Work with SAP Easy Document Management -> Authorizations in SAP Easy Document Management
    Also check ,
    As of SAP ERP 2005, all ACLs are automatically available in SAP Easy Document Management and the back-end system. As of SAP R/3 4.7, it is possible to implement ACLs and you have to implement ACLs up to SAP ERP 2005 (see SAP Note 798504).
    http://help.sap.com/saphelp_erp60_sp/helpdata/en/7c/4ca9429888b111e10000000a155106/frameset.htm
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/plm/newFunctionalitiesinERP2005
    Benakaraja ES
    Edited by: benaka rajes on Jun 11, 2009 10:48 AM

  • Chroot jail in FTP?

    I asked this question about two years back, but I'm hoping there's an
    answer now...
    Is there a way to lock ftp clients into their home directory, so that
    cannot go back a directory level? Essentially their home directory is
    their root directory.
    Previously using linux ftp servers, you could do this with an option
    called 'chroot jail', but I'm not seeming the same feature on the
    Netware ftp.
    Is there a way to do this? I'm running NW 6.5sp6.
    Thanks!
    Matt

    Did you check the date of the TID though ? <g>, I'm surprised no one
    pointed it out last time you asked
    Cheers Dave
    Dave Parkes [NSCS]
    Occasionally resident at http://support-forums.novell.com/

  • MySQL, to chroot jail or not?

    I didn't know that it was ever considered to be worth it.  This is not a common practice, even in large firms I am not aware of anyone doing this. I saw not worth it.

    Hey Guys,
         We're moving to a new host for our VPS and it's a different OS, (Ubuntu, we're coming from CentOS). 
         On our previous server we chroot jailed mysqld. but now I've been doing some research and there's a bunch of people out there that say it's not even worth it to do it anymore.
         Do you guys think this is true? Should I waste my time setting up the chroot jail? or should I just install it like any other application on the server base?
    This topic first appeared in the Spiceworks Community

  • Repairing disc permissions and ACL...

    When I repair my disc permissions, the software takes much longer than in previous OSX's and I routinely get "ACL found but not expected in "Library."
    Anyone know what this means?

    You can not think that Leopard repair and verify permissions would react as Tiger's. Two vastly different OS.
    The speed will take longer using Leopard and depends upon what Mac you are using. My Mac Pro takes about 3.5 minutes. My Powerbook takes about 8 mins.
    ACL just ignore that dialogue. This is an old posted issue that does not merit any investigate.
    In computer security, an Access Control List (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file XYZ gives Alice permission to delete file XYZ.

  • SFTP only access in chrooted jail?

    Hi
    I'm trying to make it so a user only has sftp access in a chrooted jail.
    I've tried following a couple walkthroughs with no success
    http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
    http://www.debian-administration.org/articles/590
    This is 10.6.2 Server.
    I created my user and ran the following steps as root.
    chmod g-w /
    chmod g-w /Volumes/HD
    chown root /Volumes/HD
    mkdir /Volumes/HD/user_dir
    chown user /Volumes/HD/user_dir
    chmod 700 /Volumes/HD/user_dir
    I've added this to my sshd.config file:
    # override default of no subsystems
    #Subsystem sftp /usr/libexec/sftp-server
    Subsystem sftp internal-sftp
    Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /Volumes/HD
    ForceCommand internal-sftp
    Here is what I get when I try to ssh or sftp:
    sftp user@localhost
    Connecting to localhost...
    Password:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
    Connection closed
    Any helps is greatly appreciated.
    Thanks.

    hmmm strange. think i figured it out.
    finall went with
    Subsystem sftp internal-sftp
    Match User user
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /chroot
    ForceCommand internal-sftp
    create a new dir chroot and another dir inside it.
    the Chroot must be own by root and groups or other cannot have write access to any of it.
    the dir i created inside chroot is chmod 700 and owned by my user.
    it looks like because ChrootDirectory must have the directory own by root and unwritable by others, you can't direct your user directly to their locked down dir. they must sftp in to chroot then cd to their folder.
    not sure how to get around this.

  • Error report on win 8.1 about conhost.exe and werfault.exe

    I am not sure exactly what is happening, but I have noticed recently a new problem with CONHOST.EXE and werfault.exe each time I was opened application. and I didn't know exactly about was there have relationship  with my brightness  control
    (increase or decrease) than I can't make any change after first time I have noticed about conhost.exe and werfault.exe. and other problem than my laptop more 'slowly' than before, but the console window will remain open fastly enough. (The host process
    exists, but I can see an orphaned CONHOST.EXE for the application in Task Manager.)
    I hope someone who sees this knows why this is happening, and can help me fix the problem.
    Thanks!

    Hi,
    Here is the details about conhost.exe process:
    Windows 7 / Windows Server 2008 R2: Console Host
    http://blogs.technet.com/b/askperf/archive/2009/10/05/windows-7-windows-server-2008-r2-console-host.aspx
    Same within Windows 8.
    The werfault.exe is used for Windows Error Reporting.
    You can go to event viewer to check if there are any error messages.
    For this kind of issue, you may also try Clean Boot to see if this problem persists.
    Alex Zhao
    TechNet Community Support

  • How do I file a complaint about horrible, incompetent and negligent customer service?

    I might sound super rambling but I am very frustrated and just tired of explaining the situation over and over and over.
    On Wednesday, January 21st, I got a call from Verizon Loyalty Department about a "promotion", which I get $25 credit on each line if I upgrade with edge plan. I wasn't sure what phone to change, so I asked them to call me back on Friday. They called me on Thursday, but I couldn't get the call, so I called them on Friday and talked to the customer service. I wasn't still sure about the upgrades, so I asked them about the upgrades with $25 credit would still apply several weeks later if I decide to upgrade, the first representative whom I've talked to looked at my plan and said something like, "Yes, that is absolutely possible. I was looking through your plan, and since you are a loyal customer and ended your 2 year contract with us, I can give you $25 off on your each line. I asked them would I still get the $25 credit for each line when I upgrade to edge plan. He said yes because the $25 off that he is giving me is for the monthly charge and the edge plan $25 credit was for the equipment charges. So Month to Month $25 off was applied on the Jan 24th, and activated on 29th.
    After I finally decided to upgrade my phone, I called Verizon customer service the next week. I do not recall the exact day but on 28th or 29th I called to upgrade it, and the second representative also assured me that the credits were going to happen, and then he offered me to bump down my data to 6 gb from 8 gb to save money because I use less then 6 gb each month. I bumped down to 6gb loyalty plan so I was only paying $60 per month instead of $70 per month. The representative told me I would be only paying around $120 per month. I forgot to ask my sister what phone she wanted to change, so I didn't upgrade it right a way. So only the data plan changed on that day.
    I was extremely busy with my work for few weeks, and I finally called again to upgrade it, the third representative told me different old me that the previous representative was wrong about giving me another $25 credit when I upgrade with edge plan. So I ended up upgrading both of my lines with $25 credit on each line plus $60 for 6gb data. But she said I would be still paying less then what I normally pay, which is around $183. I upgraded and took me few days to receive my phone. I checked my bill and it was showing different than what I was told. I called again and explain all this thing again and the lady adjusted my data plan - 6gb loyalty plan for $50. She said she doesn't know what other representative was doing, but this will fix that I would only pay around $150-160 per month.  After I got my phone, I called verizon to activate my phone (I don't really remember it was before or after, I just talked to them too many times and they have changed my promotions and plans too many times in very short time). He also confirmed $25 credit off for each line, but there was one time tax fee that none of the representative has mentioned while I asked bunch of questions about the upgrading fee and how much it would cost on the first month and etc.)
    After all of that happened, I was settled and didn't think about the payment until I got $290 with only $15 credit on my bill. I called again and asked what happened and the representative told me she doesn't know why this happened and why the previous representatives told you something that weren't true. and I had to go through the explanation again. She said she fixed it and everything was taken care of.
    I checked my bill today. My plan was changed to $90 for 6gb and I was paying $30 more than I originally paying which was around $180 and $50 more than I was supposed to pay. I called the representative today, explained the previous situation and asked why this happened. Basically he told me that all the previous representatives were lying to me. Are you kidding me? They were lying to me? How am I suppose to know if he wasn't "lying" to me? He said only thing he can do is change back to my original plan and amount, and I would pay $6 more than what I used to pay which was about $183.. I asked me if I would get the the 8gb back. He told me that isn't possible. The change did not happen so far. I am tired of calling verizon and more tired of getting different answers from different representative.
    I am seriously concerning about changing my service to different carrier. I have to call the verizon every single month when there is a change in my plan. If they were really lying about the promotion and plan just to sell more service, they should be suspended or fired or something, and I need my money back for overcharged fee and need some kind of compensation for my wasted time and stress I got from this.

    Okay. You are just missing the whole point, and I am not saying anything after this. I did go to the website to read about the edge plan after I got a call from the loyalty department. I asked the questions on some parts I didn't understand (or was confused of) to the representatives. But my main question was whether I was getting $25 credit and in what conditions. They all answered differently to the same question. (My original question - Do I get the $25 credit with edge plan?- One rep. offered me that month to month $25 off before my upgrade. Other rep. confirmed $25 off plus $25 credit with edge and offered bumping down data plan to save extra money. Another rep denied $25 off plus $25 credit with edge but confirmed decrease in my monthly payment by bumping down the data plan. Other rep denied both. You see what I am talking about? I asked one question to begin with: am I getting the $25 credit with edge upgrade plan - and they are the one who offered me different promotions and offers) 
    I also left the part that I actually went to the website and 'researched' the different plans that all the representatives were talking about after I hung up on the phone each time. I joined the forum today because I wanted to know where and how I could file the complaints on verizon customer service after today's call. I should have been more clear on what I was asking, but I thought I was clear enough on my title "How do I file a complaint...?"  Yes I am angry at the fact I didn't get what I thought I was getting, but I am more frustrated the fact every single time I talked to the customer service I get an answer from the rep. I am on the phone, saying "Previous representative you've talked were wrong about this," or "They were lying." The representative, then, would fix my issue, but I would still get the conflicted bills. Don't I suppose to call the customer service to fix it? What's the customer service for if it's not for that?

  • How to create a report of users in ucm about their roles and permission

    Hi All ,
    I need to create a report and it should contain all the users in ucm as well as their roles and permissions. Basically the report would be for the admin who can see all the users in a single report and can know about the roles and access of each and every users.
    How to create such report ?? I have tried from web layuot editor but the default report template i.e stdUserReport in user datasource does not contain more than three fields..Is there any method to get such kind of report???
    Please suggest!!

    There was an example component to demonstrate this kind of function. Under Stellent in version 7.5
    I do not know if they hand it out anymore but it is not on the standard samples page for Oracle. You may want to open a Support SR to ask for it. It should still be around in their servers if they can get permission to hand it out as a sample again.
    Sample CustomReports component to demonstrate how to create customized reports
    CustomReportsBundle.zip
    Date:     October 30, 2006
    Sample Version:     version=2006_10_20 (build 1)
    Product and Version:     Content Server
    Sample Status:     This is a Stellent Sample. Stellent Samples are free and include non-supported add-ons, utilities, tutorials or programming examples. It may require additional configuration or security auditing for maximum effect. It is not supported by Stellent without a consulting engagement.

  • Hey iphone an iphone 3g and i only have about 13 apps and the yellow bar on itunes for my phone is way to big i deleted all my photos all my music every thing i ryed restoring ans all it still takes up space for sum reason ?? please someone help me

    hey iphone an iphone 3g and i only have about 13 apps and the yellow bar on itunes for my phone is way to big i deleted all my photos all my music every thing i ryed restoring ans all it still takes up space for sum reason ?? please someone help me

    If Other (the yellow bar) is too big something is corrupted.  The only solution (that I know of) is to restore from your most recent backup using iTunes (see http://support.apple.com/kb/ht1766).

Maybe you are looking for