Regarding ACL

Similar Messages

• RE: Help needed regarding ACL in weblogic 6.0

  Abishek, I've also posted this response to the newsgroup as I think there
  has been some discussion about it before without ever a complete answer.
  No. You can't use ACLs for servlets or JSPs in 6.0 and later. Prior to 6.0
  we used ACLs as there was no standard for servlet or JSP security. In 6.0 we
  moved to the J2EE standard of deployment descriptors. I do believe that we
  had a documentation bug in 6.0 that said the ACLs continued to work. This
  was fixed in 6.1.
  -----Original Message-----
  I am using weblogic 6.0. I need to authorize servlets, and JSPs. So far,
  I am using the deployment descriptors, web.xml and weblogic.xml to
  authorize users. However, can ACLs be used to authorize servlets and
  JSPs, especially through the admin console of weblogic? All the ACLs I
  have made using the admin console have been ineffective in authorizing
  and no authentication is asked for.
  I would be grateful, if you could throw some light on this matter.
  TIA,
  abhishek.

  Hi,
  Were you ever able to find out how to turn debug on for the realm??
  Thanks,
  Rob
  [email protected]
  Sam Li wrote:
  In weblogic 5.0, to view RDBMSRealm debug information one just need to set "weblogic.security.realm.debug=true" in weblogic.properties file. However, in weblogic 6.0, weblogic.properties file is replaced with Admin Console. I just couldn't find anything in Admin Console that I can set realm.debug=true. Your help will be greatly appreciated!
  Sam

• ACLs on WLC

  hi Experts,
  just a question regarding ACL configuration on the WLC. I am a bit confused on when to use CPU ACL and when should we apply the ACL on an interface?
  it seems CPU ACL is used to filter traffic processed by CPU, so normally used to prevent access to WLC through GUI/ssh/telnet.
  and if we apply ACL on an interface,  then this is mainly used to filter data traffic.
  can you please help to clarify the difference between the two and what would be the best practice to use them?
  appreciate for any comments.
  Andy

  If you do configure acl’s on the WLC, I would not create a cpu acl, because you might end up locking yourself of the wlc. You can create acl’s for the interface to deny or allow traffic from that interface or even do a pre-auth acl if you wanted to. I only use acl’s on the wlc if I have to (webauth) or else I would use acl on the layer 3 switch instead.

• ACL-confusion

  I have gotten confused with the many posts regarding ACL
  Could someone kindly tell me the Terminal code for removing the ACL on this file: (as revealed by Disk Utility)
  ACL found but not expected on "Applications/Utilities/Disk Utility.app/Contents/Frameworks/DUSupport.framework/Versions/Current"
  And what exact code would I use for removing the ACL from ALL the files in my Utilities folder?
  Many thanks.

  OK, tried what you suggested and I think it worked for my home directory, however when I run DR, I get a huge list of:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrinterSharin gSetUp.html".
  2008-06-10 18:04:29 -0400:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrinterSelect iondlg.html".
  2008-06-10 18:04:29 -0400:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDPOFSele ction.html".
  2008-06-10 18:04:29 -0400:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDirectFr DigitalCam.html".
  2008-06-10 18:04:29 -0400:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDialog.h tml".
  2008-06-10 18:04:29 -0400:
  ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintCartridg es.html".
  It goes on for over 35 minutes -- all referring to Library/Printers/*,
  then it follows with:
  [I did not include every line of Group differs on "Applications/System Preferences. . . ]
  2008-06-10 18:05:22 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/InfoPlist.strings", should be 0, group is 80.
  2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/Localizable.strings", should be 0, group is 80.
  2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/MainMenu.nib/keyedobjects.nib", should be 0, group is 80.
  2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/MainMenu.nib", should be 0, group is 80.
  2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/NSPrefPaneGroups.strings", should be 0, group is 80.
  2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj", should be 0, group is 80.
  2008-06-10 18:05:24 -0400: ACL missing on "Library".
  2008-06-10 18:05:24 -0400: ACL found but not expected on "bin".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ps".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/bash".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/sh".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/chmod".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/cp".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/dd".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/df".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/link".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ln".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ls".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/mkdir".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/mv".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/pax".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rm".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rmdir".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/unlink".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "usr/bin/cpio".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/launchctl".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rcp".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/cat".
  2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ed".
  2008-06-10 18:05:25 -0400: ACL found but not expected on ".".
  2008-06-10 18:05:26 -0400: Group differs on "private/etc/cups", should be 0, group is 26.
  2008-06-10 18:05:27 -0400: Permissions differ on "Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool", should be -rwsr-xr-x , they are -rwsrwxr-x .
  2008-06-10 18:05:27 -0400: Permissions differ on "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy", should be -rwsr-xr-x , they are -rwsrwxr-x .
  2008-06-10 18:05:30 -0400:
  2008-06-10 18:05:30 -0400: Permissions repair complete
  2008-06-10 18:05:30 -0400:
  2008-06-10 18:05:30 -0400:
  Can you tell me how to remedy this sutff? I understand about the "private/etc/cups" thing but what about all the ACL's on "bin/. . . "?
  should those be there?
  Can I log in as root user to change these??
  Any assistance greatly appreciated.

• I have finally solved my SMB sharing troubles

  Hi!
  I have read two most enlightening postings regarding ACLs and POSIX rights. I have always seen that they both affect access rights but have not been able to figure it out quite right. It seems very easy on first sight but it is not. Just try to edit MS Office document on a Windows PC right on the SMB share and you will see what I am talking about. But to cut the long story short, here's what I have done with my SMB configuration and why.
  1) I modified /etc/smb.conf to disable streams support.
  ; stream support = yes
  vfs objects = darwinacl
  We don't need or use streams on our shares, buaving them enabled will occasionally block files from being read from the share. So in our case it is better to disable them.
  2) I have removed all Deny statements from ACLs.
  If you edit documents on the SMB share using MS Office, ACLs get messed up big time. The most important thing is that you don't know where you Deny ACEs will end up, so they could be the first thing in the ACL and you could be denied of any access.
  3) I have set all POSIX rights to None on all directories and files.
  darwinacl module will combine the POSIX rights and the ACL and will show POSIX rights as ACL entries to the Windows client. If the Windows client now saves something, the combined entries will all land in the saved file's ACL. E.g. if you have POSIX right r/w for group staff, the ACL will have an entry for group Users afterwards.
  All in all I have only set ACLs to allow selective Allow rights for directories and no Deny statements at all. It works pretty well on Windows clients and also on Mac SMB clients. I have not enabled AFP at all for easier management.
  The only downside is that the access-rights-limited directories are still listed for everyone who has access to the level above them.
  Oh, for everyone who is interested in the two postings I read and found so good, here's the link:
  http://lists.apple.com/archives/Macos-x-server/2008/May/msg00335.html
  See the reply too, that's the second interesting posting.
  Hopefully someone will find this information helpful! I have seen too many cries for help on this same issus.
  Best regards,
  Andrus Suitsu

  I have experienced some new troubles with my shares. This time it is with OS X 10.6.2 smb client only. If a Windows user creates a new folder on a Leopard share, it has all the good POSIX rights and good ACL also. The POSIX owner has changed to the creator, but that should be fine. But still only the creator can access that folder over SMB from 10.6.2 client. Windows XP clients are not affected by this problem. From the Server Manager everything looks good, only the POSIX owner is different. Looking at the directory from the command-line reveals that the new folder has Execute bits set while other have not. Clearing the X bits made the problem go away.
  You cannot change the share settings directly in /var/samba/shares because Leopard will overwrite your changes. So I changed the share settings using WGM (log in to Local). Clicked the last icon (2 concentric rings) and chose SharePoints. Then went and changed smb_createmask and smb_directorymask to 0000. This is okay, because I use only ACL to grant access to whoever needs it.
  I then ran the /usr/libexec/samba/synchronize-shares script to write out the files in /var/samba/shares. After restarting the SMB service, things were once more better than before I started. New folders and files are created with empty POSIX rights, which is exactly what I need.

• Disk Utility Partition Error

  I updated from Tiger to Leopard, and in the last 2 wks noticed I had little remaining space on my hard disk. After checking in Disk Utility, however, I found that my hard disk partition had reduced from what should be a full 160Mb, to a mere 52Mb or so, but there is NOT another partition (just a grey area for the rest of the blank space)! When I try and increase my hard drive partition a little or even to the full amount, I get an error:
  "Partition failed with error:
  MediaKit reports partition (map) too small"
  I've tried updating to 10.5.2, OS is totally up to date, and have tried starting up from Leopard install disk and using Disk Utility on that to try and increase partition, but all with same error.
  Not sure if related, but when I try fix permissions, there are a few unfixed problems regarding ACL's (?), but no other issues.
  Message was edited by: gwa75

  I am having the same problems on 10.5.2. I have a maxtor onetouch 500gb, I reformatted it to work with time machine, and the partition on the disk is only 382.4gb, with a lot of grey space showing up. When I try to expand the Onetouch partition or create a new partition to fill in the space, it keeps giving me
  "MediaKit error: size of disk too small" or something along those lines!

• RV215W inbound rules with control ip

  Hello,
  I have a  Cisco RV215W and i want to create inbound rule (wan -> lan) with ip control.
  I ha created in "service management" a new service (rsync on 873 start port and and port)
  After i had created a new access rules :
  Action : Always Allow
  Service : Rsync ( a service created in service management)
  Status : enable
  Connection type : inbound (Wan -> Lan)
  source ip : single ip with outdoor serveur
  Destination ip : ip to NAS
  When i connected on outdoor server, i used telnet :
  telnet my_public_ip 873      and i cannot connect my NAS
  when i create a rule in "single port forwarding", my outdoor server can access on my NAS (but all outdoor customer can access on my NAS....)
  Do you have an idea?
  thank a lot per advance

  Hi Bruno, thank you for using our forum, my name is Johnnatan I am part of the Small business Support community. You could create an ACL to allow the specific address to the NAS and deny the rest.
  Bellow I will share a Link with a document regarding ACL,
  http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3707
  http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3707I hope you find this answer useful
  “Please rate useful posts so other users can benefit from it”
  Greetings, 
  Johnnatan Rodriguez Miranda.
  Cisco Network Support Engineer.

• Xsan 2.x with StorNext 3.1.2 permissions

  I am running Xsan 2 on multiple FCP editing stations connected to storage that is managed by StorNext 3.1.2.
  When one of my editing stations creates files on the storage the owner and permissions are only for that user. When I try to access the media from another editing station I cannot because the permissions are not correct.
  How do I globally set the permissions on this Disk so that all my editing stations will have access to all the media on it by default?

  The StorNext filesystem does not manage permissions, those are set by the default UMASK settings on the users creating files. Read this to learn how you can get the default permissions behavior you are seeking.
  Access Control Lists can also solve what you are dealing with, but there is a support vacuum between Apple and Quantum regarding ACLs on StorNext filesystems for Xsan users. Apple only supports ACLs if you use Xsan MDCs, and Quantum doesn't support Xsan users. Catch 22! I've heard of some guys tinkering with the config files of StorNext to get them to pass Apple Open Directory ACLs, but AFAIK they have not been very successful yet. Here is a thread to help with that, but like I said, I don't know of anyone that has gotten that to work properly with your type of setup. UMASK mods are probably your best bet.

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• Anyconnect ssl vpn and acl

   Hi Everyone,
  I was testing few things at my home lab.
  PC---running ssl vpn------------sw------router------------ISP--------------ASA(ssl anyconnect)
  anyconnect ssl is working fine and i am also able to access internet.
  I am using full tunnel
  i have acl on outside interface of ASA
  1
  True
  any
  any
  ip
  Deny
  0
  Default
  i know that ACL is used for traffic passing via ASA.
  I need to understand the traffic flow for access to internet via ssl vpn.?
  Regards
  MAhesh

  As you say correctly, the interface-ACL is not important for that as the VPN-traffic is not inspected by that ACL. At least not by default.
  You can control the traffic with a different ACL that gets applied to the group-policy with the "vpn-filter" command. And of course you need a NAT-rule that translates your traffic when flowing to the internet. That rule has to work on the interface-pair (outside,outside).

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• Resetting a connection matched by ACL

  A requirement is to send a TCP Reset (RST) without changing ASA's global setting "service".
  The protocol for the connection is unknown.
  My understanding is that actions such as "reset", "drop" or "drop-connection" is for an "inspect" type Policy-Map and not for "Layer 3/4" type Policy-Map.
  So, how can I send a TCP Reset for an ordinary connection attempt (matched by an ACL)?

  Hi,
  The "service" command would be the only way to RESET a connection explicitly on the ASA device.
  As you correctly pointed out this will be a global setting on the ASA device.
  Thanks and Regards,
  Vibhor Amrodia

• ACL migration Error : 1210 could not find a domain controller for domain "Test Domain" (Old Domain)

  Hi
  We are migrating from old domain to new domain. Before live migration, we are trying to check the ACE/ACL migration through SubInACL. We are running the SubInACL on a cluster, which is a member of the Old Domain (Test Domain). We are able to resolve and
  ping both Old Domain and the New domain from this cluster machine. We have created a network share on this cluster, which is accessible to all Domain Users of the Old Domain. Both Domains have two way forest level trust. we are trying to migrate
  the ACL of this share (\\ClusterMachine\testshare$) to the new domain using SubInACL. We are trying to run the below command to get it done.  
  subinacl /outputlog=C:\Users\Administrator\Desktop\Migrationlog.txt /subdirectories
  \\ClusterMachine\testshare$\*.* /migratetodomain=OldDomain=NewDomain=mappingfile.txt
  Mapping file contains : Domain Users=NewDomain_Users
  But we are geeting the Error that "1210 could not find a domain controller for domain "Test Domain". Error finding domain name : 1210 the format of the specified computer name is invalid. Current Object "\\ClusterMachine\testshare$"
  will not be processed."

  Hello,
  how in detail is DNS set up in each domain?
  Any problems when using nslookup to verify?
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Renumbering with ACL-Friendly Role-Based Addressing or...?

  We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
  As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
  Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
  From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
  Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
  Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
  Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
  Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
  Thanks in advance for your ideas!
  -Aaron

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• How do I enable ACL on an external unit in Mavericks?

  I have an external hard disk via FW 800 on a Mac Mini Server running Mavericks. I can not enter any settings in the ACL because every time I get an error message saying that I can not enter anything in the ACL because the ACL is not enabled on the unit.
  How do I enable ACL on an external drive in Mavericks?
  Regards
  Jonas Möller Nielsen

  The problem is solved.