Restrict FileSystemView to a Directory

Similar Messages

• Restrict FTP User to a Directory

  I am using Solaris 10 on SPARC.
  SunOS ddw 5.10 Generic_139555-08 sun4u sparc SUNW,SPARC-Enterprise
  I have put some text files in a directory '/u01/network'
  I want to create a ftp user which can just read the files in the network directory. The ftp user shouldn't be able to navigate or see any other directory outside of the network directory.
  The user ftp_usr is the owner of /u01/network directory.
  Following are settings in /etc/passwd:
  ftp_user:x:3008:1::/u01/network:/usr/bin/ftp-only
  The settings in the /etc/ftpd/ftpaccess:
  allow-retrieve relative class=realusers /u01/network
  restricted-uid ftp_user
  Please advise.

  The problem has resolved. It was a permission issue.
  Please see the details at:
  http://fahdmirza.blogspot.com/2010/11/restrict-ftp-user-to-directory-in.html

• Restrict global (network) directory account in GRC CUP

  Hi,
  How can i restrict to Globad directory( active directory) account in GRC CUP.When i try to create new account in GRC CUP with example test id or any id that is not active directory account,Request is created and approval can approve it too. I want to restrict to global(network) directory.In workflow,intiator i try to define network status,but it asking a value.I have no idea what value to assign.
  Thanks
  Shahed

  Hi Shahed,
  When CUP is allowing you to create IDs with generic names, that means the configuration is not done correctly. Please visit the below link which has complete information on configuring CUP with LDAP:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/b089fb71-a3b7-2a10-64a2-8c77243b0664
  Hope this helps!!
  Regards,
  Raghu

• How to add a new schema in active directory by jndi?

  I can add new objectclass schema and new attribute into eDirectory from JNDI. But I failed doing the same to active directory. I search all topic in this forums and seems like there is no such answer. So for active directory, the only way to add new schema is by using MS MMC + AD schema snap-in?

  You can update the schema via LDAP. Any tool that uses LDAP, such as Active Directory Services Interface (ADSI), Java/JNDI, LDAP Data Interchange Format (LDIF) can be used. You are not restricted to the Active Directory Schema Management snap-in.
  I strongly recomend that you read the following article http://windowssdk.msdn.microsoft.com/en-us/library/ms677995.aspx as schema extensions are not to be undertaken lightly.
  Also, if you are extending the schema, DO NOT use other organization's schema OID's. Imagine how directories would become inoperable because you defined hat size as an integer value with an OID of 1.2.3 and someone else defined Social Security Number as a string with an OID of 1.2.3 ! You can obtain your own OID branch from either Microsoft (http://msdn.microsoft.com/certification/ad-registration.asp) or from a standards organization such as ANSI.
  I'm kind of hoping that seeing as though you have mentioned that you have extended the schema for e-Directory, that you understand LDAP schemas and that you have your own valid OID. Do not use my shoe size OID !
  The following snippet illustrates how to extend the schema using JNDI.....
  String attrName = "cn=ms-ShoeSize,cn=Schema,cn=Configuration,dc=antipodes,dc=com";
  LdapContext ctx = new InitialLdapContext(env,null);
  Attributes attr = new BasicAttributes(true);
  attr.put("cn","ms-ShoeSize");
  attr.put("objectClass","attributeSchema");
  attr.put("ldapDisplayName","msShoeSize");
  attr.put("isSingleValued","TRUE");
  attr.put("attributeID","1.2.840.113556.1.4.7000.141");
  attr.put("attributeSyntax","2.5.5.9");
  Context newattr = ctx.createSubcontext(attrName,attr);Having created a new attribute, you could then either add it to an existing class, or create another abstract class, add it to the new abstract class, and add the the new abstract class as an auxilliary class to an existing structural class. For example create a new auxilliary class called "clothes Sizes", add the attribute "Shoe Size" as a mayContain attribute, and then add "Clothes Sizes" as an auxilliary class to inetOrgPerson.
  Note that you need to wait for the schema cache to refresh, before adding attribute or class definitions to one another, and before instantianting new objects with the new classes & attribute definitions. You can either wait for teh schema cache to refresh itself, or you can force a refresh by writing the value of 1, to the attribute "schemaUpdateNow" on the RootDSE.
  As I mentioned at the start of this response, I personally prefer to use LDIF, simply because it enables end-users/customers to review the schema extensions and understand their potential impact before applying them. A sample that accomplishes the above would look something like:dn: CN=ms-ShoeSize,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
  changetype: add
  objectClass: attributeSchema
  cn: ms-ShoeSize
  ldapDisplayName: msShoeSize
  attributeID: 1.2.840.113556.1.4.7000.141
  attributeSyntax: 2.5.5.9
  isSingleValued: TRUE
  dn:
  changetype: modify
  replace: schemaupdatenow
  schemaupdatenow: 1
  dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=Antipodes,dc=com
  changetype: modify
  add: mayContain
  mayContain: mSShoeSize
  dn:
  changetype: modify
  replace: schemaupdatenow
  schemaupdatenow: 1
  -

• Error in writing to directory /tmp/OraInstall2009-05-06_10-44-05AM.

  Hi,
  Am trying to upgrade OID using 10.1.0.4 patch.How evr when am invoking the installer it is prompting the following error.
  Checking installer requirements...
  Checking operating system version: must be redhat-Red Hat Enterprise Linux AS release 4, redhat-2.1, redhat-5, SuSE-9 or UnitedLinux-1.0
  Passed
  All installer requirements met.
  Checking Temp space: must be greater than 400 MB. Actual 9879 MB Passed
  Checking swap space: must be greater than 1536 MB. Actual 33025MB Passed
  Checking monitor: must be configured to display at least 256 colors. Actual 65536 Passed
  Checking if CPU speed is above 450 MHz. Actual 1992 MHz Passed
  Preparing to launch Oracle Universal Installer from /tmp/OraInstall2009-05-06_10-44-05AM. Please wait ...sh: /u02/oracle/product/OIM: No such file or directory
  Error in writing to directory /tmp/OraInstall2009-05-06_10-44-05AM. Please ensure that this directory is writable and has atleast 60 MB of disk space. Installation cannot continue.
  : Success
  [oracle@stcfmw02 install]$
  Please anyone suggest on this!!!!
  Thanks,
  Arsh:)

  For security reasons some admin put restrictions on the /tmp directory (for a good reason). You can change the default setting of the tmp directory used during installation by setting the environment variables TMP and TEMP to a different directory. Don't forget to set BOTH!!! variables.
  HTH,
  --olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Time Machine does not backup home/user directory (on separate drive)

  I recently installed a SSD into my Mini. Due to size restrictions, my home/user directory has to be kept on another drive. I retained the stock 1TB drive that came with the Mini for this.
  Ok, installed the SSD, restored a Time Machine backups (sans user data). Used a different admin user and configured my user to use the 1TB drive for it's home directory (/Volumes/1TB/home/<user>). Restart, log in as my user, all is good. All data, settings, etc is there. Everything looks normal.
  Time Machine REFUSES to backup this directory. It will backup the 1TB drive and anyting else I create in it, but not the home directory. I tried every permission trick I could think of or found online. I even tested it further by formatting the 1TB drive fresh, adding a new user, configuring the user to use the 1TB for their home directory and it still won't back it up (this was a test of permissions the OS set, to make sure I didn't change my data perms somewhere along the way). Time Machine would not backup the new user's home directory on the 1TB drive.
  Any thoughts? I can't be the first person to have their home directory on a non-OS drive.
  If I were to create a folder/file in /Volumes/1TB/<test file> ... Time Machine gets it perfect. It just will NOT touch /Volumes/1TB/home/<anything here>
  Thanks!

  Open the Time Machine preference pane and unlock the settings, if necessary. Click the Options button. If there is one particular folder with items that are not being backed up reliably, add it to the list of excluded items. If there are many such folders, add your home folder to the list, or add a whole volume (i.e., what Apple calls a "disk.") Save the changes.
  Start a backup, or wait for one to happen automatically. When it's done, open the preference pane again and remove the exclusion(s) you made earlier. Back up again and see whether there's a change.

• How to create email users with open directory?

  I'm trying to used a mac mini as a mail server for my domains. It works well for SMTP server/gateway for multiple locally networked systems running Lion, Mountain Lion and Maverick. The server is running Mavericks 10.9.2 server 3.1.1.
  I need to add email users to it, so I tried Open Directory. I added a user with an email address with a domain listed in the mail server's domains. Then used the server app to give the user permission to use the mail service and selected to have the mail be saved on the server.
  However, even though I set the mail server to accept any authentication method, I couldn't log in to get mail (via IMAP) from any email client on my computer. I tried Mail and Sparrow.
  The IMAP log on the server says 'Disconnected (auth process communication failure)'. I tried everything that I could from the server app and the workgroup manager app. When using 'Mail.app', the IMAP log shows an empty user name. Trying with Sparrow shows the user name in the log, but still fails.
  I restricted authentication to Open Directory, but that didn't help either. Tried with Secure Connection and without.
  Am I missing something? Is there anything that I need to do to make the server accept IMAP connections? The mail service is running and handling SMTP.
  The domain has an MX record pointing the server's domain name.
  All the services are secured with a self signed certificate.
  Doing a CLI check with 'sudo serveradmin fullstatus mail' results in the following:
  [snip]
  mail:protocolsArray:_array_index:0:status = "ON"
  mail:protocolsArray:_array_index:0:kind = "INCOMING"
  mail:protocolsArray:_array_index:0:protocol = "IMAP"
  mail:protocolsArray:_array_index:0:state = "RUNNING"
  mail:protocolsArray:_array_index:0:service = "MailAccess"
  mail:protocolsArray:_array_index:0:error = ""
  [snip]

  Didn't find a way to edit my post above.
  UPDATE:
  Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
  imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
  How do I 'enable' this user?

• An iView with access only to certain KM directory

  Hallo,
  I'd like to create an iView responsibile for showing certain   KM directory. Access should be restricted only to this directory and its subdirectories. I'd like also enable users to change files located in these directories, creating new files, removing.. etc.
  Is there an iView template or something? Thanks for any adivice.
  Best regards,
  Josef Motl

  Darrell,
  did you mean the KM Search iView? I can't locate KM explorer iView on my portal.
  I don't know how to set starting and root directory in KM Search iView
  Now, I found KM Navigation iView. You surely meant this iView.
  Josef
  Message was edited by: Josef Motl

• Http Response - needing to hide application directory from browser

  Hi,
  i need to hide the application root directory from the browser, as you can see at these steps example:
  1) Http request: www.xxxx.com
  2) Apache runs module Alias: redirect www.xxxx.com to www.xxxx.com/somedir/
  3) Apache returns www.xxxx.com/somedir/ to the browser
  But, i need to change the step 3: Apache must just return "www.xxxx.com" to the browser, instead of ".../somedir". How can i do it?
  Thanks in advance, Euclides.

  Is your question related to Web Cache or to access control in general? I'll take a stab at answering the question anyway, in hopes that I understood you correctly.
  If you are wondering whether Web Cache supports user/group restrictions on file or directory access, the answer is "not yet". Until that time, requests that require access control should be flagged as non-cacheable, either in the Web Cache configuration or by using Surrogate-Control: no-store in the response headers.

• ACS 4.2 (Trial) User Group Restrictions?

  I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm running an Eval of CSACS v4.2 for Windows in a Lab so I can work out the issues.
  So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" as my external user database. The only problem I've run into is that I can't seem to figure out how to restrict access to Active Directory group membership.
  For instance, in the lab I have a Cisco 3750 switch that is using ACS to control login access. But given my current ACS configuration everyone in the windows domain can login to the switch. How can I restrict that down to just the Network Operations group in Active Directory?

  Yogesh:
  To move existing users from one group to another you can:
  - go manually to each user and change its group membership. OR:
  - Use RDBMS synchronization where you can fill a CSV file with the actions that you want (change group membership in your case) and import that to the ACS.
  For RDBMS sync you can read the user guide:
  http://tiny.cc/n13b1w
  This config example may also be useful about how to import the csv file:
  http://tiny.cc/533b1w
  I suggest that you read the guide and come back to ask here if you have any concern.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• CG3Y - Directory specific authoirsation

  Hello,
  Certain users need to download files from CG3Y, but I would like this restricted to the actual directory, currently they have access to all.
  Can this be achieved?
  If the directory is called /example, will setting object S_DATASET and field name FILENAME to /example achieve this?
  Or is there a better way.
  Thanks,
  Jake.

  The problem with CG3Y (and CG3Z..) is that you cannot use the program name, as it is all the same program without restriction to it's capability.
  So yes, you should use S_PATH if you want to "hook it" and validate the entry.
  If you are on a relatively recent patch level there is a validation of the file name which includes the path as a "logical file name" --> transaction FILE. See SAP Note 14970003, which is actually more of a book than a note... 
  Cheers,
  Julius

• Few ?s re: Adding user/SSH/restricting

  I want to set up a user that can SSH in to my box but is restricted to his home directory. So let's say I make user guest, they shouldn't be allowed to venture outside of /home/guest, or access anything outside of /home/guest period. A few questions the more I google the more I am getting confused by all the varying answers:
  1. Doing useradd, what group do I put for this user guest?
  2. How to do the restriction? I have read about rbash but that supposedly only locks the user out of cd'ing outside the /home/guest, but not accessing outside (ls, mv, etc.) ??
  3. Say I give the user+pass for guest to a friend, he SSH's into my box, now how can I in realtime view his shell session? (Watch him cd/ls/etc.)
  4. How would I terminate the SSH session of the guest myself?
  Many thanks for any help

  *nix is designed as multi-user, so if you just make a user that's in the users group (just use adduser if you're not sure about useradd) and they won't be able to harm anything outside of their home directory unless you have messed up the default (fairly secure) settings. You might want to set up quotas if you're worried about them filling /tmp, /home or the various world-writable directories in /var.
  Completing taking away read access from /usr, /bin, etc. would stop them from running anything. Just make sure your home directory is set to 700 permissions and you don't have anything private outside of there.
  question 3 can be answered by a quick google search:
  http://serverfault.com/questions/12419/ … -real-time
  4. pkill, kill, killall? or just kill sshd
  Last edited by thestinger (2011-01-12 04:38:35)

• GetDocumentBase returns null in Update 40

  The change to make getCodeBase() and getDocumentBase() return null has broken our FindinSite-CD signed applet which is out in the field on many data CDs and similar, ie running locally.  It doesn't provide any more security as our all-permissions applet can still access the same information (once it knows where it is).  The trouble is, the CD may be run from anywhere so I do not know the absolute path in advance. I have found that I can add code so that JavaScript is used to pass the current URL as a PARAM to the APPLET.  However this should not be necessary.
  Can you provide a better fix that does not break all our existing users who update to Update 25 or 40?
  I would be happy for our applet to have access restricted to its own directory or lower.
  Or for an all-permissions applet, make getCodeBase() and getDocumentBase() return the correct values.
  Please see the second link below for a further discussion.
  Bug ID: JDK-8019177 getdocument base should behave the same as getcodebase for file applets
  Oracle's Java Security Clusterfuck
  PS  There is a separate Firefox 23 issue stopping access to local Java applets - this should be fixed this week in version 24.
  Chris Cant
  PHD Computer Consultants Ltd
  http://www.phdcc.com/fiscd/

  Our company uses the above FindinSite-CD software to provide search functionality on our data CDs and we have done so successfully for many years.  These latest changes in Update 40 have now broken this vital component on our product and will cost us considerably in technical support time and replacing the discs when a fix comes out. Just an end user's perspective!

• Apache2.x and Tomcat5.0.x & Session' data

  hi everyone,
  i was just wondering how i can pass user's session data from Apache to Tomcat and visversa:
  an examples
  im restricting access to a directory secret/* with Apache Authentication on Mysql (AAOM)
  Inside that directory ther is a link to one of my servlets
  what i want is to pass the user's data already collected after the log in against AAOM (username, etc ...) to that servlet
  ill be glade for any ideas how i can perform this
  ps im using mod_jk which mean im using tomcat only as a servlet container behind apache since the most data iam serving is a static data
  Thanks in Advance
  YEL

  Hi,
  I believe that this must have been discussed somewhere but as you are saying that you could not get clear answers, please find the answers.
  In 3.x, we had Infopackages loading the data to infoproviders. In the infopackage itself, there was an option which asked you the way to update. i.e. Only to PSA, To PSA and subsequently to infoproviders, To infoproviders only. Thus, PSA was optional.
  In 7.x, PSA are mandatory and Infopackages can load the data only to PSA. DTP loads the data from PSA to infoproviders.
  DTP also provides many new options to us in BI. e.g. You can carry out delta load from PSA to infoprovider.
  Edited by: Rahul K Rai on Sep 6, 2010 3:56 PM

• Error while working samba through Windows XP+SP2

  Subject: Error while working samba through Windows XP+SP2
  Hi,
  I have problem with SAMBA Server on SOLARIS 10.0 while browsing shares through MS Windows XP Pro + SP2.
  Descriptions:
  1) SAMBA Configuration:
  #==== global settings ======
  [global]
  security = user
  hosts allow = 192.168.9. 200.0.0. 127. 127.0.0.1
  unix password sync = yes
  remote announce = 200.0.0.255/Workgroup
  192.168.9.255/workgroup
  remote browse sync = 200.0.0.255 192.168.9.255
  restrict anonymous = yes
  root directory = %H
  deadtime = 5
  #==== shares ======
  [homes]
  comment = Directory for User: %U
  browseable = no
  writable = yes
  [%U]
  comment = Private Directory for User: %U, R.Host: %m
  path = %H
  valid users = %U
  browseable = yes
  read only = no
  profile acls = yes
  [temp]
  comment = Temporary file space
  path = /tmp
  read only = no
  public = yes
  2) This configuration tested with MS Windows 2000 family and Windows XP Pro+SP2
  When I'm going to browse server by windows family stations, server asked for username/password, after authentication on both clients (Win XP and Win 2000) the share list appears correctly. for browsing shares contents through windows 2000 I have no problem but when i want to browse shares contents with windows xp+sp2 error message appears with "Access denied." subject.
  How can I solve this problem?
  Any help would be greatly appreciate.
  M.Chitsaz

  UPDATE
  i was able to connect and synced songs yesterday.
  but when i tried it again today. i cant connect again.
  i tried to disconnect and reconnect million times and i even dropped
  my iPOD and now it has some scratch and i hate it.