User-friendly way to issue chown commands on remote servers

I'd like my technically unversed users to have, on demand, the benefit of chown commands giving them ownership of certain files being executed on remote servers. I'd like this to be doable without administrators' involvement and with no physical access to the servers by any of the users being entailed.
By "benefit of chown commands" I mean the results a competent user would get entering the command if he or she were actually doing so. By "technically unversed" I mean specifically that said users aren't and won't ever be trained to ssh into subject servers and issue chown commands themselves directly.
I should mention that the "Get Info" interface does not in this case avail users of a way to take ownership of particular files because ACEs apply to the files in question. That ACEs apply changes what is presented: instead of any editable fields under Ownership and Permissions, all users see in the "Get Info" interface is a list of whatever ACEs apply.
Please note that users do, by virtue of ACEs, have "change ownership" permissions for the files in question. Also, authentication to the servers in question under subject users' own logins is possible as necessary.
What I'd like to start with is getting some idea how complicated this could be for me to do myself as a beginning AppleScripter. I'll describe what I guess would be involved and hope for someone to shed light.
I'm guessing that something the user at his or her own machine does involving a file he or she has selected would constitute an Apple Event which a process on the client would send to a process on the server. Then I expect the server process would issue the chown command locally respectively of
1) which file was selected when the Apple Event took place, and
2) subject user's identity.
Finally, I expect some feedback might contingently be sent to client process incidentally to need to give user feedback.
Is this a fair sketch of how this should work? What is a beginner with limited time likely to accomplish attempting this?
(Find context for this posting here: http://discussions.apple.com/thread.jspa?threadID=831517&tstart=0)
PowerMac   Mac OS X (10.4.8)  

First, if I understand you correctly, I'd be using
Curl and, say, Perl rather than Applescript to get
this done. In other words, what you wrote in
Applescript is about all I'd need in that
language--yes?
That's correct, give or take any errors in the script. (For obvious reasons I didn't test it.)
Then, please note that I want to chown, not chmod. Is
this an issue?
Nope. (Beyond what you pointed out below.)
I am looking at Perl documentation and read that "on
most systems, you are not allowed to change the
ownership of the file unless you're the superuser..."
(http://perldoc.perl.org/functions/chown.html).
However, isn't apache running as root?
I never thought about that. Wow, this is complicated! Are you really sure you can't make do with chmod instead?
Anyway, the answer is yes and no. The main Apache process usually runs as root, but executes CGI scripts (and other requests) as another user to avoid inherent insecurity. So unless you do something terribly, terribly insecure, you will not be able to chown from Perl. (And, although I am often lax about security, enabling root access for CGIs strikes even me as dangerous, which means it's a very bad idea.)
Really what you want is for the CGI, which does not run as root, to hand off to another process which does. I'm not a Unix guru, and would never claim to be, but I think the two following methods might work:
1. Set up a cron job running as root which looks in a directory once every minute/hour/whatever. The file name should be the user to change the owner to, and it should contain a delimited (in some form; return is possibly safe) list of files. Have the cron job walk through the list of files and use chown, then clobber the contents of the file. (Note that a CGI can use "chmod", which can make sure that the files it creates in the directory are readable by the cron job.) (Also note that you'll want to use flock to avoid race conditions between the cron job and the CGI!) This method would not be instantaneous, since the cron job only runs periodically.
2. Set up a script which runs as root which takes a line of text in the format:
user:path/to/file
and executes chown using that information. Make this process run at startup as root. Have it open a named pipe, with permissions such that CGI script can write to it, and watch for input from that pipe.
Some general notes:
A. Whatever you do, make sure that the binary/script/whatever running as root can't be written to by anyone who doesn't have root permissions.
B. Make sure to check that the user and file actually exist before doing anything with them. (And make sure to do it in the root process, since you have no guarantee that someone won't figure out what's going on and come up with some clever injection scheme to make your root process break security.) (And don't do it by passing a command to the shell; use Perl's chown or some equivalent, so that you'll be somewhat less vulnerable.)
C. For that matter, don't forget to check and make sure that the path you're about to chown is within the share point, and that the user you're going to chown to makes sense in context, so that nobody can (for example) take over someone else's user directory, or get write permission to /sbin, or something evil like that. (In fact, it might be for the best if you limited the chown operations to files only, just to be sure.)
Also, I get the part about how a constraint involving
"do shell script" method argues against using pure
Applescript in this case. But just for my information
is Applescript otherwise sufficiently capable?
If it weren't such matter of getting everything on
one line, could Applescript send commands between
hosts, convert local paths to paths on servers, issue
change ownership commands, and handle authentication?
Do methods adequate to those purposes exist in
Applescript?
Or would using multiple scripting languages be
entailed anyway? I'm guessing the latter.
Yes and no. Helpful answer, right?
First and foremost: AppleScript was originally created as a language to control programs, which would have an extensible grammar through the installation of files called "Scripting Additions". It has since been puffed up via AppleScript Studio to an application-building language in its own right, but the language itself does not have support for a lot of things which, nevertheless, the language can do by controlling another program or by extension.
AppleScript can send messages between hosts. If the remote host is a Mac, and has "Remote Apple Events" turned on in the "Sharing" control panel, then you can send commands to programs on the remote machine almost exactly as though they were local. (The only differences are in how you specify the application and how you let AppleScript know what the remote application "understands".) This support is built into the language.
If the remote host is not a Mac, you must control a program which can "translate". When it comes to terminal programs, for security reasons Apple did not include any interactive systems which could be controlled. (Although they did include "expect", I see, which would theoretically allow you to work around this...)
Since converting a path is really just text processing, yes, AppleScript can do that. I didn't try to build that in because I am under the impression that you know some other language/shell scripting tool better than AppleScript, so it makes better sense for you to put as much of the work into the parts you know, in order to make debugging easier. One method of doing it in AppleScript:
set x to "/Volumes/ShareName/path/to/file" -- stand-in for a POSIX path found somehow for a file on a connected server
if (the offset of "/Volumes/" in x) is 1 then
    -- "the offset of" uses 1-based offsets, not 0 as in most languages
    set x to text 10 through -1 of x
    -- This removes "/Volumes/" from the beginning of x
    set x to text ((the offset of "/" in x) + 1) through -1 of x
    -- That removes up through the next slash, which is the volume name
    set x to "/Path/To/The/Share/Point/On/The/Server/" & x
else
    error "The path isn't in /Volumes/, so either the server is mounted in a nonstandard way or the path isn't on a remote host at all." number 9000
end if
(The other method of which I am aware is to change AppleScript's text item delimiter to "/", convert the path to a list, test whether the first item is "Volumes", then put together items 3 and up into a string again. I have always had a semi-irrational prejudice against using this method because Apple's documentation circa about 1996, from which I learned AppleScript, made it sound like this might be dangerous, but it works.)
The Finder (which can be scripted) can apparently change ownership and permissions -- a fact which I did not know until just now; I must have missed it last time I looked for it -- and of course "do shell script" can be used to call "chmod" and "chown". The problem with both of these methods, vis-a-vis your particular difficulty, is that your files are not local. You could turn on Remote Apple Events and have the Finder do it, but that's really a security hole. And a potentially maddening one to figure out if anyone starts exploiting it.
I'd stick with a CGI and the cron/named pipe scheme. No matter what you do you're going to have a little extra security risk, just because chown requires root permissions, but minimizing that risk is probably a good thing.
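A sketch of the root-side validation that notes B and C in the reply above call for, applied to the `user:path/to/file` line format. It is an added example, not code from the thread, and it is written in Python rather than Perl. The function names, the allow-list of users and the hard-link check are assumptions of this example; `apply=False` gives a dry run so it can be tried without root.

```python
import os
import pwd
import stat
import tempfile

class Rejected(Exception):
    """The request failed validation; nothing was changed."""

def parse_request(line):
    """Split one 'user:path/to/file' line, the format the reply describes."""
    user, sep, path = line.rstrip("\n").partition(":")
    if not sep or not user or not path or "\0" in path:
        raise Rejected("malformed request")
    return user, path

def open_inside(share_root, path):
    """Open path beneath share_root, refusing symlinks at every component."""
    root = os.path.normpath(share_root)
    path = os.path.normpath(path)  # collapses '..' before the prefix test
    if not path.startswith(root + os.sep):
        raise Rejected("path is outside the share point")
    parts = path[len(root) + 1:].split(os.sep)
    nofollow = os.O_RDONLY | os.O_NOFOLLOW
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, nofollow | os.O_DIRECTORY, dir_fd=fd)
            os.close(fd)
            fd = nxt
        # O_NONBLOCK: a FIFO planted in the share must not hang the helper.
        return os.open(parts[-1], nofollow | os.O_NONBLOCK, dir_fd=fd)
    except OSError as exc:
        raise Rejected(f"cannot open path: {exc.strerror}") from exc
    finally:
        os.close(fd)

def handle_request(line, share_root, allowed_users, apply=True):
    """Validate one request in the root process; chown only if all checks pass."""
    user, path = parse_request(line)
    if user not in allowed_users:  # "makes sense in context" (assumed allow-list)
        raise Rejected("user is not eligible")
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        raise Rejected("no such user") from None
    fd = open_inside(share_root, path)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise Rejected("not a regular file")
        if st.st_nlink != 1:  # added check: a hard link may alias a file elsewhere
            raise Rejected("file has extra hard links")
        if apply:
            os.fchown(fd, uid, -1)  # acts on the checked inode, no shell involved
    finally:
        os.close(fd)
    return uid

def demo():
    """Dry-run constructed requests against a throwaway share directory."""
    share = tempfile.mkdtemp()
    os.mkdir(os.path.join(share, "docs"))
    with open(os.path.join(share, "docs", "report.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink("/etc/hosts", os.path.join(share, "docs", "link"))
    cases = {  # constructed request lines
        "valid": f"root:{share}/docs/report.txt",
        "traversal": f"root:{share}/../etc/hosts",
        "symlink": f"root:{share}/docs/link",
        "directory": f"root:{share}/docs",
        "unlisted user": f"daemon:{share}/docs/report.txt",
        "malformed": "chown everything please",
    }
    results = {}
    for label, line in cases.items():
        try:
            handle_request(line, share, {"root"}, apply=False)
            results[label] = "ok"
        except Rejected as exc:
            results[label] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

Opening the file once and calling `fchown` on the descriptor means the ownership change lands on the same inode that passed the checks, even if the path is swapped between validation and the chown.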

Similar Messages

  • Group and display characteristics in a user friendly way

    Hi all,
    We have a scenario where we have created a DOC type which we assigned to a class with several characteristics.
    The problem is that the characteristics are not displayed in a very user friendly way in tab "additional data".
    Is there any customizing we can do in order to group the characteristics?
    For example:
    -Is it possible to show 3 or 4 characteristics and then have an empty line and then show another 4
    -or Is it possible to customize to create sub tabs?
    Any other ideas that can make it easier for the end users to change/display their characteristics would be helpful!
    Best Regards
    Mikael

    Hi,
    Is there any customizing we can do in order to group the characteristics?
    For example:
    -Is it possible to show 3 or 4 characteristics and then have an empty line and then show another 4
    -or Is it possible to customize to create sub tabs?
    All the configuration data is stored in some tables. So adding some lines as a separator into a database won't be possible since tables have fields which have certain data types which won't match the requirement.
    Hence your requirement cannot be met.
    Hope this answers your query.
    Regards,
    Deepak Kori

  • Most user friendly way to browse document libraries for saving documents

    We are trying to figure out the most user friendly way to save office documents to different site collection document libraries.  The locations appear fine when we click "save as" for recent folders.  We can even click browse and use
    the up arrow for getting closer to the root path of the site.  This works fine, but there is not an easy way navigate to a different site collection.  Sure, I can copy/paste the web address in the file path, but I think that is asking too much for
    basic end users.  Is there a different approach I am not aware of?
    Thanks,

    How about Link a library to the Windows Favorites Folder, the use favorite to save document.
    https://www.youtube.com/watch?v=VJeRX-h7Hjw
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.

  • Load external text in a user friendly way

    Ok this is what i want to do.
    I know how to load external text files in AS3 but I want the user to be able to do it from within my excited swf file. The obvious way to do this is to load the text file  using a string from a dynamic text field (e.g: "myfile/myTextFeild.txt") but i want it to be more user friendly.
    If you click file open in Microsoft word, for example, you get the user friendly open box where you can find the file you want to load by browsing through your hard-drive.
    Can you do something like this in AS3?
    Any feedback would be much appreciated.
    Thanks

    see if you can extrapolate the path from there. FileReferenceList.browse()

  • Handling constraint violations in a user friendly way

    How do you trap constraint violation errors in a user friendly manner ...
    I've seen a number of related posts on the forum but have not yet seen a solution that people are happy with.
    Ideally, I'd like to:
    - avoid displaying the 'raw' oracle error to the user
    - display a user-friendly message in an alert box
    - send the user back to the entry forms with his
    entered data present.
    This requirement seems fundamental to the development of a reasonable application, somebody must have solved it.

    I'm no expert, but here's info from my own experience.
    1. Trap those pk/uk constraint violations in an appropriate exception block. Get this working and test it under all conceivable exceptions.
    2. Write an exception handler, producing the javascript/html/redirects you need.
    Oracle exception handling is pretty mature, but you need to put some effort in to catching everything listed in the package throws declarations.
    If you're working with forms or other components the approach is different, but you weren't terribly specific in your question.

  • User friendly way to let user pick a report?

    I have a table that stores report names, the user that generated the report and report date. What is the best method for displaying a list of available reports and letting the user select one for viewing? Would it be an LOV?
    Darren

    Hai,
    Try Tree View Or List item with List Style as Tlist. Because the user can see more than 1 report name at a time.
    Regards,
    Manu.

  • Send a Command to many servers at same time

    Hello.
    Could someone please tell me that there is a simple way to send a command to many servers at one time without using Invoke-command  powershell cmdlet???

    Hi,
    You can use the free utility by Microsoft - PsExec.
    PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.
    Checkout the below thread on similar discussion,
    Running a command on multiple Windows servers
    Regards,
    Gopi
    JiJi Technologies

  • I was found I pad Air is not that user friendly than I pad 4 even I pad 2, as I was a TaoBao fans and every time when I get in their link, I pad Air cannot show all the pictures on the screen and very slow. It make me very disappointed about this issue.

    I was found I pad Air is not that user friendly than I pad 4 even I pad 2, as I was a TaoBao (www.taobao.com) fans and every time when I get in their link, I pad Air cannot show all the pictures on the screen and very slow. It make me very disappointed about this.  Could you please help to improve this. Thank you very much!

    iPad running slow? How to speed up a slow iPad
    http://appletoolbox.com/2012/07/ipad-running-slow-how-to-speed-up-a-slow-ipad/
    If You Think iOS 7 Feels Slow Here’s How to Speed It Up
    http://osxdaily.com/2013/09/23/ios-7-slow-speed-it-up/
    You may have many apps open which can possibly cause the slowdown and possibly the loss of wifi. In iOS 4-6 double tap your Home button & at the bottom of the screen you will see the icons of all open apps. Close those you are not using by pressing on an icon until all icons wiggle - then tap the minus sign. For iOS 7 users, there’s an easy way to see which apps are open in order to close them. By double-tapping the home button on your iPhone or iPad, the new multitasking feature in iOS 7 shows full page previews of all your open apps. Simply scroll horizontally to see all your apps, and close the apps with a simple flick towards the top of the screen.
     Cheers, Tom

  • Is there a way to go back to the old calendar system rather than the one currently in ios7?  The ios7 calendar is cumbersome and not user friendly.

    Is there a way to go back to the old calendar system rather than the ios7 calendar?  The ios7 calendar in the iphone does not allow one to see the exact time of appointments in the month mode, it is not user friendly.  It's lost its flexibility.  How can I go back to the old operating system?

    I'm sorry, but Apple does not provide a downgrade path for iOS. Because downgrading is unsupported by Apple we cannot discuss it on these forums.
    You may leave comments at Apple Feedback.

  • This is old. ITunes doesnot have a support you can call to get things done.  There needs to be an easier way to contact them? The screens are not user friendly.

    Help!  I need to contact ITunes by email because they have no phones to call anyone.  The screens are not user friendly.  This makes life very difficult.

    Click Support at the top of the page, then click Contact Us.
    Very simple.

  • "Some of the object names cannot be shown in their user-friendly form"

    Error states:
    "Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object's name"
    We are receiving this error when we click on a group with ADUC and the members of that group were added from the trusted domain.  Domain A has a one way non transitive trust with domain B that is in place and active.
    We have checked every possible setting and configuration and cannot resolve this problem.  Domain A has Windows 2008 R2, domain B is 2003.  Domain A is at a windows 2008 functional level, domain b is at a 2003 functional level.
    You can add account from domain B into domain A , but they immediately turn to SIDS once you hit "apply".
    Validated trust on both ends
    triple checked DNS and see no issues
    checked policies
    dcdiag returns no errors
    Could this be a bug with having a trusted domain on 2003 and the non-trusted domain on 2008 R2?

    Hi,
    This error occurs if:
    (1) the other domain is not available (meaning, not connected or name
    resolution is bad, etc)
    (2) the object in the other domain has been deleted
    (3) Broken secure channel
    Please refer to the below link:
    http://us.generation-nt.com/answer/objects-names-translation-help-77158972.html
    Regards,
    Yan Li
    Cataleya Li
    TechNet Community Support

  • Subscription renew process not user friendly

    This morning I restarted my Mac, as it was switched off over the weekend to save power.
    I opened Dreamweaver.
    A dialog popped up: "Renew your subscription: Go to the Subscription Manager to renew your subscription for Creative Cloud Membership and continue using your product uninterrupted. "
    I clicked 'Subscription Manager'.
    This took me to the Creative Cloud page: https://creative.adobe.com/
    There were no instructions here on how to renew my subscription.
    Do I need to reinstall each of the apps I am currently using via the Download links (which open Adobe Application Manager)? This is inconvenient because it means waiting for each of these apps to be downloaded.
    The whole process is really un-user-friendly and is creating a very slow start to the week as I cannot resume any work until my apps are reactivated.
    If this is to be a regular occurence is there some way for me to schedule this reinstall process to a time that is convenient for me (eg Friday afternoons every 3 months) so that I do not have these slow starts to the working week?
    Thanks.

    You can renew your subscription by going to the "My Adobe" page on Adobe.com: https://www.adobe.com/account.html. From there, click on "My subscriptions and services" under "My products and services". You will be taken to a page that shows your Creative Cloud subscription with an option to renew. You should not need to reinstall any of the applications you have downloaded.
    Thank you for mentioning the broken link from the application dialog box. I can file a bug report for you and hopefully this issue can be fixed soon!

  • This entire Apple Support Community feedback is not user friendly or meant for us oldies.

    Hi
    Thanks for the 2 replies from different people.  It's taken me 2 hours to try and find a way to respond to my 2 emailers...to NO avail.  I've tried so much that I can't even remember what I've done or where I've been to repeat the action.  Apple Support Community is too complicated for this old man to find/use or answer back on.  I'll be leaving Apple/itunes for good, and if I loose my purchased and/or personal library of 9,000 songs so be it.  Time to go android.  Perhaps it's easier to navigate than this mess.  This isn't user friendly at all, and doesn't answer very much because I can't answer back with parts of my dilemma I just do NOT understand.  I've tried in my 2nd message to the community to be concise and exact on my issue to no real avail.  It's NOT only my desire to go back to version 9...but the icloud debacle, and the genius issue as well.  AAARGH!!!
    But a huge thank you to my responders.  I'm afraid to use that last bit of help because I have questions upon questions.  That sounds like a band-aid rather than a true fix.  And personally I do NOT find version 11 the same as previous versions.  I really don't want it.  I want what I was comfortable and familiar with for the last 5-6 years...not this mess.
    Best wishes everyone and audios and a huge THANK YOU.

    and find a way to respond to my 2 emailers...to NO avail
    You don't respond to emailers because no one is emailing you. (looks like I am one of them).
    Apple Support Community (ASC) is emailing you because you subscribed to your topic post.
    When someone responds to your post in ASC, ASC will send you an email informing you there was a response to the topic you posted here.
    You then go to that post and review it and respond if you wish.
    To turn off emails from ASC, see this -> https://discussions.apple.com/docs/DOC-3661
    I'll be leaving Apple/itunes for good,
    Really? Just because you got an email?
    This isn't user friendly at all, and doesn't answer very much because I can't answer back with parts of my dilemma I just do NOT understand.
    You seem to be doing fine here -> https://discussions.apple.com/message/24556207#24556207
    then you abandoned your first topic and posted again here -> https://discussions.apple.com/message/24557775#24557775

  • How to create user-friendly MDX parameters for MS Reporting Services?

    In SQL Server Reporting Service, when I connect to my cube to create a dataset, in Query Designer I create my query with a filter. It creates the following MDX for me:
    SELECT NON EMPTY
    KPIValue("KPI1"), KPIGoal("KPI1"), KPIStatus("KPI1")
    ON COLUMNS, NON EMPTY
    [Create Date].[Month Num].[Month Num].ALLMEMBERS * [Create Date].[Hierarchy].[Month].ALLMEMBERS
    DIMENSION PROPERTIES MEMBER_CAPTION,
    MEMBER_UNIQUE_NAME ON ROWS FROM
    ( SELECT
    ( STRTOSET(@CreateDateYear, CONSTRAINED) )
    ON COLUMNS FROM [ERP])
    WHERE
    ( IIF( STRTOSET(@CreateDateYear, CONSTRAINED).Count = 1,
    STRTOSET(@CreateDateYear, CONSTRAINED),
    [Create Date].[Year].currentmember ) )
    CELL PROPERTIES VALUE, BACK_COLOR,
    FORE_COLOR, FORMATTED_VALUE,
    FORMAT_STRING, FONT_NAME, FONT_SIZE, FONT_FLAGS
    When I add this dataset, Reporting Services creates a parameter named CreateDateYear. When I pass a value like "2014" to this parameter I get nothing and I have to pass a value like
    [Create Date].[Year].&[2014].
    How can I change my report to change this parameter for passing the value like "2014" instead of ugly and not user-friendly string
    [Create Date].[Year].&[2014]?

    Hi ,
      Follow the below steps
      1. Create a dataset with MDX as below which would return the member caption (2005,2006 etc) and member uniquename ([Date].[Calendar Year].&[2005],[Date].[Calendar Year].&[2006] etc)
    WITH MEMBER [Measures].[ParameterCaption] AS [Date].[Calendar Year].CURRENTMEMBER.MEMBER_CAPTION
    MEMBER [Measures].[ParameterValue] AS [Date].[Calendar Year].CURRENTMEMBER.UNIQUENAME
    SELECT {[Measures].[ParameterCaption], [Measures].[ParameterValue]} ON COLUMNS
    , [Date].[Calendar Year].ALLMEMBERS ON ROWS
    FROM [Adventure Works]
    2. In the parameter's available values choose the above data set and set the options as 
    Value Field = ParameterValue
    ValueCaption = ParameterCaption
    In this way the user will see only the years and based on the selection the respective values will be passed to the dataset as parameter.
    Best Regards Sorna

  • They did not get my itune gift card in email. It is not very user friendly to get to a place where I can resend to them.  How can I get a new email sent with their gift? It was for Christmas

    I bought an itune gift card but my sister never received her email.  I can not easily find where to resend.  I did send an email for help but this is just not very 'slick' or user friendly.  How can I get her itune CHRISTMAS gift card re-sent?

    Having the same issue. My bank account has already been charged, but I can't find the purchase anywhere in my Apple account history to retrieve a code, and my son still has not received an email. This is not cool. I'm beginning to understand why so many people dislike the company.
