5

Effective Permissions displays incorrect information

view full story
linux-howto

http://serverfault.com – I have a security mystery :) Effective permissions tab shows that a few sampled users (IT ops) have any and all rights (all boxes are ticked). The permissions show that Local Administrators group has full access and some business users have too of which the sampled users are not members of. Local Administrators group has some AD IT Ops related groups of which the sampled users, again, appear not be members. The sampled users are not members of Domain Administrators either. I've tried tracing backwards (from permissions to user) and forwards (user to permission) and could not find anything. At (HowTos)

taskli's picture
Submitted by taskli on 07/04/2012 – Made popular on 07/04/2012

Stories similar to Effective Permissions displays incorrect information

Managing users is an important activity in Linux. For a Sysadmin, you want different access permissions for developers, maintainers and moderators. Groups are an easy way to categorize users. Rights/permissions given to a group will be applicable to all its members. In this howto, I will tell you how to add users to a group.

I've created an NFS share on my ubuntu 12.04 machine and am now trying to properly set up permissions on it.

I need to prevent users from looking up the membership of groups that they are not members of.

So for example,

Bob is in GroupA but not GroupB, so if Bob were to look at properties in AD he would see all the members of GroupA but non of the members of GroupB.

This is part of a QA test for software that enumerates groups using IADsGroup.IsMember.

I'm getting 'Access Denied' errors when trying to connect users to network drives. A user belongs to the 'Users' group and file permissions are set as such on drive P:

Security: Administrators - Full Control Authenticated Users - Modify SYSTEM - Full Control Users - Read & Execute

Sharing: Everyone - Full Control

This is on Windows Server 2003.

I've got a particularly vexing issue that I can't quite seem to figure out.

One of the devs here wrote a very simple web app that takes user input and sends it as a specially-formatted email to our clients.

I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).

The sandbox user is not in any group. So it shouldn't have any permissions, right?

We have a Windows 2003 single domain. A share located on a server have full rights for every authenticated users. Under this share, a folder is read-only for everyone (except Administrators group). Everything work as intended.

I discovered one user who, from his Windows 7 pro workstation, have full access on this folder. He can do whatever he wants.

I'm hoping someone can help me with this NTFS permissions problem. The short version is that I can't write a new file in F:\SomeDir even though I seem to be granted full permissions via both the "Domain Admins" group and a second unprivileged group.

Whenever I run the Group Policy Result wizard and select a Domain Controller as the target computer, the summary shows BUILTIN\Administrators in the list of "Security Group Membership when Group Policy was applied" under Computer Configuration, as illustrated below:

(Domain, user and computer name left out)

Since Domain Controllers are not a member of Administrators (at least not from what I ca