Questions tagged [access-control-list]

An access-list is a list of rules, usually held on network devices such as switches, routers or firewalls, that matches network traffic. The specific term 'access-list' is used in the context of Cisco devices, although the concept of an 'access list' is more generic.

132 votes
3 answers
354k views

What does Apache's "Require all granted" really do?

I've just updated my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following: <Directory "/home/john/development/foobar/web"> ...
John Crawford
59 votes
4 answers
116k views

linux/setfacl - Set all current/future files/directories in parent directory to 775 with specified owner/group

I have a directory called "members" and under it there are folders/files. How can I recursively set all the current folders/files and any future ones created there to by default have 775 permissions ...
Maverick
  • 1,581
38 votes
11 answers
178k views

How to take ownership of files from the command line?

Every so often I run into a file that I need to take ownership of. I normally use cacls for changing ntfs permissions, but it doesn't seem to do ownership. Under *nix I would run something like ...
Joe
  • 1,555
33 votes
8 answers
48k views

How to work around the NTFS Move/Copy design flaw?

As anyone that has dealt with file server permissions is aware, NTFS has an interesting design feature/flaw known as the Move/Copy problem. As explained in this MS KB article, the permissions for a ...
David Archer
23 votes
4 answers
81k views

icacls granting access to all users on windows 7

I'm trying to give full access (read, write) to a specific folder to all users on Windows 7. The problem is that I don't know how to do that using icacls.
Alfredo Osorio
23 votes
6 answers
21k views

Why does cp not respect ACLs?

A common way to set up a directory for file sharing within a group, is: $ mkdir foo $ chgrp felles foo $ chmod g+ws foo $ setfacl -m group:felles:rwx foo $ setfacl -dm group:felles:rwx foo This ...
bhm
  • 351
20 votes
3 answers
87k views

Change owner recursively with Powershell?

I'm trying to use Powershell to change owner of a folder, recursively. I'm basically using this code: $acct1 = New-Object System.Security.Principal.NTAccount('DOMAIN\Enterprise Admins') $...
Mikael Grönfelt
19 votes
3 answers
66k views

How do I match a wildcard host in ACL lists in HAproxy?

I have the following lines in my haproxy.conf: acl valid_domains hdr(Host) -i mysite.com images.mysite.com docs.mysite.com admin.mysite.com redirect location http://mysite.com/invalid_domain if !...
Tom
  • 731
19 votes
2 answers
18k views

Difference between 0.0.0.0/0 and ::/0 in access control lists

When setting up access control lists, what's the difference between 0.0.0.0/0 and ::/0? I'm seeing this for an AWS EC2 instance I'm setting up
Hassan Baig
  • 2,395
18 votes
2 answers
13k views

Why does chmod(1) on the group affect the ACL mask?

I am trying to understand this Unix behavior (which I happen to be testing on Ubuntu 11.10): $ touch foo $ setfacl -m u:nobody:rwx foo $ getfacl foo # file: foo # owner: michael # group: michael user:...
Michael Kropat
17 votes
1 answer
62k views

HAProxy ACL multiple OR conditions

Using Haproxy 1.5.12 running on Ubuntu 12.04 I need to restrict access to my website to requests either coming from certain IPs or having a defined parameter in the request. So for example the ...
jeremyjr
  • 375
16 votes
2 answers
18k views

setfacl to reset file to default permissions?

I have a directory with the following default ACLs: default:user:phptutor:rwx However, none of the files/directories in that directory have that default permission (because it was added after they ...
hopeseekr
  • 281
16 votes
4 answers
14k views

How do I copy ACLs on Mac OS X?

Most Unix derivatives can copy ACLs from one file to another with: getfacl filename1 | setfacl -f - filename2 Unfortunately Mac OS X does not have the getfacl and setfacl commands, as they have rolled ...
MagerValp
  • 311
15 votes
2 answers
28k views

Can I override my umask using ACLs to make all files created in a given directory world readable?

Assume that my umask is 0077. I have a directory, foo, that I want to have special permissions applied to it. All files I create in foo should be world readable, and all directories should be world ...
stickmangumby
15 votes
3 answers
7k views

Working around an AWS network ACL rule limit

At a maximum, a VPC network ACL can have 40 rules applied. I have a list of over 50 IP addresses that I need to explicitly block access to in our systems, over any port and any protocol. This is an ...
emmdee
  • 2,227
14 votes
1 answer
31k views

setfacl: x.txt: Operation not supported

What I did and what it did: > getfacl x.txt # file: x.txt # owner: cwhii # group: cwhii user::rw- group::r-- other::r-- > groups cwhii adm dialout cdrom plugdev lpadmin admin sambashare > ...
CW Holeman II
13 votes
5 answers
19k views

How can I add ACL permissions for IIS APPPOOL\* accounts via Powershell?

I want to be able to set the IIS account for new websites to have modify permissions. I have the following script: function Set-ModifyPermission ($directory, $username, $domain = 'IIS APPPOOL') { ...
bdukes
  • 235
13 votes
6 answers
30k views

Fixing "This access control list is not in canonical form" errors from the command line

On several of our developer workstations, we've been getting the dreaded "This access control list is not in canonical form and therefore cannot be modified." error when we try and set permissions on ...
splattered bits
13 votes
3 answers
27k views

Can Samba support full Windows-ACLs?

I've set up a Samba 3 host with AD integration and an ACL-enabled filesystem. Using a Windows client I can set users and groups permissions. Up to now, Samba just maps to POSIX ACL's rwx permissions, ...
fabian
  • 131
12 votes
5 answers
21k views

Resetting NTFS Permissions Disk Wide

Someone messed up majorly in setting permissions on an NTFS drive and I'm looking at a way to reset all permissions to default. The OS will be reinstalled but I'm trying to salvage data from their ...
Andrew Moore
11 votes
3 answers
17k views

How to allow members of a group to change file permissions on linux

I need to allow members of the group 'ftpusers' to be able to change permissions on all objects inside a certain directory. I was looking into how to do it but all I have found is how to do it on BSD: ...
Drasko
  • 135
11 votes
4 answers
32k views

How to set Linux Default ACLs differently for directories and files

I have some ACLs defined on a directory as so: # owner: root # group: root user::rwx group::r-- mask::r-x other::r-- default:user::r-- default:group::r-- default:mask::r-x default:other::r-- I would ...
joshperry
  • 325
10 votes
8 answers
6k views

Is this a recommended/valid approach for file server permissions?

File servers are a fact of life in IT and I'm curious if there are any generally accepted practices (I hesitate to use the word "best" here) for how you create groups and apply permissions for ...
David Archer
10 votes
1 answer
988 views

Can I "merge" two groups using SID history?

I have two AD groups which were erroneously created while there should instead have been only one group; they contain the exact same users. However, these groups have been assigned various permissions ...
Massimo
  • 70.7k
9 votes
3 answers
20k views

How are Windows MachineKey Container File Names Derived?

In the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys directory there's an enumeration of Key Containers. The naming convention is <uniqueGUID>_<staticGUID> and I presume the <...
Colyn1337
  • 2,417
9 votes
1 answer
1k views

Apache2: allow/disallow access to a directory by time on day

Let's say I have a directory I want to restrict access that way, so that users can access the directory only on like 6am to 6pm. I know how to do this by using PHP (using time()%86400). But can I do ...
lkp111138
  • 236
9 votes
3 answers
1k views

What good Active Directory + Exchange competition is there?

Based on this question regarding enhanced permission support in filesystems, what is the best permissions + directory and mail stack to compare against Active Directory on NTFS with Exchange? I'm ...
warren
  • 18.6k
9 votes
2 answers
17k views

Proxying TCP by hostname

I've got multiple game servers TCP ports on my single host machine. The goal is to have users be able to connect to server1.domain.net and have their directed based on that subdomain. My first ...
shaun m
  • 363
9 votes
1 answer
26k views

How to correctly ldapmodify replace olcAccess lines?

This is a part from olcDatabase={1}hdb.ldif olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=somesite,dc=com" write by * none olcAccess: {1}...
Terence
  • 281
9 votes
1 answer
12k views

Haproxy: reject traffic by user agent from file

I am trying to reject connections from specific user agents (by matching a substring of the user-agent header) using an haproxy ACL with -f option to read from a file. However it is not working, it ...
raugfer
  • 221
9 votes
0 answers
223 views

Setting up IPv6 ACLs on 3com 5500g to block Router Advertisement messages

Is there a way to set up IPv6 ACLs on 3com 5500g switch to block RA traffic on access ports? I couldn't find settings for setting up any IPv6 ACL. According to guides, there should be ipv6 specific ...
phandox
  • 101
8 votes
1 answer
17k views

Setfacl: Operation not supported [duplicate]

Possible Duplicate: setfacl: x.txt: Operation not supported I am trying to do: setfacl -m d:u:apache:rw /etc/asterisk/additional/ but getting: setfacl: /etc/asterisk/additional/: Operation not ...
Tim
  • 83
8 votes
2 answers
4k views

Exim4 - temporarily freeze outgoing emails from specific user

I need to temporarily freeze outgoing emails from specific sender with exim4. The sender logs in with remote SMTP (i.e. over TCP/IP). What I want to do is to freeze (but not deny) all his emails so I ...
Viktor Stískala
7 votes
3 answers
8k views

A network share folder is invisible to users

I have a network share folder that I was recently cleaning up permissions to. I took off the four individual names from the access permissions to the folder, and added a new security group (Universal) ...
Myrddin Emrys
7 votes
4 answers
4k views

How do I clone ZFS ACLs from one file to another?

I'd like to clone all the ZFS ACLs from one file to another. With POSIX ACLs this can be done by piping the output of getfacl to setfacl. Is there an easy and quick way to do this with the NFSv4 ...
Kamil Kisiel
  • 12.3k
7 votes
2 answers
9k views

Is there a performance impact of direct AD universal groups assignment?

I'm implementing a tool which secures certain shared resources within AD forest (mostly file shares). By some criteria a list of users from different domains is generated, those users are added to a ...
Aides
  • 171
7 votes
1 answer
3k views

How can I use POSIX ACLs on an NFSv4 mount in Linux?

I have recently transitioned a Linux fileserver from offering only NFS v3 to also offering NFS v4. All of our clients happily started using NFS v4 automatically. Unfortunately, this effectively ...
asciiphil
  • 3,106
7 votes
2 answers
21k views

haproxy acl - accept only from specific IPs

I've got haproxy and need to provide smtp to servers which do not have direct connection. Here is portion of my config: listen smtp 10.12.23.10:3025 mode tcp server smtp 172.30.33....
sashk
  • 334
7 votes
1 answer
119 views

In what ways can access token update be triggered for administrator accounts on workstations?

This scenario emerged when changing the domain group membership that bestows membership in BUILTIN\Administrators. In particular, the group membership for the administrator did not update on the ...
alx9r
  • 1,653
6 votes
5 answers
12k views

How can I make an internet facing TFTP server secure?

I have many Cisco IP phones that operate in the following manner (oversimplified): Negotiate with DHCP for IP, DNS, TFTP, etc. Look for SEPXXXXXXXXXXXX.cnf.xml configuration file on TFTP server where ...
getsauce
  • 101
6 votes
1 answer
38k views

Replace permission entries on all child objects using icacls

I'm trying to set Replace permission entries on all child objects using icacls but I can't seem to do it. I want new folders/files to receive the permissions as well so I want to check the box Replace ...
never_odd_or_even
6 votes
2 answers
1k views

How NTFS folder access is checked in an Active Directory domain?

I understand that both NTFS folders and AD objects use security descriptors and DACLs to check user/process access (MS Learn - How access check works). However, how does the access check resolve ACEs ...
Grasshopper
6 votes
2 answers
18k views

file ownership for new files with administrator - why is it giving ownership to the group administrators?

I am logged in as administrator and I right click on a folder and then go to properties, then the security tab, then advanced, then the owner tab. I am not on a domain. I see that the folder has a ...
Brian R. Bondy
6 votes
4 answers
17k views

icacls, Network Service, and setting ACLs on Windows Server 2008

Setting ACLs on Windows Server 2008 via the command line is giving me some problems. As per http://web2.minasi.com/forum/topic.asp?TOPIC_ID=26907 I've tried all sorts of variations: C:\Windows\...
Ted
  • 248
6 votes
3 answers
5k views

sudo or acl or setuid/setgid?

For a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are ways to read a logfile (head/tail/cat/more, ...). I think, sudo ...
Xavier Maillard
6 votes
2 answers
5k views

Improved ACL editor for Windows file permissions

I have recently been doing a lot of updates to our network drive permissions... such as consolidating direct user permissions into group permissions. The built-in ACL editor (Advanced Security ...
Myrddin Emrys
6 votes
1 answer
12k views

Is there a way to create ACL's from scratch in powershell, as opposed to copying existing ones and modifying them?

I know that I can copy existing ACLs using get-acl and then modify them using set-acl, but is there a way I can create a new, blank acl and then add in what I need? For example: $foo = new-acl #push ...
jjcm
  • 61
6 votes
2 answers
2k views

How can I stop Samba from writing extended ACLs?

Is there any configuration option to stop Samba from writing extended ACLs for newly created files? I only found nt acl support but this seems to disable support for permissions completely. I want ...
nwellnhof
  • 235
6 votes
1 answer
4k views

What exactly is included in the Windows "Everything" security identifier (e.g. does it include computer accounts like DOMAIN\MACHINE$)?

This is a generalization of a question I initially had asked about computer accounts. I asked: When one sets Windows permissions for "Everyone", do these permissions apply to computer accounts (...
Chris
  • 1,073
6 votes
2 answers
15k views

Setting per-directory umask using ACLs

We want to mimic the behavior of a system-wide 002 umask on a certain directory foo, in order to ensure the following result: All sub-directories created underneath foo will have 775 permissions All ...
Yarin
  • 1,366
