SUPER +               Add SV equivalence and leave it switchable.
SUPER + User=Admin    Make user ADMIN SV equivalent; make switchable.
SUPER SYSCON          Execute SYSCON as supervisor.

SUPER.EXE (Windows version)

The Windows version displays the SUPER status of up to 8 servers at
a single glance.

Advantage:
* Nice icon
* Up to 8 servers at one glance
* Point and Click

Limitations:
* Not applicable to other users
* No commands executable with temp SV rights.

Background:

SUPER allows a user who is Supervisor equivalent to do the
daily work as normal user, while Supervisor equivalence is
available when needed. This reduces the risk of accidental
damage to files caused by carelessness, unattended
workstations, or viruses.

"SUPER -" will modify the security byte of your bindery
property SECURITY_EQUALS to 0x22 (read/write object). This
allows the user to change his/her own security equivalences.
Then the Supervisor equivalence is removed.

Since the user may change the equivalences now, he/she can
later add Supervisor equivalence with "SUPER +" when needed.

"SUPER <command>" will first add Supervisor equivalence,
then execute the command, and finally remove Supervisor
equivalence.

NetWare v3.12 considerations:

This NetWare version does not allow setting the bindery
property SECURITY_EQUALS to 0x22. On NetWare v3.12 SUPER
will make the user manager of self and SUPERVISOR. Again,
this is not a security breach, since s/he was SUPERVISOR
equivalent anyway.

NetWare v4.x considerations:

SUPER affects only objects in the current bindery context.
The 'Switchable' flag cannot be set, however.
SUPER will try to make you equivalent to SUPERVISOR and (if
available in the bindery context) to ADMIN.

Hints, Internals, Security and Warnings:

SECURITY.EXE brings a warning:
'Has incorrect access security on the SECURITY_EQUALS property'.

BINDFIX warns:
'Warning: Object property SECURITY_EQUALS has incorrect
security flags.'

Basically, for each user there is a standard property in the bindery
associated with the user called SECURITY_EQUALS, which contains a
list of users and groups to which that user has security equivalence.
When a user is created, the rights to this property are Supervisor
Write (meaning that only a supervisor equivalent can grant or change
equivalences) and User Read (meaning that a user can read their own
equivalences). The supervisor also has the ability to change the
rights mask to this property.

This is what SUPER.EXE does: it changes the rights mask for a
user (can only be done by somebody with supervisor equivalence) so
that the user then can add their own security equivalences.

"SUPER -" will modify the security byte of your bindery property
SECURITY_EQUALS to 0x22 (read/write object). This allows the user
to change his/her own security equivalences.

SUPER allows a user who is Supervisor equivalent to do the daily
work as normal user, while Supervisor equivalence is available when
needed. This reduces the risk of accidental damage to files caused
by carelessness, unattended workstations, or viruses.

SOLUTION

The warnings are expected and desired in combination with SUPER
since a supervisor should be informed about the existence of other
supervisors - even the 'hidden ones' with non-standard security
access flags.

If the users that were highlighted in SECURITY or BINDFIX did NOT
use SUPER there might be a severe security gap, because these users
have received their rights from other sources. You can use SUPER
(DOS) to correct this, however. SUPER has parameters that allow
resetting the bindery flag to its original state - obviously this
will prevent these users from receiving SV equivalence with SUPER.

This program was written by Wolfgang Schreiber in Borland's Turbo Pascal
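
The audit check behind those warnings, as an added example (not SUPER's code and not Novell's): it decodes each user's SECURITY_EQUALS security byte and reports the ones writable below supervisor level. It assumes the standard bindery encoding, which this page does not spell out (high nibble = write level, low nibble = read level; 0 anyone, 1 logged, 2 object, 3 supervisor, 4 NetWare); the user records are constructed sample data.

```python
# Added example: audit SECURITY_EQUALS access flags exported from a bindery.
# Assumed encoding (standard bindery convention, not stated on this page):
# high nibble = write level, low nibble = read level.
LEVELS = {0: "anyone", 1: "logged", 2: "object", 3: "supervisor", 4: "netware"}
SUPERVISOR = 3


def decode_flag(flag):
    """Split a bindery security byte into (write_level, read_level) names."""
    write, read = flag >> 4, flag & 0x0F
    if write not in LEVELS or read not in LEVELS:
        raise ValueError(f"invalid bindery security byte: {flag:#04x}")
    return LEVELS[write], LEVELS[read]


def audit(records):
    """Return users whose SECURITY_EQUALS is writable below supervisor level.

    Such users can add equivalences to their own object, which is the
    condition SUPER creates on purpose with the 0x22 flag.
    """
    findings = []
    for user, flag in records:
        write, read = decode_flag(flag)
        if flag >> 4 < SUPERVISOR:
            findings.append((user, f"{flag:#04x}", f"write={write}, read={read}"))
    return findings


# Constructed sample: (user name, SECURITY_EQUALS security byte).
SAMPLE = [
    ("ALICE", 0x32),  # supervisor write / object read (freshly created user)
    ("BOB", 0x22),    # object read/write, the value the page says "SUPER -" sets
    ("CAROL", 0x31),  # supervisor write / logged read
]

if __name__ == "__main__":
    for user, flag, detail in audit(SAMPLE):
        print(f"{user}: SECURITY_EQUALS flag {flag} ({detail}) - confirm SUPER was used")
```

Each reported user should be matched against the list of people known to use SUPER; anyone else falls under the "rights from other sources" case described above.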