Hi,
Does anyone know a way to avoid the following "feature":
SETUP)

HostA runs DEC OSF/1 3.0 with Pathworks v5.0c (primary domain controller).

Various values in lanman.ini:

    [server]
    security=user
    [lmxserver]
    ignoreunix=no
    fullpermcheck=yes

(These are all default values)

OSF/1 account userb has home directory /home/userb.

Pathworks user userb is mapped to OSF/1 account userb:

    hosta:> mapuser -l userb
    USERB=userb

Userb has full Pathworks access to his home directory:

    hosta:> net access 'C:\HOME\USERB'
    Resource Permissions Permissions
    -----------------------------------------------------------------------
    C:\HOME\USERB
    USERB:RWCXDAP
    The command completed successfully.

PROBLEM)
If userb from his unix account makes the following symbolic link:
cd; ln -s / all
he will have access to all files on HostA through the Pathworks server
using \\hosta\userb\all\ as the UNC name of the root of the filesystem.
The access through Pathworks will not be limited by Pathworks access rights,
since USERB:RWCXDAP will be used to limit access. Userb will still be
somewhat limited by unix access rights, though.
It seems to me after realizing this, that it is impossible to enforce an
access policy to the Pathworks shares based on Pathworks access rights,
unless I move these shares to another host, where there are no directories
simultaneously accessible by Pathworks and unix.
Moreover, (the real) HostA functions as a central Pathworks and NFS
fileserver, serving user home directories. The users are disallowed
interactive unix login through the passwd file (* passwd field, /bin/false
as shell). I would like a.o. the content of various "world readable"
system files on HostA not to be accessible by the users. But due to the
possibility of making symbolic links this is not possible.
Is there some lanman.ini variable I do not know of like the
SymLinksIfOwnerMatch facilities in the NCSA httpd?
Niels Jørgen Kokholm | email: kokholm_at_math.ku.dk
Matematisk Institut | phone: +45 3532 0759
Universitetsparken 5
DK-2100 København Ø
Denmark
Received on Mon Dec 04 1995 - 12:19:57 NZDT
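
Added example, not part of the original post and not a Pathworks feature: an audit an administrator could run over a share root to list symbolic links that resolve outside the share, such as the `all -> /` link described above, plus links whose owner differs from the target's owner (the rule the post attributes to NCSA httpd). The function names `audit_share` and `demo` and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

def audit_share(share_root):
    """List symlinks under share_root that a share-aware server should not follow.

    Returns (link_path, resolved_target, reason) tuples.
    """
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: the audit itself must never walk through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) != root:
                findings.append((link, target, "escapes share root"))
                continue
            try:
                # Owner-match rule: link owner must also own the target.
                same_owner = os.lstat(link).st_uid == os.stat(target).st_uid
            except OSError:
                findings.append((link, target, "dangling link"))
                continue
            if not same_owner:
                findings.append((link, target, "owner mismatch"))
    return findings

def demo():
    """Constructed tree mirroring the post: a home share containing all -> /."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(os.path.realpath(tmp), "home", "userb")
        os.makedirs(os.path.join(home, "docs"))
        notes = os.path.join(home, "docs", "notes.txt")
        open(notes, "w").close()
        os.symlink("/", os.path.join(home, "all"))      # the link from the post
        os.symlink(notes, os.path.join(home, "notes"))  # stays inside the share
        return [(os.path.relpath(l, home), t, r) for l, t, r in audit_share(home)]

if __name__ == "__main__":
    for link, target, reason in demo():
        print(f"{link} -> {target}: {reason}")
```

A periodic audit like this only detects links after they are created; a user can add a link between runs, so it complements rather than replaces a check made by the file server at access time.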