I want to create an access rule in Linux so that only files with a certain eXtended attribute can be moved, copied or created in a certain directory regardless of my priviledges in that directory.
The xattr should be created in system or security Namespace, so that I cannot change it as a user.
To my understanding, almost all ACL systems are focused around "subject to object" access control (i.e user/process to file/directory), but what I want is "object to object" (i.e file to directory) access control.
Perhaps SELinux?
Is this even possible?
Cheers,
Kalle
Related
I would like to save an Access database as an ACCDE and also have it trusted. The reason being every time I open ACCDE I keep receiving the message:
"A potential security concern has been identified..."
I know that I can sign a ACCDC file with SelfCert.exe but thats not what I need.
I want the Access File to end with ACCDE and have the message:
"A potential security concern has been identified..." not show up.
You can create a registry key that will add the directory as a trusted location and will not show the warning anymore. What's nice about this method is that you can easily automate this to happen on the computers where you deploy your app. See method #2 or #3 in this blog: http://www.accessrepairnrecovery.com/blog/fix-microsoft-access-security-notice
And in case the blog ever gets removed, here is the important bits: [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location20] “Path”=”C:\Database\” “Description”=”My Database location”
Explanation about the key: – The number “14.0” is the version of MS Office. You can change the numbers that represent the version you are executing.
– The “Location20” is a unique name that you assign. 20 can be any number that is not previously used. Other programs include default MS Access wizards, already have used other numbers. But if you want to make more than one path as trusted location, then each location must end up with different number.
– The “C:\Database\” is the physical path that you want to set to be as Trusted Location. You can place any path that you choose here.
By copy and pasting the above coding into a text file and save it with a name such as RemoveSecurityWarning.reg, you can then run the file into your PC’s registry just by making double click on the file.
We are using PloneFormGen's SaveDataAdapter, and would like users who are not site admins to be able to download the CSV. The normal permissions don't seem to allow this. Is this possible in PloneFormGen?
You're right, there is a custom permission made for the download-view named "PloneFormGen: Download Saved Input", and Products/PloneFormGen/config.py defines that Managers, Owners and Site-admins get this permission by default.
In one of your add-on's profile-folder add a file named rolemap.xml to additionally assign roles (the default-roles will remain untouched, as they are assigned via a Python-script, not a GenericSetup-file):
<?xml version="1.0"?>
<rolemap>
<permissions>
<permission name="PloneFormGen: Download Saved Input" acquire="True">
<role name="Member" />
</permission>
</permissions>
</rolemap>
Note: This will set the permission globally, meaning you cannot restrict it to locations. For finer control per location, create a role "Downloaders", assign the download-permission to it in rolemap.xml and make the permission assignable locally via the sharing-tab of an item. For the last step one could give https://pypi.org/project/collective.sharingroles/ a try.
An alternative solution for the case that exactly one user needs to get the additional privilege for downloading the content of a save-adapter:
Append /ownership_form to the URL of the save adapter, choose new owner and save.
According to the Node-Webkit wiki the manifest for a program requires a name and this name must be globally unique because it determines the name of the directory that data files for the program are stored in.
I haven't been able to find anything else that this name is used for. Is it safe to just use a UUID as the name listed in the manifest? Or will that be exposed to the user somewhere potentially?
It's more typically related to the common program name that the user sees, but it doesn't have to be. For example on the Mac, the standard location for app specific data is ~/Library/Application Support/. When I look there I see things like GIMP, Skype, XDK &c. If your app happened to have the same name as another app, it would cause problems as they'd both writing to the same location, i.e. if I gave my app the name GIMP, both apps would try to write files to that dir.
Typically a user doesn't have to access this directly, so there's probably no harm in using a UUID here, though I would probably append it to a name related to my app name, just for clarity/simplicity, i.e. instead of making the name foo I'd make it foo-<UUID>.
But I'm no expert . . . .
I'm trying to make a bucket with Read/Write permissions for bucket/objects for particular users and Read permissions for objects only for AllUsers.
I've:
created a bucket,
added this to default acl list:
<Entry>
<Scope type="AllUsers"/>
<Permission>
READ
</Permission>
</Entry>
via: gsutil setdefacl <f> gs://bucket
added an object (test.png)
Now I'm trying to access this from browser with the url http[s]://storage.cloud.google.com/bucket/test.png but it takes me to the google account sign in page. When I signing in with another google acc (not that I've used to create project/bucket/object), which has no explicit rights set, it shows the pic.
gsutil getacl on the new object shows that READ permission is in place for AllUsers, but it works like AllAuthenticatedUsers.
Any ideas on what to do with permissions to work as expected?
When you say you added that Entry to the default ACL, you mean you added it as an element within AccessControlList.Entries, correct?
It's somewhat difficult to know what happened without seeing the full ACL text.
But also, since you're making objects publicly readable (READ permission grated for scope AllUsers), you don't need additional scopes in the bucket's default object ACL; you could simply do:
gsutil setdefacl public-read gs://bucket
and then upload objects to the bucket.
I realize you want to grant read/write permission for particular users, but write permission is controlled by the bucket ACL, not the object ACL (and thus also not by the default object ACL on the bucket).
Please try the above and let us know if you're still unable to access objects via a browser without first authenticating.
Mike Schwartz,
Google Cloud Storage team
My application stores its data in an Access 2010 database (accdb) file. It's password protected, which means it's encrypted w/ AES-128.
I'd like to add some meta data to the file that's publically available. This way older verisons of my application can investigate the file to see if it's even worth trying to open. Otherwise, they'll just get the dreaded "Unrecognized Database Format" error, which is usually associated with file corruptions.
In Windows, you can right-click on a file, click "Properties" and see attributes under the Details tab. I'd love it if I add attributes like the version of my application that last touched the file, and maybe other details. I'd like to avoid having a different file extension for each version of my app!
Is it possible to add some public meta data to an encrypted Access 2010 database?
You can add custom database properties : http://support.microsoft.com/default.aspx?scid=kb;en-us;q178745
You can change the file extension of an encrypted Access database and change the properties for that extension. The extension .enc is fairly descriptive and does not seem to be widely used.
The file will open normally when clicked and ask for the password. The icon will be recognizably Access and the description, "Encrypted MS Access" in this case, will appear under Type in a directory listing.
With NTFS, you can add an alternate data stream (ADS):
notepad.exe z:\docs\testde.enc:Extra.txt
Reading the stream:
more < testde.enc:extra.txt
More information: http://www.think-techie.com/2010/04/alternate-data-streams.html
http://www.irongeek.com/i.php?page=security/altds
This is a tough nut to crack! An application must read information about the ACCDB, but that information can't be stored in the ACCDB because you want the read without opening the ACCDB. And you can't use the suggested file system methods because this must work under Wine on Mac (I assume from another of your questions).
The only solution I can see is to create a companion file (with same base name but different extension) to hold the metadata. So if your application wants to know about SomeDb.accdb, it would look for a file named SomeDb.metadata and read that instead.
I suggested a kludge for your earlier question ... unfortunately this is another. :-) However, it's a simple kludge and it should work ... even on Mac.