permissions « WordPress.com Tag Feed

How to determine effective permission of an SQL Server 2005 object?

imak47 — Tue, 12 Aug 2008 13:56:01 +0000

You can find out the effective permissions on an SQL Server 2005 object by using a function called fn_my_permissions. Here's what's written in the books online.

fn_my_permissions

Returns a list of the permissions effectively granted to the principal on a securable.

Syntax

fn_my_permissions ( securable , 'securable_class')

Arguments

securable: Is the name of the securable. If the securable is the server or a database, this value should be set to NULL. securable is a scalar expression of type sysname. securable can be a multipart name.

'securable_class': Is the name of the class of securable for which permissions are listed. securable_class is a sysname. securable_class must be one of the following: APPLICATION ROLE, ASSEMBLY, ASYMMETRIC KEY, CERTIFICATE, CONTRACT, DATABASE, ENDPOINT, FULLTEXT CATALOG, LOGIN, MESSAGE TYPE, OBJECT, REMOTE SERVICE BINDING, ROLE, ROUTE, SCHEMA, SERVER, SERVICE, SYMMETRIC KEY, TYPE, USER, XML SCHEMA COLLECTION.

I used it like this:-

USE myDatabase

Select * from fn_my_permissions ('my_storedProc, 'OBJECT')

also remember that this is a table valued function so you can't use the EXEC Statement with this

iPod Mail.app problem and solution

basshead — Sat, 09 Aug 2008 21:25:08 +0000

While the upgrade to 2.0.1 firmware on my iPod Touch went smoothly and appeared to be working fine, I later discovered a problem with the Mail.app. Since upgrading the firmware erases the installed OS, it also removes the mail messages. As I use Gmail with IMAP access these messages are stored in the Gmail account so should be synchronised when accessing the Mail application. What was happening was two attempts at downloading the mail messages then Mail.app quit.

I tried deleting the mail account on the iPod, but this wouldn't budge. iTunes returned an error message that the iPod cancelled the sync when trying to copy the mail account from the Mac to iPod (see above). This looked like a permissions problem to me, so I connected to the iPod using SSH. You need to install OpenSSH from Cydia on a jailbroken device for this to work.

At first trying to connect returned a warning message as the secure key had changed (the firmware had been updated so I suspect this was the cause). The recommendation was to add the new key to the Users/Your_Account_name/.ssh/known_hosts file. I use the excellent Forklift for quickly getting to hidden files, and this quickly revealed that there was only one key in the file. I renamed it to known_hosts_old and this forced the generation of a new secure key in a new known_hosts file. Once logging in via SSH works it's easy to use an FTP program (I use Fetch) to browse the iPod or iPhone's directory tree using the SFTP protocol.

The directory that I wanted was /private/var/mobile/Library/Mail. Permissions on this were set to 755, and changing this to 777 (allowing write for the group mobile) resolved the problem. as soon as this was changed the Gmail account could be deleted, restored by iTunes and messages downloaded. I'm not sure if this is a PwnageTool bug or a 2.0.1 firmware problem, so I will have a search to see if anyone else has the same issue.

Reinstalling VMWare Fusion

misgatos — Fri, 08 Aug 2008 20:23:09 +0000

With the Bar done, dead and over, I decided to reinstall VMWare fusion... and quickly ran into a problem. VMWare kept saying it couldn't authenticate my Boot Camp installation, and suggested that my permissions were incorrectly set.

A quick knowledge base search led to the solution:

The fix is to re-create the Boot Camp virtual machine. To do this, delete the folder "~/Library/Application Support/VMware Fusion/Virtual Machines" where the tilde represents your home folder. Then restart Fusion and try your Boot Camp partition again.

If the problem persists, could you upload the file "vmware.log" that you'll find in the ~/Library/...blah... folder?

It's possible but pretty unlikely that you have an actual problem with your hard disk. Running a disk scan from within Boot Camp Vista could tell you.

Automatically update Ubuntu Hardy Heron server with a ruby script

lani78 — Wed, 06 Aug 2008 20:58:18 +0000

Needs

I wanted my newly installed Ubuntu server to check for updates every day and then automatically update itself if there were any new updates found. I search the web trying to find an existing solution that would work out of the box for me. But I am of course very picky of what I want, so I could not found anything that met all my needs:

Automatically check for updates every day.
Automatically download and install any updates that were found.
Report both success and failures to my e-mail and show me in the subject if the update failed or succeeded.
Use an external smtp-server with authentication.

As I am also trying to learn the Ruby programming language, besides from Linux, I decided to use it to create my update script.

Installing Ruby

Ruby is not installed by default on Hardy Heron but can easily be installed from the Ubuntu repositories:

sudo apt-get install ruby

The Script


#!/usr/bin/ruby
##### Information ##############################################
# DESC:	This is an update script for Ubuntu Hardy Heron 8.04.
#	It will fetch any availible updates with aptitude and
#	install them. An e-mail with the result is then sent
#	using the configured smtp-server.
# AUTH:	Niklas "Lani" Lagergren
# REV.:	1.0 2008-08-06
#	* Initial release.
#
# COPY: No copyright claimed. No rights reserved. No warranty
#       given.
################################################################

##### Configurable mail server options: ########################
# These parameters needs to be changed to match your enviorment
################################################################
@mail_server = 'your.mail-server.com'
@mail_port   = 25
@mail_domain = 'your.mail-domain.com'
@mail_user   = 'username'
@mail_pass   = 'password'
@mail_from   = 'from@your.mail-domain.com'
@mail_to     = 'to@somewhere.nil'

require 'net/smtp'

# Format date according to rfc 2822, example:
# Fri, 11 Jul 2008 09:13:20 +0200
def time_to_rfc2822(time)
  time.strftime('%a, %d %b %Y %H:%M:%S ') +
    if time.utc?
      '-0000'
    else
      off = time.utc_offset
    sign = off < 0 ? '-' : '+'
    format('%s%02d%02d', sign, *(off.abs / 60).divmod(60))
  end
end

# Send e-mail according to the configuration in the instance variables.
def send_mail(subject, body)
  msg = "From: Ubuntu Server <#{@mail_from}>\r\n" +
    "To: Server Administrator <#{@mail_to}>\r\n" +
    "Subject: #{subject}\r\n" +
    "Date: #{time_to_rfc2822(Time.new)}\r\n" +
    "Message-Id: <#{Time.new}@#{@mail_domain}>\r\n" +
    "\r\n#{body}\r\n"

    Net::SMTP.start(@mail_server, @mail_port, @mail_domain, @mail_user,
      @mail_pass) do |smtp|
      smtp.send_message msg, @mail_from, @mail_to
    end
end

# Run aptitude commands to update the system and capture it's output.
puts 'Running aptitude...'
body = `aptitude update 2>&1`
body << `aptitude dist-upgrade -y 2>&1` if $? == 0
body << `aptitude clean 2>&1` if $? == 0

subject = "#{@mail_domain} update #{$? == 0 ? 'succeded' : 'FAILED'} #{Time.new}"

puts 'Sending mail...'
send_mail subject, body
puts 'Mail sent.'

Set the script to run every day
Obviously you need to change the mail settings in the script as the comment suggest. Then save the script, I named it "autoupdate". To run the script on a daily basis copy it to "/etc/cron.daily". And don't forget to set execute permissions on the script (and as I have the password stored in the file I also removed all permissions from "others":
sudo chmod 770 autoupdate

Test the script
The easiest way to test the script is of course to just execute it:
sudo ./autoupdate

If you really want to make sure that it will execute when executed in the same way as when execute by the cron job you could run:

sudo run-parts /etc/cron.daily

Note that this will execute all scripts in the cron.daily folder. Another side note is that it probably won't run with the same permissions as when executed from the cron job, and it will probably take a long time to execute.

Now check your mailbox or the log files for the result:

cat /var/log/aptitude

Hopefully someone out there can benefit from this script as it is, or if you're like me; tweak it to suite your own needs ;)

Granularity of Permissions

gvwilson — Sun, 03 Aug 2008 13:54:00 +0000

Excerpted from Greg Wilson's blog:

A user's membership in a project is represented by a triple (project, user, role), where a role is a set of permissions defining what can be done. The simplest model for permissions would be to define READ and WRITE for each component, e.g., WIKI_READ ("can see the wiki, but not modify it") and WIKI_WRITE ("can create new pages, or update/delete existing pages").
Tickets mess this up. Open source projects often allow non-developers to file tickets (in fact, they encourage it). The only way to support this if the only permissions available are TICKET_READ and TICKET_WRITE is to give anonymous users (i.e., people who haven't logged in) a role that contains TICKET_WRITE. However, that would also allow them to modify or delete other people's tickets, which is clearly a Bad Thing.
OK, so what about TICKET_READ, TICKET_WRITE_ALL, and TICKET_WRITE_OWN? Easy enough to create three permissions---but it would complicate the processing logic and conceptual model.
Here's another wrinkle. In every ticketing system I've ever worked with, tickets have a one-line "title" or "summary" field, then a longer "description" field. For small projects (our target market), most tickets only need the former, so I've been thinking about taking the latter out of the tickets themselves, and providing an easy way to link to specially-named wiki pages (e.g., ticket #123 automatically links to a page called Ticket123, but only if someone has bothered to create it). This neatly supports the common situation in which a "ticket" turns into something more akin to a BBS discussion, where lots of people post back and forth about the best way to solve a problem. But how would the permission system handle this? Would the special logic to handle TICKET_WRITE_OWN propagate to the wiki, so that if a page was associated with a ticket, and that ticket belong to Fred, and Fred's role in the project included either TICKET_WRITE_ALL or TICKET_WRITE_OWN, then Fred would be allowed to modify the wiki page?

Places

pawsinsd — Sat, 02 Aug 2008 09:52:42 +0000

Every place I go has food memories. I remember things from my childhood, especially food created by the people to whom I dedicated this blog.

I'd like to take you on some travels that have enhanced my appreciation for, and knowledge of food, its preparation and enjoyment.

To do this, I'll have to make some outlines and give you cookbook references if I can't get permission to post a recipe. I'll give a name to the series (three parts for now) and hopefully start in the next week or so.

For now you'll have to settle for a non-recipe and story.

My great-aunt Anna died when I was young. I've always had cool aunts. And uncles, sorry godfather! My parents didn't think we were old enough for a funeral so went themselves, a 10-hour drive each way. Our regular sitters were college students but we needed a live-in.

They hired the most awful woman who broke our Scandinavian chairs from sitting in them and when I came home showing a 98% grade on a test just dismissed me. But the worst sin follows.

Mom followed Dad's mother's recipe for spinach that calls for a special roux that I (yes I can make a roux) don't know even today. This woman made us spinach and I couldn't eat it. I said, at age seven, "where's the roux?" Yeah, I ate it because she probably would have thrown me across the room if I didn't. But at nearly fifty, have I forgotten the spinach incident?

While we were good kids and didn't put dead rodents in her bed or anything, I'm sure her brief stay was anything but pleasant. I can sleep well at night knowing that mean nannies will get their due.

Msql Table Maintenance and Repair Guide

repairvuwu — Fri, 01 Aug 2008 08:48:11 +0000

mysqlcheck a table maintenance and repair program mysqlcheck must be used when the mysqld server is running whereas myisamchk (similar in function to mysqlcheck) should be used when it is not The benefit of using mysqlcheck is that

Recipe H-e-double toothpicks

pawsinsd — Mon, 28 Jul 2008 06:21:00 +0000

A fellow blogger has run afoul of a myopic mini-dynasty by modifying a recipe on her blog. I'm sure she would agree that when each of us reads a recipe we see things a kid doesn't like so substitute, and make other changes. I do try to a do a new recipe as written, taste the results and make changes according to my tastes.

Food bloggers are being hampered by huge publishing firms from printing any of their recipes (denying permission and not allowing any modifications to their recipes because they are "perfect.")

No-one was looking for the 18 year-old nut recipe I gave you yesterday but they still wouldn't allow me to print it with appropriate credit to the sources. Don't you think if I credit the magazine, article, author and publisher that it would help magazine sales rather than hurt them?

OK, I'm not a Michelin-starred chef (if I was one why would I be asking for a recipe) but they'd give it to me. But serious cooking bloggers are out there and are being threatened by huge corporations because we're raising interest in their products via a mechanism that their lawyers don't understand.

It's too bad because cooking is a creative enterprise and if we bloggers find a new twist or change things about you'll sue us. That's the bad side of patent law. The good side is our side and we will make that known in due time.

It looks as if the magazine industry is going the same way as movies fighting television. The new technology (witness iPods et al) is going to win out and your ways are going to have to change to deal with it. Bloggers are here to stay, at least for the next XX years. Dee

Recursively chmod only directories or files

RainSoft Letters — Tue, 22 Jul 2008 19:14:54 +0000

Ever come across the problem of needing to chmod a directory and its many, many, sub-directories, but you don't want to touch any of the files? Maybe it's the exact opposite, or you need to recursively change the permissions on only files with a specific extension. Well I had a similar problem with one of the RainSoft Letters server backups.

Luckily, I came across a post on movabletripe that dealt with the problem, as well as having some additional find snippets in the comments. The original article is here: Recursively chmod directories only.

find . -type d -exec chmod 755 {} \;

This will "find" all directories, starting at ".", and chmod them to 755.

find . -type f -exec chmod 644 {} \;

This snippet does the opposite and finds only files. The difference (beside the file permissions) is the "-type f", "f" specifies files and "d" directories.

If you check the comments, you'll find a few additional snippets:

find . -type f -name '*.htm*' -exec chmod 644 {} \;

This lets you "find" files ("-type f") with a specific extension ("-name '*.htm*'") and chmod them with your desired permission ("-exec chmod 644 {}").

chmod -R o+rX

This snippet will recursively chmod "other" ("o") permissions with read/eXecutable ("+rX"), and the capital X ensures that directories and files set (user/group permissions) to executable will be properly modified, while ignoring regular (non-executable) files.

Problems with Apache and .htaccess on a HFS+ partition

ruiwen — Sat, 28 Jun 2008 18:01:10 +0000

Ran across this nasty problem today.

I recently set up a LAMP environment on my laptop, intending to do local development for one of our sites.

I did the usual setup of Apache VHosts and all.. only to find that the site had decided to stopped working. This was pretty strange since I'd just checked out a fresh copy from SVN, and the working copy on the dev server was.. well.. working.

Delving through the logs, I saw Apache trying to do something seemingly strange. It was trying to access files as if they were directories, looking into each of them for .htaccess files.

Like this:

[Sat Jun 28 17:14:36 2008] [crit] [client 127.0.0.1] (13)Permission denied: /home/ruiwen/Projects/app/webroot/favicon.ico/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Last I checked, favicon.ico wasn't a directory.

Some Googling turned up this page, which hinted that this behaviour stemmed from the fact the HFS+ might have been presenting the files as directories.

In some cases, this error can also be caused by special file-systems that return unexpected errors on attempted directory access. For example, some file-systems allow files to be treated as directories in certain cases. If httpd believes that a file is actually a directory, it will try to look inside for an .htaccess file. If it gets a permission denied error in return, it will deny access. This type of situation is usually a faulty file-system behavior and cannot be fixed within Apache. In this case your only choice is to turn off .htaccess processing as in the first solution above.

Turning off .htaccess processing wasn't exactly ideal since the site needed the functionality.

However, setting more relaxed permissions on the site directory as recommended in the second solution on the page seemed to work.

Currently my permissions for the files are

-rwxrwxr-x 1 ruiwen www-data 3322 2008-06-28 16:39 index.php

This seems to work fine for now. Not sure why the relaxed permissions helped the problem though, and will be glad for any insight into this.

On Gay Modern Love: Andrea Neighbours Not Very Happy About Parody

The Gay Recluse — Fri, 27 Jun 2008 01:46:52 +0000

In which The Gay Recluse provides a postscript to last week's Gay Modern Love, the weekly feature in which he parodies Modern Love, the column in The Times in which openly gay writers almost never appear and even less frequently write about romantic love. (For our quantitative analysis, click here.)

So it turns out that unlike Kayla Rachlin Small, who loved our riff on her Modern Love column (and no coincidence wrote one of the most moving columns ever), not every author is so enamored of our efforts to call attention to the plight of Gay Modern Love in the Times.

Today, for example, we received this note from Andrea Neighbours, the author of last week's essay:

Hey there,

I see you've parodied my Modern Love essay from last week's New York Times (On Gay Modern Love: How My Partner Won Back My Vote). Would you kindly remove it? Or at least remove my name and make clear this is a parody of an essay you lifted from the Times without permission.

Thank you.

Best,

Andrea Neighbours

Hey Andrea, no probs. We couldn't have said it any better ourselves, so consider it done. Sincerely yours,

The Gay Recluse

Dokeos, new course, error about group permissions

ywarnier — Wed, 25 Jun 2008 02:52:03 +0000

There is a common problem appearing when installing a new Dokeos portal that I have seen a lot recently, so I thought I'd share the details here.

The problem

When installing Dokeos on a cPanel-kind-of-hosting, it might happen that you complete the installation, but when you want to enter a newly-created course, an ugly error appears. Something of the likes of:

Internal Server Error

or, if you are lucky

/.../courses/COURSECODE/index.php cannot be displayed because it is writable by the group.

Either way, those two error message precisely when the URL of your browser shows http://your-domain-name/courses/YOURCOURSECODE/index.php mean that you have a "secured" version of Linux.

This implies that for any PHP script that you want to execute, this message will appear if the script is writable by any other user than the owner of the file.

In a cPanel system, you will see that this file (and possibly the directory it's in) have write permissions for the group.

The permissions syntax

I'm reviewing basic stuff here, so if you know about UNIX permissions or just don't want to know, just skip to the next section.

This is represented by the permissions indicator

-rwxrwxr--

which can be translated as: the owner can read, write and execute this script, the owner *group* can read, write and execute this script, and all other users can read the script, but not write or execute it.

The write permission gives you the right to edit the file, but you need a write permission on the containing *folder* to actually create or remove this file.

Anyway, so the risk is that, by letting too many people access this script, it could be used (and modified) by a cracker (an evil hacker) to execute his code instead of yours on your server.

Fixing the problem now on the server

Now the quick fix is to read carefully the error message and change the permissions accordingly. The server tells us that this script cannot be opened because it is writable by the group. So all we need to do is remove the write permission on this file. Just click on whatever option allows you to change the permissions on that cPanel and remove the write permission for the group.

This should result in your file's new permissions to look like this:

-rwxr--r--

If the server bothers you with write permissions about the directory, you need to set the directory's permissions to

- rwxr-xr-x

Execution permissions are needed to read inside this directory (and get to index.php).

This should solve your problem for this course. Now you want to avoid doing that for all courses to come, don't you? Read on...

Fixing the problem for the future from inside Dokeos

Since Dokeos 1.8.4 (or a little before that), we added a few settings inside the database that lets you mention what type of permissions you want new files and directories to use. Well, this is precisely one case for which we did that.

You want to head towards your "Portal Administration" tab, "Platform" section, "Dokeos configuration settings" link, then "Security", then the "Permissions for new directories" and "Permissions for new files" settings. By default, these are set to 0777 and 0666. Considering you want the groups not to have write permissions, and considering 0777 is representing rwxrwxrwx and 0666 is representing rw-rw-rw-, you just want to change these to 0555 and 0444 respectively.

That's it, you can now create a new course without having to worry about files permissions!

The modify permission

Ivanova Shostakovich — Sat, 21 Jun 2008 07:58:16 +0000

   A recent, and very helpful comment from Thaumata Strangelove has prompted me to write about our permissions philosophy.
   We have made our furniture so that customers can modify it.
   GREENE concept makes no-copy versions and no-transfer versions of our products, everything about them is modifiable except for their scripts. This way an experimenting owner cannot accidentally break the scripts. But they can add a tint to individual components or even replace the textures with ones of their own making.
   While it is true that no mod scripts cannot be edited or viewed by their owners, and thus they cannot be turned off individually, it is possible, since the customer can modify the whole product, for them to turn off all scripts running in the product using the tools menu while in edit mode.
The customer who wants to, may turn off the existing scripts and add their own scripts, and add their own animations if they are so inclined.
   We will generally advise against modifying a no copy item extensively.

   Thanks for reading.

Sample Copyright License Agreement (For Text and Written Works)

moviedistributionfacts — Fri, 20 Jun 2008 09:39:51 +0000

Below is a sample copyright license agreement for text and written work. if you are the author, you representative agent or publishing company will send this to the filmmaker/licensee if the license is available for use in a movie in adaptation or for a print run of so many books to sell.

Conversely, if you are looking for the rights to works, you may find the licensor of the work and call or email if the rights are available and they agree on terms, they will send you a copyright license agreement like this below. Please reply for any questions to the post or at moviedistributionfacts@gmail.com

Sample Text Permission and Copyright Agreement

___________________ ("Licensor") is the owner of rights for certain textual material defined below (the "Selection"). _____________________("Licensee") wants to acquire the right to use the Selection as specified in this agreement (the "Agreement").

Licensor Information
Title of Text (the "Selection"): ________________________
Author: ____________________________
Source publication (or product from which it came): _____________________________
If from a periodical, the ISSN, volume, issue and date. If from a book, the ISBN: __________________________
If from the Internet, the entire URL: __________________________
Number of pages or actual page numbers to be used: _____________________________

Licensee Publication Information
The Selection will appear in the following publication(s) (the "Work"): _____________
(check if applicable and fill in blanks)
[ ] book-- title: ______________________________
[ ] periodical-- title: _____________________________________
[ ] event handout-- title of event: _________________________________________
[ ] website-- URL: ___________________________________
[ ] diskette-- title: ___________________________________
Name of publisher or sponsor: ___________________________________
Author(s): _____________________________________
Estimated date(s) of publication or posting: ________________________________
Estimated number of copies to be printed or produced (if a book, the estimated first print run): __________________
If for sale, the price: $_____________________
If copies are free to attendees of a program, cost of program: ______________________
If a Website, indicate the average number of visitors per month: ____________________

Grant of Rights
Licensor grants to Licensee and Licensee's successors and assigns, the:
(select one)
[ ] nonexclusive
[ ] exclusive
right to reproduce and distribute the Selection in:
(select all that apply)
[ ] the current edition of the Work.
[ ] all editions of the Work.
[ ] all foreign language versions of the Work.
[ ] all derivative versions of the Work.
[ ] in all media now known or later devised.
[ ] in promotional materials published and distributed in conjunction with the Work.
[ ] other rights __________________________________

Territory
The rights granted under this Agreement shall be for __________________ (the "Territory").

Fees
Licensee shall pay Licensor as follows:
(select one and fill in appropriate blanks)
[ ] Flat Fee. Licensee shall pay Licensor a flat fee of $__________ as full payment for all rights granted. Payment shall be made:
[ ] upon execution of this Agreement
[ ] upon publication
[ ] Royalties and Advance. Licensee agrees to pay Licensor a royalty of _____% of Net Sales. Net Sales are defined as gross sales (the gross invoice amount billed customers) less quantity discounts and returns actually credited. Licensee agrees to pay Licensor an advance against royalties of $____________ upon execution of this Agreement. Licensee shall pay Licensor within 30 days after the end of each quarter. Licensee shall furnish an accurate statement of sales during that quarter. Licensor shall have the right to inspect Licensee's books upon reasonable notice.

Credit & Samples
(check if applicable and fill in blanks)
[ ] Credit. All versions of the Work that include the Selection shall contain the following statement: _________________________________________________
[ ] Samples. Upon publication, Licensee shall furnish ____________ copies of the Work to Licensor.

Warranty
Licensor warrants that it has the right to grant permission for the uses of the Selection as specified above and that the Selection does not infringe the rights of any third parties.

Miscellaneous
This Agreement may not be amended except in a written document signed by both parties. If a court finds any provision of this Agreement invalid or unenforceable, the remainder of this Agreement shall be interpreted so as best to effect the intent of the parties. This Agreement shall be governed by and interpreted in accordance with the laws of the State of _______________. This Agreement expresses the complete understanding of the parties with respect to the subject matter and supersedes all prior representations and understandings.

Licensor
By: ______________________
Name: _____________________
Title: _____________________
Address: _____________________
Date: ________________

Licensee
By: ______________________
Name: _____________________
Title: _____________________
Address: _____________________
Date: ___________________
Tax ID # ________________________

Permissions - the headache that protects us

Ivanova Shostakovich — Wed, 18 Jun 2008 10:09:53 +0000

We recently learned the importance of the permissions system of Second Life. Having newly created inventory transferred between our business associates taught us how important.
I confess that I had given the whole permissions system (with regard to IP rights) little more than a cursory glance, simply relying on it to do its thing.
I know now that modify rights are fairly straightforward. Copy and Transfer rights are more closely related to each other. Having an object that you intend someone else to own should not be composed of objects which contain things, such as animations or other objects, which have permissions contrary to the permissions you intend to set for the whole.This is just a good practice, but it is especially important if you want the intended owner to have any copy or transfer rights.
Bear in mind that I am talking about the permissions someone else will have when they buy or are given the object in question.
I believe modify rights are a little less touchy. You can set textures and scripts contained in a modifiable object to be no-modify. This is important for something that you wish your customer to be able to resize or adjust, but which contains scripting it would be best if no one went mucking about with, or if it has texture which is set just so and should not be changed. This cuts down on customer service calls :)

If you intend to build things to sell, learn the SL permissions system. It's worth it.

Migrating DHCP Servers

graycat — Sun, 15 Jun 2008 00:58:50 +0000

We're consolidating our servers at present so are shuffling a few roles about to their optimum places. One of which is moving the networking and AD roles in one office onto the one server rather then spread over a few. Migrating a brand new DHCP server is quite often as simple as copying the database from one to the other and restarting the service. However, if you want to move a love one with reservations and leases etc it becomes a bit tricker.

Microsoft very kindly provide information and even a "How To" for migrating between different versions (here). After reading it thoroughly I found it to be really useful but unfortunately it doesn't cover my situation adequately. If you're migrating from an NT4 / 2000 / 2003 member server to a 2003 member server then it is absolutely spot on. If you're doing something else it becomes less so.

Anyway, before we go into the situation I tackled tonight (it is late saturday night / early sunday morning afterall!) here's a brief outline of the MS page for those people who are migrating between two 2003 member servers:

compact the source database using the jetpack command

export the database using netsh dhcp server export c:\dhcp.txt all

import the database using netsh dhcp server import c:\dhcp.txt all

authorise the server if you haven't already and away you go

As I said, the Microsoft step by step guide is really good for member server to member server migration. Unfortunately for me, I had to migrate from a member server to a domain controller and this proves a little trickier.

My first attempt resulted in an error message stating something like:

COMMAND FAILED: Unable to access audit file path as specified

Understandably this was a bit off putting but nothing I couldn't deal with.
Initially I put it down to a file path issue as the source server has the OS installed on H:\ (no idea why, it just is ok?) and the new server has only the C:\ partition. My first attempt was to rejig the source set up to point to the C:\ partition for the backup and database path and try again. No change though so I tried a few more things like having services started or stopped at the various export / import phases but I still came back to the same message.

After reading the Microsoft document really in-depth, I spotted an almost through away line regarding importing on to a DC. The basis is that you need to explicitly be a member of the local administrators group and as there are no local user accounts on a DC, this could prove tricky.
The Microsoft article mentions in about half a line that you need to restart the server into Directory Restore mode and then use that local administrator account to import the database. This is a great idea ..... if you're onsite and have physical access to the server to do this. If, on the other hand you are like me and are sat on the sofa watching a movie, having a glass of wine and working over a VPN then this really isn't going to work all that well for you. Well, unless you happen to have either the server in your lounge or are sleeping at work. Again.

Worry not though! I found a trick that worked so smoothly I had to give myself a high-five. Sad, I know but it was the thing to do at the time.

My thinking at the time was that if I can't logon in directory restore mode, what's the highest local account I could access? Well, as the domain admin account I was using was second probably only to The Administrator account for admin rights I was a bit stuck. Until it hit me - I'm using a domain account but I need a local account on a machine that doesn't have any ..... but all machines have a system account! So using the age old trick to kick off a command line box as the local system account (detail upon request if you don't already know it) I ran through the import phase again.... and it worked a dream.

So in the end it turned out to be a permissions issue and that it could be resolved remotely by using the system account to do the final import. All that's left for me to do tonight is clean the two servers up, deactivate the old scope before unauthorising the old server. Tomorrow I'm going to check in on the new server a few times to make sure it's leasing correctly and all the settings have stuck after the transfer. To be honest, I'm 90% certain it's going to work but there's not point in risking it with a whole live network, is there?

Right, time for some more wine and a chill-out I think. Enjoy your weekend.

oS Commerce permissions problem

zlatipln — Tue, 10 Jun 2008 18:17:01 +0000

Today I installed my oS Commerce e-shop on craiglist.freehostia.com .

Freehostia has many free installers, seven subdomains, I like their hosting service.

When opened the index page, a message in pink appeared reading "Warning: I am able to write to the configuration file:

home/www/craiglist.freehostia.com/admin/includes/configure.php.

This is a potential security risk - please set the right user permissions on this file."

I understud that files catalog/includes/configure.php and catalog/admin/includes/configure.php, must be set to "read - only" status in order to prevent this warning.

First I tried to change permissions of those two files trough web interface - selected them and click on 'permissions.'

The pink message stayed on...

Then I deleted them /first made a copy!/ - a hudge error message came when tried to access index or admin page.

Restored the configure.php files.

After that I decided to change permissions to all the files in Include folders.

They was set to standard chmod 644.

I set them to suisidal 777!

A red warning appeared on webinterface telling me 'Are you crazy' /not exactly but with other words ;)

Some words about file/folder permissions a.k.a. CHMOD:

If you Right click on any file and select 'Properties'  a message box will appear.
You maybe know there are checkboxes 'Read-only', 'Hidden', 'Archive'. This is for files on your computer.
When files are to be uploaded and accessed through Internet, the term CHMOD is used.

CHMOD is similar but there are more possibilities to fine adjust access permissions - for example the Owner of the site can write and execute the file and another people - only to read it.

There are some combinations between Owner, visitors and their levels of access. So there is a unique three-digit number for each.

Chmod 777 means total freedom - everyone is allowed to read, write and execute the file. This is dangerous because someone visitor may re-write the file with some maliciuos code or just delete it!

Chmod444 and 600 put more restrictions for security reasons and are most often used.

You may ask - why are those numbers needed - just put restriction for everyone and no problems.

But if file is overprotected, it could not be changed/rewrited by some php scripts and another error messages appear. Your web site /eshop, forum, blog/ could not work normal.

CHMOD is a Linux - friendly command, so sometimes Windows files refuse to understand it and change as we wish.

In that case a good idea is to change chmod using FTP software. There are a lot of free FTP programs.

I used CuteFTP8.0 to connect via FTP protocol to my webhost /freehostia./

You have to know the ftp address to connect your host or ask your host provider or look in their support forum. Usually there is FTP info on your control panel page. Then run CuteFTP and paste this addres. Press 'connect'.

When connecter remotely, you will see two windows with folders and files - the left is your computer and the right is your web site /osCommerce in my case./

Find in tree structure catalog/includes/configure.php and catalog/admin/includes/configure.php files /one by one not at once as they are in different folders and subfolders./

Then rightclick on that configure.php files --> choose ' properties' and select read only - chmod 444.

This is all.

After refreshing the oSCommerce page, the pink message is disappeared for good!

Local Admin Accounts

pacerfan9 — Wed, 04 Jun 2008 15:58:32 +0000

Category    User Profiles ; Permissions; Useful Commands

Description

We are beginning to remove Domain Users from having Local Admin rights to their workstation. We have an application that will not launch properly without having local admin rights. To make the scenario more interesting the application spawns multiple processes so even if I use the command runas /user:domain\username "application.exe" the application fails to launch correctly.

Resolution

I executed the command cacls c:\appdirectory /e /t /p users:c to give the local users group change permissions on the applications directory. Because the application spawns multiple processes located in multiple directories I had to use the Sysinternals utility Process Monitor to locate all if the directories that are accessed by the application. Tip: If you use the Filter menu it is much easier to locate the necessary information. After running the command in each directory accessed by the application everything worked fine.

References

Difference between Power User and Administrator?

CACLS Syntax

Process Monitor v1.33

Archivos Importantes en Linux

Julián Rodríguez — Mon, 02 Jun 2008 19:22:51 +0000

Hace poco me preguntaba como era que funcionaban las personalizaciones en linux y que archivos vendrian siendo el "registro" de windows en esta plataforma. La respuesta era obvia eran los archivos de texto que se encontraban en los folders pero mi pregunta era cual eran los mas imporantes, asi que aqui les dejo esta lista.

Critical system files in Linux

File/Directory Permissions Description

/var/log/ 751 Directory containing all log files.

/var/log/messages 644 System messages.

/etc/crontab 600 System wide crontab file.

/etc/syslog.conf 640 Syslog daemon configuration file.

/etc/logrotate.conf 640 Controls rotation of system log files.

/var/log/wtmp 660 Who is logged in now. Use who to view.

/var/log/lastlog 640 Who has logged in before. Use last to view.

/etc/ftpusers 600 List of users who cannot FTP to the machine.

/etc/passwd 644 List of system’s user accounts.

/etc/shadow 600 Contains encrypted account passwords.

/etc/pam.d 750 PAM configuration files.

/etc/hosts.allow 600 Access control file.

/etc/hosts.deny 600 Access control file.

/boot/grub/grub.conf 600 Boot configuration file for GRUB bootloader.

/etc/securetty 600 TTY interfaces that allow root logins.

/etc/shutdown.allow 400 Users allowed to ctrl-alt-del

/etc/security 700 System access security policy files.

/etc/rc.d/init.d/ 750 Program startup files on Red Hat systems.

/etc/init.d/ 750 Program startup files on Debian systems.

/etc/sysconfig 751 System and network config files on Red Hat.

/etc/ssh 750 Secure shell configuration files.

/etc/sysctl.conf 400 Contains kernel tunable options.

File/Directory	Permissions	Description
/var/log/	751	Directory containing all log files.
/var/log/messages	644	System messages.
/etc/crontab	600	System wide crontab file.
/etc/syslog.conf	640	Syslog daemon configuration file.
/etc/logrotate.conf	640	Controls rotation of system log files.
/var/log/wtmp	660	Who is logged in now. Use who to view.
/var/log/lastlog	640	Who has logged in before. Use last to view.
/etc/ftpusers	600	List of users who cannot FTP to the machine.
/etc/passwd	644	List of system’s user accounts.
/etc/shadow	600	Contains encrypted account passwords.
/etc/pam.d	750	PAM configuration files.
/etc/hosts.allow	600	Access control file.
/etc/hosts.deny	600	Access control file.
/boot/grub/grub.conf	600	Boot configuration file for GRUB bootloader.
/etc/securetty	600	TTY interfaces that allow root logins.
/etc/shutdown.allow	400	Users allowed to ctrl-alt-del
/etc/security	700	System access security policy files.
/etc/rc.d/init.d/	750	Program startup files on Red Hat systems.
/etc/init.d/	750	Program startup files on Debian systems.
/etc/sysconfig	751	System and network config files on Red Hat.
/etc/ssh	750	Secure shell configuration files.
/etc/sysctl.conf	400	Contains kernel tunable options.