How to set user permissions in net-snmp snmpv3 agent? - snmp

I have a net-snmp SNMPv3 agent.
I have a MIB with read-only and read-write objects. I know I can configure an SNMPv3 user with read-only or read-write permissions - but can I have more than that?
Is there a way to configure for example full write permission and partial write and grant such permission to a user?
Thanks

There are so-called VACM views in SNMPv3. With them you restrict access to particular branches in the tree. Find out more at: http://net-snmp.sourceforge.net/wiki/index.php/Vacm
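As an added example (not from the original answer), here is an snmpd.conf fragment that does what the question asks: one user gets full read/write, a second user gets read access to the whole tree but write access only to one column. The user names, passphrases and the chosen OID subtrees are assumptions for illustration.

```conf
# createUser lines belong in the persistent snmpd.conf (e.g. /var/lib/net-snmp/snmpd.conf);
# snmpd rewrites them as usmUser lines with hashed keys on first start.
# Passphrases here are placeholders, not real credentials.
createUser opsadmin SHA "REPLACE-admin-auth-pass" AES "REPLACE-admin-priv-pass"
createUser helpdesk SHA "REPLACE-helpdesk-auth-pass" AES "REPLACE-helpdesk-priv-pass"

# Map each USM user to a VACM group.
group AdminGroup    usm opsadmin
group HelpdeskGroup usm helpdesk

# Views: "all" is the whole tree; "ifAdmin" is only the ifAdminStatus column
# (IF-MIB::ifTable.ifEntry.ifAdminStatus), i.e. the objects helpdesk may write.
view all     included .1
view ifAdmin included .1.3.6.1.2.1.2.2.1.7

# access GROUP CONTEXT SEC.MODEL SEC.LEVEL PREFIX READ WRITE NOTIFY
# Require authPriv for both groups; admin reads and writes everything,
# helpdesk reads everything but can only write inside the ifAdmin view.
access AdminGroup    "" usm priv exact all all     none
access HelpdeskGroup "" usm priv exact all ifAdmin none
```

The shortcut directives rouser/rwuser can take an OID to limit a user to a subtree, but they apply the same restriction to reads and writes; separate read and write views need the explicit group/view/access lines shown above.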

Related

Chef::Exceptions::WindowsNotAdmin: can not get the security information due to missing Administrator privileges

We were trying to deliver a solution to manage a Windows 2012 server for a client using Chef, but unfortunately chef-client run failed with Chef::Exceptions::WindowsNotAdmin: can not get the security information for <some_file> due to missing Administrator privileges exception.
This was a bit weird as we have confirmed that the domain account we used to remotely manage the server is a member of the Administrators group. And we were able to use it to manage other servers within the same domain. Besides, when we connected to the server using the domain account via Remote Desktop, started PowerShell as an administrator and initiated a chef-client run, it failed with the same exception.
Running the commands below reveals that the domain account is indeed a member of the Administrators group. This can be verified by the SID of the group.
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
Not sure what settings on the server could have caused this.
With insights provided by this thread, further digging into the code of Chef reveals that a win32 function GetNamedSecurityInfoW gets called here to determine the security information of an object (file, folder etc.). This occurs during cookbook installation where some resource files or gems need to be created on the endpoint server.
Firstly an empty file will be created; after that the file content will be updated atomically if that is an option. During the file content update, the file's security access control list needs to be checked by the function GetNamedSecurityInfoW. To call this function, the logged-on user needs to have the privilege SE_SECURITY_NAME. Chef itself also tries to handle this by adding this privilege before calling the function and reverting it after the function call, but this is not always guaranteed. System settings seem to prevail.
We hacked Chef code a bit to try to print out the output of the function call on GetNamedSecurityInfoW, and it was a status code 1314, indicating a required privilege is not held by the user.
We tried to run whoami /priv on the server and found that SeSecurityPrivilege privilege is not found in the list. Below is just a sample output on a normal Windows server.
Privilege Name Description State
========================================================================
SeLockMemoryPrivilege Lock pages in memory Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
...
Note that the state column only indicates whether a privilege is currently enabled for the user. Its presence in the list indicates whether the user holds it or not.
After adding back this privilege to the domain account, i.e. setting the security setting "Manage auditing and security log" to the Administrators group in the Local Security Policy editor, and rebooting the server, the chef-client run became successful.
It seems that Chef is heavily using win32 API functions to manage Windows nodes. And these API functions seem to need various privileges to run. It's a bit strange that Chef rescued all win32 API errors and just propagated the Chef::Exceptions::WindowsNotAdmin to chef-client run log, as indicated here. It would be good to actually parse the error a bit and provide some more useful information.

MacOS X file system watcher

I am developing a utility application which logs other apps' file system activities. Therefore I am looking for a way to receive file system change notifications including the file paths as well as the corresponding PIDs.
According to my state of knowledge the only way to do this is to listen at "/dev/fsevents" using root privileges. Is there another option to track those file system changes without running a root privileged process?
Thanks in advance!
regards,
Tobias
No. You need to use /dev/fsevents or dtrace or something, all of which require root privilege.
As you know, the public FSEvents API doesn't give you the fine-grained info you want.
But this is as it should be. When you ask "is this possible without root privilege?", you should ask yourself "do you want others to do this without root privilege on my machine?"
Then you know this is clearly wrong if it's possible without root privilege: you shouldn't be able to know, without root privilege, which file is accessed by a privileged process.

Some of my Windows registry keys (Vista) are not accessible due to permission violations. How to resolve it?

Some of my Windows registry permissions have been changed. This denies access to services like SQL Server. What is the issue here and how can it be resolved? Moreover, I am able to log in only in safe mode.
You can change permissions using regedit.exe. Try clicking on a registry key and choosing the "Permissions" option. On my computer the permissions are set in the following way:
the System group and the Administrators group - full control
the Restricted group - read
the Everyone group - read (on branches like HKEY_LOCAL_MACHINE)

Copy file with elevated privileges

Is there a way to elevate privileges to the level required to write files to a network folder with our Delphi 2006 (Win32) application?
The user running the application does not have permission to write (or view) files in the network folder in question.
Any recommended techniques or alternative suggestions?
You could prompt the user to enter credentials for a user with elevated permissions and then temporarily operate under that other user's login while writing to the network share. To do this, you are looking for the LogonUser and ImpersonateLoggedOnUser functions. Please see this answer.
Use WNetAddConnection2 to connect to the UNC path, you will need to use the lpUsername and lpPassword parameters (either ask the user for them or hide them somewhere in your app).
You can choose whether you want to map a local drive letter to the UNC path or not (in that case use nil for the lpLocalName parameter). After you've done that you can access the UNC path without specifying credentials.

Getting/setting security attributes of files on a network share

I am able to get/set security attributes (group, owner, DACL, SACL) of files on a NTFS volume by using the GetSecurityInfo/SetSecurityInfo API. The handles I pass to these APIs must be opened with specific access rights (READ_CONTROL, ACCESS_SYSTEM_SECURITY, WRITE_DAC, WRITE_OWNER) which require certain privileges (SE_SECURITY, SE_BACKUP, SE_RESTORE) to be enabled while creating them with CreateFile, which is no problem at all if the files are located on an NTFS volume, and of course if the calling process has sufficient rights. There is a problem, however, if the files are actually located on a network share - creating the file handles would fail with ACCESS_DENIED(5) or PRIVILEGE_NOT_HELD(1314). I guess this is due to the fact that the attempt to create the file handle is actually made on the remote machine in the context of a network logon session which represents my user on the remote machine, and the required privileges are not enabled for that remote process. Is there a way I can get past this limitation, i.e. be able to get/set security attributes of files on network shares?
A similar problem is getting a handle to a directory on a network share. While being able to do it locally (by using FILE_FLAG_BACKUP_SEMANTICS), I understand that this particular flag is not redirected to the remote machine, which I believe is the reason I can't open a handle to a directory on a network share. Is there a way to do this?
Well, it seems I was the one at fault here - I have been testing this case with a user which, although an administrator on my local machine, is a regular restricted user on the file server, which caused all the trouble. You can copy security attributes and open handles to directories on a network share if you connect to it with a user which has sufficient rights on the file server which is sharing the resources.