Is there a way to list files in an FTP directory that only anonymous has access to? - ftp

Admittedly this question I'm asking is just to assist me in an argument I've been scheduled to have with a client.
Our Devs, who reside in another country, have an FTP server which has mostly full public access available to all anonymous users, this to simplify the acquisition of new documents and updates for users of the application.
One directory in specific, let's call it updates, actually houses all the new updates but does not grant a directory list to anonymous users due to Access restrictions, so if you try to list the files in the directory using an FTP client, you're met with the generic response:
550 Access is denied.
Failed to retrieve directory listing
However, if you have the exact URL for a file available to the anonymous users in that directory e.g. ftp://ftp.company.com/updates/latest_update_1.zip you can very easily download that file without issue.
My question comes in that I have a client who is somehow monitoring that directory as an anonymous user and knows when a new file (which anonymous has access to) becomes available in that directory and then immediately downloads it. This directly affects their application as often times files are dropped there by Devs during QA and they're not officially available as we've not yet sent out notice of the change log and URL.
So my question is, how exactly is this client doing this? How is he able to list files that anonymous has access to, in a directory which does not list its files to anonymous users?

Related

Cannot access files on FTP server from Azure Data Factory

I currently have access to a third party's FTP server which, upon login, automatically redirects me to a directory that does not contain the files I am trying to download.
ftp://ftp.fakehost.com -> ftp://ftp.fakehost.com/uselessDir
My files are in ftp://ftp.fakehost/usefulDir.
This ftp server does not support directory traversal so I cannot get to usefulDir by simply modifying my url. FileZilla works since I can execute specific ftp commands to get to the directory I want.
Can a Data Factory FTP service or dataset be customized to work around this problem, since Data Factory cannot access the usefulDir directly?
Please correct me if I don't understand your question correctly. Have you tried creating a dataset and manually putting the usefulDir in the folderPath property directly, instead of using the Authoring UI to navigate to that folder (which is not possible based on your description)?

File access security for shared directories - Windows Server 2012 R2 - AD

Our application uses a shared directory to store files that are 'checked out', modified via our application, and then 'checked in' to a shared directory, which is being accessed via SMB (The environment is hosted on a set of AWS servers, and our end-users access it via Citrix).
All users have read, write, etc. permissions for the shared directory.
We've recently changed the architecture of the application a bit. Previously, each user had his/her own subdirectory in the shared directory where the checked in/checked out file was stored.
In the new architecture, the individual subdirectories aren't used, so that all files checked in by users are stored directly into the shared directory. Users are then allowed to checkout/checkin any file in the shared directory.
The checkout process involves doing a File.Copy of the library version of the file to the user's local, non-shared directory. The user then uses our application to make changes to the file, which is then saved locally and File.Copy'd back into the shared directory.
Except that in the new architecture, the 'checkout' operation fails when User 2 attempts to checkout a file that was originally checked in by User1. As near as we can tell, this is because when, for example, User 1 checks a file in to the shared directory, the file implicitly receives a security entry for his specific AD login. A subsequent File.Copy operation by User 2 gets a permission error. If a full admin for the host system removes the security entry for User 1, then the File.Copy from the shared directory to User 2's local directory works fine.
Note that both users are assigned to a group with read, write, modify, etc to the shared directory (but not 'full control').
This doesn't seem like that unusual of a situation. We haven't (yet) tried to see if the application can programmatically remove the security entry created on the checkin - even assuming that's possible, it would be nice not to have to resort to that. But we've not found any arrangement of security settings that works.
Any information or suggestions will be appreciated.
Thanks...
As requested:
\\citrixfile01\Shares\clients\002\library
ALIGHTENT\002.EightTwoConversion:(I)(OI)(CI)(M)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
S-1-5-21-3973462947-2300097736-545649627-500:(I)(OI)(CI)(F)
ALIGHTENT\citrix:(I)(OI)(CI)(F)
ALIGHTENT\alightcalc:(I)(OI)(CI)(M)
ALIGHTENT\Domain Admins:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
\\citrixfile01\Shares\clients\002\library\AML_AmPac_8.2.amox
ALIGHTENT\002.Admin1:(I)(M)
ALIGHTENT\citrix:(I)(F)
ALIGHTENT\AEAdmin2:(I)(M)
ALIGHTENT\Domain Admins:(I)(F)
BUILTIN\Administrators:(I)(F)
When a file is moved, Windows does not update the ACL to add or remove inherited permissions. This is presumably for backwards-compatibility reasons; the permissions model looked somewhat different in the earliest versions of Windows NT.
Your options are to copy the file instead of moving it, or to explicitly reset the permissions after the file has been moved.
If you want to explicitly reset the permissions, you can do this using File.SetAccessControl. To apply the inherited permissions for the new location, the FileSecurity object should contain an empty ACL and the AreAccessRulesProtected property should be false.
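The reset described in the answer above, as an added example that is not part of the original answer. It assumes .NET Framework (where File.SetAccessControl is a static method); the names CheckInAcl, MoveAndInherit and ExplicitRules and the paths in Main are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Hypothetical helper, not the application's own code.
static class CheckInAcl
{
    // Move a file into the shared folder, then drop the ACEs it carried over
    // so that only the destination folder's inheritable ACEs apply.
    public static void MoveAndInherit(string source, string destination)
    {
        File.Move(source, destination);

        // Empty ACL with protection off, as the answer describes.
        // The caller needs WRITE_DAC on the file (the file's owner normally has it).
        var security = new FileSecurity();
        security.SetAccessRuleProtection(isProtected: false, preserveInheritance: false);
        File.SetAccessControl(destination, security);
    }

    // Return the explicit (non-inherited) ACEs left on the file; expected to be
    // empty after MoveAndInherit. SecurityIdentifier is the target type so that
    // SIDs with no resolvable account name do not throw during translation.
    public static AuthorizationRuleCollection ExplicitRules(string path)
    {
        FileSecurity security = File.GetAccessControl(path, AccessControlSections.Access);
        return security.GetAccessRules(true, false, typeof(SecurityIdentifier));
    }

    static void Main(string[] args)
    {
        // Constructed sample paths; pass real ones as arguments.
        string source = args.Length > 0 ? args[0] : @"C:\Temp\checkout\sample.amox";
        string destination = args.Length > 1 ? args[1] : @"C:\Temp\library\sample.amox";

        MoveAndInherit(source, destination);

        foreach (FileSystemAccessRule rule in ExplicitRules(destination))
            Console.WriteLine("explicit ACE left: {0} {1}", rule.IdentityReference, rule.FileSystemRights);

        FileSecurity after = File.GetAccessControl(destination, AccessControlSections.Access);
        Console.WriteLine("inheritance blocked: {0}", after.AreAccessRulesProtected);
    }
}
```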

Apache 2 on Mac - localhost requires authentication

I'm using Apache 2 to run my localhost on Mac (Mavericks), and every time I add a file or a folder in the default directory /Library/WebServer/Documents (and its subdirectories) the system asks me to authenticate:
This is a problem especially when using frameworks like Symfony or Zend Framework because they can't have writing access to folders. What can I do to solve this?
Mac/Linux grants access on different levels:
Per user
Per group
Per everybody
The folder Library/WebServer/Documents is outside of the logged-in user paradigm (you); therefore write access (and other access like execute) is only granted to the administrator of the computer (or so-called root), which isn't you. However, on most Mac environments the password of root is your password (different users with the same password).
You will want to modify the Apache2 configuration and change the directory to a folder located within your user's directory, which is something like /Users/{whatever is your username} (you will probably need to create the folder).
Once you have moved the content of /Library/WebServer/Documents into the new folder, make sure the permissions are set properly. Refer to the following documentation at the chapter "How to Modify Permissions with the Info Window".
The reason why your Mac is asking for permissions to write files outside of your user's directory is for security reasons. Imagine if you download a file, execute it and grant access (by giving the root password); then the file could potentially be a virus and erase or do all kinds of things on your computer.

ACCESS_DENIED_ERROR when using NetFileClose API

I have a windows network in which many files are shared across many users with full control. I have a folder shared for everyone in my system, so whenever I try to access it using the machine name (run->\Servername) from another system, I can see the shared folder and open/write files in it.
But my requirement is to close any open files (in my system) in the network. So I used NetFileEnum to list all opened file ids so that I can close those files using the NetFileClose API.
But the problem is NetFileEnum returns invalid junk ids like 111092900, -1100100090 etc so that I can't close it from another machine. So I listed the network opened files using net file command and by noting the id, say it be 43 I hard coded the id in my function call NetFileClose("Servername", 43); But when I executed, I got ACCESS_DENIED_ERROR. But if the same code is run on the server, it is successfully closing the files. I had given full permission in share for all users.
But why ACCESS_DENIED_ERROR and why NetFileEnum returning invalid ids? Is there anything to be done for this API to work? How can I use these APIs properly to close network opened files?

Getting/setting security attributes of files on a network share

I am able to get/set security attributes (group, owner, DACL, SACL) of files on a NTFS volume by using the GetSecurityInfo/SetSecurityInfo API. The handles I pass to these APIs must be opened with specific access rights (READ_CONTROL, ACCESS_SYSTEM_SECURITY, WRITE_DAC, WRITE_OWNER) which require certain privileges (SE_SECURITY, SE_BACKUP, SE_RESTORE) to be enabled while creating them with CreateFile, which is no problem at all if the files are located on an NTFS volume, and of course if the calling process has sufficient rights. There is a problem, however, if the files are actually located on a network share - creating the file handles would fail with ACCESS_DENIED(5) or PRIVILEGE_NOT_HELD(1314). I guess this is due to the fact that the attempt to create the file handle is actually made on the remote machine in the context of a network logon session which represents my user on the remote machine, and the required privileges are not enabled for that remote process. Is there a way I can get past this limitation, i.e. be able to get/set security attributes of files on network shares?
A similar problem is getting a handle to a directory on a network share. While being able to do it locally (by using FILE_FLAG_BACKUP_SEMANTICS), I understand that this particular flag is not redirected to the remote machine, which I believe is the reason I can't open a handle to a directory on a network share. Is there a way to do this?
Well, it seems I was the one at fault here - I have been testing this case with a user which, although an administrator on my local machine, is a regular restricted user on the file server, which caused all the trouble. You can copy security attributes and open handles to directories on a network share if you connect to it with a user which has sufficient rights on the file server which is sharing the resources.
