IBM U2 (UniVerse 10.2) - Create Schema - How - permissions

We have a traditional UV account. Data files in one directory, application programs & subroutines in another directory. Our latest project is implementing JDBC and in order to fully access the subroutines from Java, I believe I need to create a schema on the existing UV account.
How can I do this? I tried logging in as uvadm and create a schema. Get the following error:
CREATE SCHEMA TEST;
UniVerse/SQL: "uvadm" is not an SQL user.
Can anyone help?

They're both admin, per the docs, but a UniVerse Admin is simply someone who has r/w perms on the underlying files used in creation (uvadm and/or root).
Who Is a UniVerse Administrator?
To perform most administration tasks, you must be logged on as a UniVerse Administrator. On UNIX systems, UniVerse administrators must log on as root or as uvadm. On Windows systems, UniVerse administrators must log on as a member of the Administrators group. You can then use UniVerse Admin and UniVerse administration commands to perform UniVerse administration.
However, a UniVerse SQL admin is the person who has read/write permissions on the CATALOG. If you can't create a catalog it is probably because you don't have r/w perms on the directory you're in, because the catalog is just a file.

When you installed UniVerse, who did you say the owner of uvsql is - uvadm or root? The only way I know to resolve this problem is to go through a reinstallation and answer uvadm, so all the files within SQL will be set up and cataloged properly.

Related

Deny "change permissions" for CREATOR OWNER

Using Windows Server 2008 version R2 Standard / Service Pack 1.
I have a shared folder containing the home folders of users. This is called user$.
I have the following share permissions on user$: Everyone: Read/modify
I have the following file permissions on user$:
CREATOR OWNER: Deny: Change permissions and take ownership: Subfolders and files only.
CREATOR OWNER: Allow: Everything except take ownership and change permissions: Subfolders and files only
SYSTEM: Full control: This folder, subfolders and files.
BUILTIN\Administrators: Full control: This folder, subfolders and files
Domain Users: Allow: Traverse, list, read, read attributes, read permissions, create folders: This folder only
I have applied this to the user$ share and replaced all child permissions with inheritable entries. So why do users still have permission to change permissions? Take ownership is not allowed and seems to work as expected.
The reason I need to do this is because something (still unknown) is changing the permissions in a way that makes the files inaccessible to users and messing up a lot of processes. This seems to happen randomly on a daily basis to about 5-10% of users.
Thank you.
The Owner has an implicit Read and Change permission access and has precedence over Deny permissions.
Check the effective access rights of a user to the file.
I suggest you enable Permission change auditing and see what is causing the issue.

TYPO3 fileadmin permission denied when created by ftp

is there any possibility to change the permission when a folder in fileadmin is created per ftp and now you cannot copy a file into this folder?
TYPO3 is version 8.7
Greeting
Volker
You will have 3 Options:
Create the folder with a user that is in the apache/nginx/php group, respectively don't use the FTP-Root user on creation.
Connect via FTP and fix the permission of the folder.
Connect via SSH and fix the permission in terminal context.
Regards
Ribase
Your problem is not TYPO3 specific. It's a Unix problem.
Or better: you need to understand rights management on Unix systems.
There are three levels: owner, group, everyone.
For each level you can define the possible rights (read, write, execute).
In octal notation this matches exactly the bits of the coding:
rwxrwxrwx
||||||+++-- everyone
|||+++----- group
+++-------- owner
Also each file holds an owner and a group.
Folders are a special kind of files which need execution rights to see the content (list of files).
Then there are default bits that are set if a file (or folder) is generated. These bits can be configured with the umask command - or the program you create the file with. With TYPO3 you can define it in the Install Tool.
Maybe your FTP program has similar configuration.
Depending whether your FTP-user and the PHP/Apache-User are identical, share one group or have nothing in common you need to set the bits for each file to grant access each other.
Be aware: independent of the BE user which you use for login in the TYPO3 BE, any file action in the BE (or FE) is done with the apache/PHP user, which probably is not your FTP user.
In a shell you have the commands chmod to change the access bits and chown to change the owner and group of a file. (hint: chgrp will only change the default group assigned to new files)
If you do not have the writing rights for folder and file you can not change any rights of a file. Especially not the right to modify a file (remember: folders are files).
The best option to modify the rights is to use the same user that created the file (as an owner you have the most rights).
Second best is to be root. Root is allowed to do anything, but therefore you should avoid being root, as you also can destroy anything.
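
The owner/group/everyone decision described in the answer above, as an added example that is not part of the original posts. The function names and the uid/gid numbers (FTP user 1001:1001, PHP user 33) are constructed for illustration; root's bypass and ACLs are not modelled.

```shell
#!/bin/sh
# Added example: pick the permission class (owner, group, other) that applies
# to a process, then check whether it may create files in a directory.
# All uids/gids below are constructed sample values.

# perm_class UID "GID LIST" OWNER_UID OWNER_GID -> prints owner|group|other
perm_class() {
    if [ "$1" = "$3" ]; then echo owner; return; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# class_bits MODE CLASS -> prints the 3-bit value (0-7) for that class
class_bits() {
    case "$2" in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        *)     shift_by=0 ;;
    esac
    echo $(( (0$1 >> $shift_by) & 7 ))
}

# can_create_in MODE OWNER_UID OWNER_GID UID "GID LIST"
# Creating a file in a directory needs write (2) and search/execute (1).
can_create_in() {
    cls=$(perm_class "$4" "$5" "$2" "$3")
    bits=$(class_bits "$1" "$cls")
    [ $(( bits & 3 )) -eq 3 ]
}

report() {
    if can_create_in "$@"; then echo "write allowed"; else echo "write denied"; fi
}

# Folder uploaded by FTP user 1001:1001, PHP runs as uid 33.
report 755 1001 1001 33 "33"        # no shared group: "other" is r-x
report 775 1001 1001 33 "33 1001"   # PHP user is a member of the FTP group
report 770 1001 33   33 "33"        # folder's group changed to the PHP group
report 577 33   33   33 "33"        # only the owner class applies, even if others have more
```

Only one class is ever evaluated, which is why the last case is denied although group and everyone hold full rights.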

Failed to update database because the database is read only

This message appears every time I try to save the data to the DB.
Failed to update database because the database is read only
Note: This error comes only when the application is installed to C drive.
Front End: VB.NET
Back End: SQL Server
Is there any way to overcome this issue?
Or any way to restrict the user from installing the application on C drive?
I would check the file system privileges. I suppose you talk about an SQL server file database. You receive the message because the account trying to access your file database does not have the file system permissions to do so.
In order to confirm my suggestion, you allow everyone to access the specific directory with full permissions.
Then, you have to check what is the account trying to do the actual access. Probably it's a system account (user ASPNET or NETWORK SERVICE). You have to give the respective permissions to the specific account.
Then, restart IIS.
If you want to do this for a distributed stand-alone application, then these permissions would have to change on each machine where the program would be installed. In order to avoid putting users in such a fuss, the setup program should do it. I am not an expert on setup programs, but even the simplest ones would give you the option to do it, after asking the system administrator's approval. I suppose you could build a custom action during the setup program which would change the specific folder's permissions, perhaps by using xcacls.exe.
Hope I helped!

Is 0700 or 0711 permission enough to protect database configuration files?

As we all know, with shared web hosting other users' (websites') files could be revealed to others if 'others' have the (read) permission.
I think 0700 or 0711 permission is the best way (in shared hosting) to protect important files that contain secret information.
I suppose that the server is using suPHP or any similar module so that the UID of the process is kept the same as the owner of the files being accessed.
So what do you say?
You are correct. 700 would ensure nobody can read/write/execute that file, except the owner. So that would be good enough! In case it is to be executed, 711, else, 700.
However, if some operation involving that file fails, you should consider 711.
EDIT:
As you have mentioned, if it contains a connection string, you can safely assume that nobody needs to be given write privileges, and give everyone execute privileges.
So, 511 (which is r_x __x __x) should do it.
You'll need execution rights only for directories, if your files are PHP source files you certainly do not need execution rights.
0640 and 2750 are usually good rights for respectively Files and Directories (the 2 in the directory rights make the new files inherit user & group of the directory).
That is for files:
-rw-r-----
And directories
drwxr-s---
Which is right if the webserver is using the group rights and the FTP-or-such user being the owner. With Suexec and such you could maybe adjust these settings depending of who is the owner and who is the web reader (user? group?), the web reader does not need write access, except maybe on some specific directories depending on the application.
And do not forget files & directories rights are only one point in separation of users in a shared environment. For PHP environments using per-user open_basedir settings, temporary files and upload directories and per-user session directories is always a good idea (that can be defined in per-user virtualhosts).
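
An audit-then-harden pass for the 0640 / 2750 layout suggested above, as an added example that is not part of the original answers. The function names, the temporary tree and the `db.php` contents are constructed; it assumes the web server reads the files through the directory's group.

```shell
#!/bin/sh
# Added example: find paths that grant anything to "other", then apply
# 0640 to files and 2750 to directories.

# list_other_access DIR -> prints every path where "other" has r, w or x
list_other_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# harden_tree DIR -> directories 2750 (setgid), files 0640
harden_tree() {
    find "$1" -type d -exec chmod 2750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# octal_mode PATH -> e.g. 640 (GNU stat first, BSD stat as fallback)
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# build_sample -> constructed tree with typical world-readable defaults
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/site/config"
    printf 'db_password=constructed-sample\n' > "$root/site/config/db.php"
    chmod 755 "$root/site" "$root/site/config"
    chmod 644 "$root/site/config/db.php"
    echo "$root/site"
}

demo() {
    site=$(build_sample)
    echo "before: $(list_other_access "$site" | wc -l) paths open to other users"
    harden_tree "$site"
    echo "after:  $(list_other_access "$site" | wc -l) paths open to other users"
    echo "db.php mode: $(octal_mode "$site/config/db.php")"
    rm -rf "$(dirname "$site")"
}
demo
```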

Inno Setup and Permissions for non-admins: everyone, users, or authusers?

Should I give "modify" permissions to 'everyone' or 'users' or 'authusers' if, under UAC, I want to make data folders and files writable to non-admin users of the program?
I want that basically everyone who can sit at the computer can read/write the data through the program. I've also read that using 'everyone' for modify permission can open a security hole over the network. What is the difference between everyone, users, and authusers? What are the security implications?
Implementation details for InnoSetup follow:
Using InnoSetup, I install an EXE in a standard Program Files subfolder, and a Data subfolder within it, like this:
C:\Program Files\My Prog\Prog.exe
C:\Program Files\My Prog\Data\MyData.dat
Now, to make it so that MyData.dat can be modified by Prog.exe even if Prog.exe is launched by a non-admin user, I give "modify" permissions to the subfolder "Data" with this line:
[Dirs]
Name: "{app}\Data"; Permissions: everyone-modify;
;This is the question: should I use users or authusers instead of everyone?
[Files]
Source: "MyProg.exe"; DestDir: "{app}"; Flags: replacesameversion;
Source: "MyData.dat"; DestDir: "{app}\Data"; Flags: replacesameversion;
This question is similar to 2686918 but I didn't find enough info there about the types of permissions, hence this new one. I'll update that question after clarifying this one.
InnoSetup in particular defines these groups:
admins Built-in Administrators group
authusers Authenticated Users group
everyone Everyone group
powerusers Built-in Power Users group
system Local SYSTEM user
users Built-in Users group
Which of those is the nearest to "any user who is sitting at the machine, admin, non-admin, or whatever, but nobody who is accessing the machine from networks"?
You're going the wrong way! Don't store your application data under %PROGRAMFILES%! Use the directory which is intended for this: CSIDL_APPDATA
Consult Microsoft, if you want to have more information about the security identifiers.