WinBatch Tech Support Home


NetwareX Extender


nwGetFileInfo to Get List of Inherited Trustees


Question:

You can use nwGetFileInfo(), request #9 to get a list of objects who have been given direct trustee rights on a file...works great.

In Netware, you can also inherit permissions from your parent folder(s).

I've been asked to write a script to generate all the effective rights on a set of files on various servers.

nwGetFileInfo() also has request #8. This gives you the IRF (inherited rights filter) for a particular file. This is what ACLs are allowed to propagate down.

I cannot seem to find any way to generate a list of ALL users, OUs, and objects who have rights to that file.

I know this can be done, as the search engine I've been asked to audit is able to do it.

Once I have the users that have SOME FORM of rights to the file, I can use nwGetFileInfo(), request 10 in order to find out that object's "effective rights" to the file.

Thoughts? Any help would be much appreciated. And as always... yesterday is fine. :)

Answer:

Hmmm... Let me think very hard about a flux capacitor and just maybe I can project my thoughts back to yesterday and get a retroactive message posting to occur purely through sheer force of will....

OK, let's review NetWare file system trustee assignments. This applies to both TFS and NSS volumes. Explicit rights can be assigned to any folder or file, including the root folder of the volume. At any given point in the folder hierarchy, an IRF [Inherited Rights Filter] may be applied that masks off the trustee rights that may be inherited from an ancestor further back in the hierarchy. At any given point in the folder hierarchy, additional explicitly assigned trustee rights may be applied.

The calculation of effective rights is actually performed dynamically as access is being requested, so there's a traversal of the file system directory structure occurring as trustee rights assignments are being evaluated to determine if the desired access will be permitted.

The calculation of effective rights is performed by a built-in function within the Novell Client for NetWare v4.x & newer, but for NetWare v3.x, there is no such API function. To support NetWare v3.x servers in this way, I had to actually duplicate the functionality. Here's how it works...

All of the summarizing of effective rights is performed based on the security principal, which is the object for which effective rights are being calculated.

At the root folder level, all explicitly assigned trustee rights are evaluated to see if the security principal should be granted the rights assigned to trustees. The security principal is eligible to be granted those rights if it is either contained by a trustee [e.g. is in an O, OU or some other eDir container], is contained by a subordinate container under the trustee, or is in the "Security Equals" list of any of the trustees [e.g. is a member of a group or organizational role]. And, of course, the security principal itself might have explicitly assigned trustee rights.

Anyway, all trustee rights the security principal is eligible to make use of get combined in a bit-wise OR operation. Then those rights are treated as the inherited rights that are passed on to the next folder down in the folder hierarchy on the volume. The IRF for that subfolder is used to mask off rights that are not allowed to be inherited, then the process is repeated again for evaluating all of the trustee rights assigned to the subfolder.

Repeat this process as you work down through the folder hierarchy to reach the folder that contains the file you want to access and then repeat the process on that file itself. What you end up with are the effective rights that the security principal has on the specified file.

At no time is any record kept regarding where individual trustee rights actually come from. Due to this summarization of information, there's no built-in means of simply asking "Who all has access to this folder or file?"

You are going to have to code the same thing that the auditing package does, which is to walk down through the folder hierarchy looking for explicitly assigned trustee rights, determining whether they are assigned to containers, to other objects that have a "security equals" attribute, or to individual objects, and building up a list of "possibly maybe might have rights if they aren't masked off at some point further on down the folder hierarchy". Then, once you have this list of candidates, you need to evaluate every directly assigned object and all of the indirectly assigned objects [e.g. children of an OU, members of a group] to see if they have any effective rights on the desired folder or file.

This can be done in a UDF that calls itself recursively.
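The evaluation the answer walks through, as an added example in Python. This is not code from the original page or from the NetwareX extender; it models the rules described above against a constructed directory fragment and volume layout (all names hypothetical, nothing is read from a server). effective_rights() does the root-to-file walk for one principal, OR-ing the trustee rights it is eligible to use at each level and masking what flows down from the parent with the child's IRF. who_has_rights() does the enumeration the answer describes for "who all has access": it collects every trustee named anywhere on the path as a candidate, expands containers and groups to the objects that can use them, and then verifies each with effective_rights(). The walk is written as a loop over the path components rather than as a recursive function.

```python
"""Model of NetWare effective-rights evaluation and "who has access" enumeration.

Constructed example: the directory objects, the volume layout and every trustee
assignment below are made up for illustration and are not read from a server.
"""
from dataclasses import dataclass, field

# NetWare file-system trustee rights, one bit each:
# Supervisor, Read, Write, Create, Erase, Modify, File scan, Access control.
RIGHT_LETTERS = "SRWCEMFA"
RIGHT_BITS = {c: 1 << i for i, c in enumerate(RIGHT_LETTERS)}
ALL_RIGHTS = (1 << len(RIGHT_LETTERS)) - 1


def rights(letters: str) -> int:
    """Rights letters such as 'RWF' -> bitmask."""
    return sum(RIGHT_BITS[c] for c in letters.upper())


def rights_str(mask: int) -> str:
    """Bitmask -> rights letters in canonical order ('' when no rights)."""
    return "".join(c for c in RIGHT_LETTERS if mask & RIGHT_BITS[c])


# Constructed eDirectory fragment: object DN -> parent container (None = tree root).
PARENT = {
    "O=ACME": None,
    "OU=ENG.O=ACME": "O=ACME",
    "CN=ALICE.OU=ENG.O=ACME": "OU=ENG.O=ACME",
    "CN=BOB.OU=ENG.O=ACME": "OU=ENG.O=ACME",
    "CN=CAROL.O=ACME": "O=ACME",
    "CN=ADMIN.O=ACME": "O=ACME",
    "CN=DEVGRP.O=ACME": "O=ACME",
}
# Constructed "Security Equal To" lists (group / organizational role membership).
SECURITY_EQUALS = {
    "CN=ALICE.OU=ENG.O=ACME": {"CN=DEVGRP.O=ACME"},
}


@dataclass
class FsNode:
    trustees: dict = field(default_factory=dict)  # trustee DN -> rights bitmask
    irf: int = ALL_RIGHTS                         # inherited rights filter


# Constructed volume: path tuple -> node. Paths not listed have no explicit
# trustees and an open IRF (everything may be inherited).
VOLUME = {
    ("VOL1:",): FsNode({"OU=ENG.O=ACME": rights("RF"),
                        "CN=ADMIN.O=ACME": rights("RWCEMFA")}),
    ("VOL1:", "APPS"): FsNode({"CN=DEVGRP.O=ACME": rights("RWCEMF")}),
    ("VOL1:", "APPS", "SRC"): FsNode({"CN=CAROL.O=ACME": rights("RWF")},
                                     irf=rights("RF")),
    ("VOL1:", "APPS", "SRC", "BUILD.BAT"): FsNode({"CN=BOB.OU=ENG.O=ACME": rights("RWF")}),
}


def equivalences(obj: str) -> set:
    """Trustees whose assignments `obj` may use: itself, every ancestor container,
    and everything it is security-equal to (assumption: equivalence is not transitive)."""
    eq = {obj} | SECURITY_EQUALS.get(obj, set())
    parent = PARENT[obj]
    while parent is not None:
        eq.add(parent)
        parent = PARENT[parent]
    return eq


def effective_rights(principal: str, path: tuple) -> int:
    """Walk from the volume root down to `path`. At each level, mask the rights
    inherited from the parent with this level's IRF, then OR in every explicit
    assignment the principal is eligible to use."""
    eligible = equivalences(principal)
    inherited = 0
    for depth in range(1, len(path) + 1):
        node = VOLUME.get(path[:depth], FsNode())
        explicit = 0
        for trustee, mask in node.trustees.items():
            if trustee in eligible:
                explicit |= mask
        inherited = (inherited & node.irf) | explicit
    return inherited


def is_container(obj: str) -> bool:
    return obj in PARENT.values()


def who_has_rights(path: tuple) -> dict:
    """Everyone with non-empty effective rights on `path`, as {DN: rights letters}.
    Step 1: every trustee named on the root-to-path walk is a candidate.
    Step 2: an object is covered by a candidate if that candidate is in its
    equivalence set (this is the container / group expansion, done by lookup).
    Step 3: verify each covered object with the real effective-rights walk.
    Containers are skipped; their rights only matter through their contents."""
    candidates = set()
    for depth in range(1, len(path) + 1):
        candidates |= set(VOLUME.get(path[:depth], FsNode()).trustees)
    result = {}
    for obj in PARENT:
        if is_container(obj) or not (candidates & equivalences(obj)):
            continue
        mask = effective_rights(obj, path)
        if mask:
            result[obj] = rights_str(mask)
    return result


if __name__ == "__main__":
    target = ("VOL1:", "APPS", "SRC", "BUILD.BAT")
    for dn, letters in sorted(who_has_rights(target).items()):
        print(f"{dn:32} {letters}")
```

In the constructed data the IRF on APPS\SRC is what cuts ADMIN's root-level RWCEMFA down to RF by the time BUILD.BAT is reached, while CAROL, who inherits nothing, gets RWF from her explicit assignment on SRC, and BOB's file-level RWF is OR-ed onto the RF he inherits through OU=ENG. To use this against a real server, replace VOLUME with the trustee lists from nwGetFileInfo() request #9 and the IRFs from request #8, and PARENT / SECURITY_EQUALS with directory lookups. Two points where real NetWare differs from the simplified description and the model should be adjusted if exactness matters: an explicit assignment to a trustee at a lower level replaces what that same trustee inherited rather than OR-ing with it, and the Supervisor right cannot be masked by a file-system IRF.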


Article ID:   W17081
File Created: 2007:07:03:14:28:12
Last Updated: 2007:07:03:14:28:12