DESCRIPTION
8.1/2012R2/10/2016/2019/11/2022 systems offers security features that are not available on older Windows systems. 8.1/2012R2/10/2016/2019/11/2022 supports user and group names, domains, file attributes and file access control lists. The PTC MKS Toolkit on 8.1/2012R2/10/2016/2019/11/2022 now provides facilities for displaying and using this kind of information.
On each 8.1/2012R2/10/2016/2019/11/2022 system, the Security Account Manager (SAM) maintains a security account database. This database contains information about all user and group accounts on the machine. On networked systems, both individual workstations and collections of workstations can be grouped together to share a common user account database (SAM database). These workstations are considered to be members of a domain (which has a specific domain name) and their common account database is administered by an 8.1/2012R2/10/2016/2019/11/2022 Domain Server. This configuration allows a user to log into any of these workstations using a single account. The SAM database accessed at login time depends on whether the user wants to log into the workstation or into the domain. The user can select the database in the login dialog window.
User and group accounts have a name and a number. The user and group names have a format of "DomainName\Username", and are known as security identifiers (SID). A standard notation for SIDs makes it easy to visualize the components in the SID. This format is:
S-r-i-s-s...
where
S is the letter S and identifies that this string is a SID r is the revision level i is the value known as "identifier-authority" s is a subauthority value
There are several SID values that have built-in or well known values including the following:
S-1-5-32-500 Administrator user S-1-5-32-544 Administrators group S-1-5-32-545 Users group S-1-1 Everyone
On 8.1/2012R2/10/2016/2019/11/2022, SID values are used in all security operations including file access and ownership. Files on the NTFS file system have an owner, a group and usually a Discretionary Access Control List (DACL). The DACL contains a list of Access Control Entries where each entry specifies accessibility of a specific user or group account.
APPLICATION USAGE
- User and Group Identifiers
-
Since SID numeric values are so large that they do not fit into the PTC MKS Toolkit's implemented range of numeric user and group ID (that is, 0 to 64K), an internal mapping table is used to store the SIDs and the index into this table is used for the numeric values of the user and group ID. Thus, if a PTC MKS Toolkit utility displays or uses a numeric user or group ID, this value is the table index. This value is not very useful to the user since every utility builds its own table every time it is executed.
- User and Group Names
-
Files on networked file systems may have ownership, group or DACL information containing SIDs that are not recognized by security manager in the user's current domain. In this case, the user and/or group name corresponding to the SID cannot be obtained so the SID value is used instead in the format of the standard SID notation defined above.
Since SID values are usually very large, the TK_NTSECURITYINFO_SID_TERSE environment variable can be set causing the SID values to be shortened. In this case all the subauthority values, except the last one, are replaced by the string "-...-".
- The /etc/passwd File
-
Older versions of the PTC MKS Toolkit obtained user and group information from the password file $ROOTDIR/etc/passwd and the group file $ROOTDIR/etc/group. Newer PTC MKS Toolkit versions running on 8.1/2012R2/10/2016/2019/11/2022 now use the native system security information instead of these password and group files. For example, typing
~testusr
on the shell command line is replaced by the home directory of user testusr. (This directory was initialized when the user account was created using 8.1/2012R2/10/2016/2019/11/2022's UserManager Administrative Tool.) This security information is stored in the 8.1/2012R2/10/2016/2019/11/2022 SAM database on the primary domain server.
These security features can be disabled (See NOTES).
- The chacl command
-
The chacl command changes Access Control Entries (ACEs) in the Access Control List (ACLs) on files or directories, and various other 8.1/2012R2/10/2016/2019/11/2022 objects.
- The lsacl command
-
The lsacl command lists object access control lists for a specified object. Most objects under 8.1/2012R2/10/2016/2019/11/2022 have ACLs controlling permissions to operate on that object.
- The ls command
-
The 8.1/2012R2/10/2016/2019/11/2022 version of the ls command has been enhanced to display the owner and group names of files if the file's SIDs can be obtained and if these SIDs have an associated name in the SAM database. If the file has an SID associated with it, but the name of the SID cannot be determined, the value of the SID is displayed. This can happen when the current user is not in the domain that was used when the file was created. If the file does not have an SID (for example, on non-NTFS file systems), or if the file security information cannot be accessed because the file is locked by another process, then the user and/or group names appear as <unavail>.
The ls command also has an additional option (
-X ) which allows you to display the file's DACL and the file's attributes. By specifying ls -X a or ls -X A, the file's attributes are displayed. By specifying ls -X d or ls -X D, the entries in the file's DACL are displayed. The lowercase letters specify the terse format and the uppercase letters specify the verbose format. - The find command
-
The find command now supports user and group names specified in the
-user ,-group ,-nouser , or-nogroup options. Thus, to find all files owned by the user name testusr in the current directory tree, you can use:find . -user testusr -print
The find command also supports a
-acl option. This option specifies a pattern and an optional access mask and matches if the file has a name in its Access Control List which matches the pattern and the access mask information also matches.
NOTES
By default, the PTC MKS Toolkit tries to use the 8.1/2012R2/10/2016/2019/11/2022 security information whenever possible. Obtaining this information requires additional overhead and may significantly decrease performance especially on network drives. You can turn off the 8.1/2012R2/10/2016/2019/11/2022 security enhancements by setting the TK_NTSECURITYINFO_OFF environment variable to any value.
AVAILABILITY
PTC MKS Toolkit for Power Users
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition
SEE ALSO
- Miscellaneous:
- stat
PTC MKS Toolkit 10.4 Documentation Build 39.