security

security related information 

Miscellaneous Information


DESCRIPTION

2012/8.1/2012R2/10/2016/2019 systems offers security features that are not available on older Windows systems. 2012/8.1/2012R2/10/2016/2019 supports user and group names, domains, file attributes and file access control lists. The PTC MKS Toolkit on 2012/8.1/2012R2/10/2016/2019 now provides facilities for displaying and using this kind of information.

On each 2012/8.1/2012R2/10/2016/2019 system, the Security Account Manager (SAM) maintains a security account database. This database contains information about all user and group accounts on the machine. On networked systems, both individual workstations and collections of workstations can be grouped together to share a common user account database (SAM database). These workstations are considered to be members of a domain (which has a specific domain name) and their common account database is administered by an 2012/8.1/2012R2/10/2016/2019 Domain Server. This configuration allows a user to log into any of these workstations using a single account. The SAM database accessed at login time depends on whether the user wants to log into the workstation or into the domain. The user can select the database in the login dialog window.

User and group accounts have a name and a number. The user and group names have a format of "DomainName\Username", and are known as security identifiers (SID). A standard notation for SIDs makes it easy to visualize the components in the SID. This format is:

S-r-i-s-s...

where

S  is the letter S and identifies that this string is a SID
r  is the revision level
i  is the value known as "identifier-authority"
s  is a subauthority value

There are several SID values that have built-in or well known values including the following:

S-1-5-32-500	Administrator user
S-1-5-32-544	Administrators group
S-1-5-32-545	Users group
S-1-1		Everyone

On 2012/8.1/2012R2/10/2016/2019, SID values are used in all security operations including file access and ownership. Files on the NTFS file system have an owner, a group and usually a Discretionary Access Control List (DACL). The DACL contains a list of Access Control Entries where each entry specifies accessibility of a specific user or group account.


APPLICATION USAGE

User and Group Identifiers 

Since SID numeric values are so large that they do not fit into the PTC MKS Toolkit's implemented range of numeric user and group ID (that is, 0 to 64K), an internal mapping table is used to store the SIDs and the index into this table is used for the numeric values of the user and group ID. Thus, if a PTC MKS Toolkit utility displays or uses a numeric user or group ID, this value is the table index. This value is not very useful to the user since every utility builds its own table every time it is executed.

User and Group Names 

Files on networked file systems may have ownership, group or DACL information containing SIDs that are not recognized by security manager in the user's current domain. In this case, the user and/or group name corresponding to the SID cannot be obtained so the SID value is used instead in the format of the standard SID notation defined above.

Since SID values are usually very large, the TK_NTSECURITYINFO_SID_TERSE environment variable can be set causing the SID values to be shortened. In this case all the subauthority values, except the last one, are replaced by the string "-...-".

The /etc/passwd File 

Older versions of the PTC MKS Toolkit obtained user and group information from the password file $ROOTDIR/etc/passwd and the group file $ROOTDIR/etc/group. Newer PTC MKS Toolkit versions running on 2012/8.1/2012R2/10/2016/2019 now use the native system security information instead of these password and group files. For example, typing

	~testusr

on the shell command line is replaced by the home directory of user testusr. (This directory was initialized when the user account was created using 2012/8.1/2012R2/10/2016/2019's UserManager Administrative Tool.) This security information is stored in the 2012/8.1/2012R2/10/2016/2019 SAM database on the primary domain server.

These security features can be disabled (See NOTES).

The chacl command 

The chacl command changes Access Control Entries (ACEs) in the Access Control List (ACLs) on files or directories, and various other 2012/8.1/2012R2/10/2016/2019 objects.

The lsacl command 

The lsacl command lists object access control lists for a specified object. Most objects under 2012/8.1/2012R2/10/2016/2019 have ACLs controlling permissions to operate on that object.

The ls command 

The 2012/8.1/2012R2/10/2016/2019 version of the ls command has been enhanced to display the owner and group names of files if the file's SIDs can be obtained and if these SIDs have an associated name in the SAM database. If the file has an SID associated with it, but the name of the SID cannot be determined, the value of the SID is displayed. This can happen when the current user is not in the domain that was used when the file was created. If the file does not have an SID (for example, on non-NTFS file systems), or if the file security information cannot be accessed because the file is locked by another process, then the user and/or group names appear as <unavail>.

The ls command also has an additional option (-X) which allows you to display the file's DACL and the file's attributes. By specifying ls -X a or ls -X A, the file's attributes are displayed. By specifying ls -X d or ls -X D, the entries in the file's DACL are displayed. The lowercase letters specify the terse format and the uppercase letters specify the verbose format.

The find command 

The find command now supports user and group names specified in the -user, -group, -nouser, or -nogroup options. Thus, to find all files owned by the user name testusr in the current directory tree, you can use:

find . -user testusr -print

The find command also supports a -acl option. This option specifies a pattern and an optional access mask and matches if the file has a name in its Access Control List which matches the pattern and the access mask information also matches.


NOTES

By default, the PTC MKS Toolkit tries to use the 2012/8.1/2012R2/10/2016/2019 security information whenever possible. Obtaining this information requires additional overhead and may significantly decrease performance especially on network drives. You can turn off the 2012/8.1/2012R2/10/2016/2019 security enhancements by setting the TK_NTSECURITYINFO_OFF environment variable to any value.


AVAILABILITY

PTC MKS Toolkit for Power Users
PTC MKS Toolkit for System Administrators
PTC MKS Toolkit for Developers
PTC MKS Toolkit for Interoperability
PTC MKS Toolkit for Professional Developers
PTC MKS Toolkit for Professional Developers 64-Bit Edition
PTC MKS Toolkit for Enterprise Developers
PTC MKS Toolkit for Enterprise Developers 64-Bit Edition


SEE ALSO

Commands:
chacl, find, id, ls, lsacl

Miscellaneous:
stat


PTC MKS Toolkit 10.3 Documentation Build 39.