ADSM-L

[no subject]

2015-10-04 18:11:36
An interesting issue.

~ I could have allowed the option of bypassing restoring security
~ information but I didn't because I tend to think this would be
~ a security hole which would circumvent NT security.

I am not sure what hole you would have created.

I assume Rusty previously had rights to read these files (well, he backed up as 
admin, so we cannot be sure about that. But since these files are in his home 
directory, this assumption might be correct.).
If so, he was able to read, print or copy these files to any directory where he 
has write access. Let us say, copy to a floppy disk. Thus causing the file to 
lose all security descriptors, because FAT on a floppy does not use them. And, 
as he has write rights in his home directory, he surely could copy this file 
from the floppy back to his home directory - where it would obtain default security 
information.
So, I believe, ADSM only prevents this security hole, which is opened 
through the COPY command.

There is another point of view, which pleads for your solution:
allowing a file to be restored while losing its security information might be 
seen as changing the file through backup&restore.
Because of this, I would be happy with a warning message produced - but not a 
fatal one.
Or a switch could change the restore operation from strict to leisure mode.

There are countless examples of backup programs which work this way - all 
common unix backup programs I know (tar, cpio, fback, ..) will restore files 
with default attributes for common users, while restoring the original access 
rights if run with administrator rights.

By the way - what do you do with security information when restoring NTFS files 
to a FAT drive? I am not sure about NT, but under Warp I can restore files with 
security information from HPFS386 (like NTFS) to FAT partitions. It is a very 
similar security "hole", isn't it?

Jura SALAK,
KEBA Banking
sal AT keba.co DOT at


 ----------
~ From: Pete Tanenhaus, ADSM Client Development
~ To: Multiple recipients of list ADSM-L
~ Subject: Can't restore files
~ Date: Thursday, 5 December 1996 18:18
~
~ The reason you can't restore NTFS files you own is that the restoring
~ NTFS auditing security descriptors requires particular NT user rights
~ which normal (i.e user or domain user) users don't possess.
~
~ Every NTFS file/dir has at least a default auditing SD so they can't
~ be ignored even if auditing is turned off on your system.
~
~ I could have allowed the option of bypassing restoring security
~ information but I didn't because I tend to think this would be
~ a security hole which would circumvent NT security.
~
~ You could define a restore schedule and have the scheduler service
~ restore the files for you.
~
~ Pete Tanenhaus
~ ADSM Client Development
~  ---------------------Original Append--------------------------------
~ From:         Rusty Wright <rusty AT GROAN.BERKELEY DOT EDU>
~ Subject:      can't restore files
~
~ I'm on a pc running Windows NT Workstation 4.0.  I'm using the adsm
~ backup client, version 2, release 1, level 0.5 (ip20863) and can't
~ restore some files that had been backed up with the adsm backup client
~ ip20681.  The server is version 1, release 1, level 0.11 running on
~ vm.
~
~ Due to problems not related to adsm I decided to wipe my disk and
~ reinstall Windows NT Workstation 4.0.  The backups had been done by
~ adsm running as an NT service.  After I reinstalled the system, when I
~ try to restore the files in my home directory (c:\users\rusty) I
~ always get
~
~         ANS7211E Access denied
~
~ This is if I've logged in as rusty.  If I logout and login as
~ administrator then I can restore the files.
~
~ It seems rather useless if normal users can't restore their own files.
~
~ And the error message is as close to useless as they get; I can't tell
~ if the "access denied" is due to access restrictions on the adsm
~ server or on my workstation.  Everything on my workstation shows that
~ I can write to the directories where I'm trying to restore the files
~ to; I can create new files and folders there.
~
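Pete's explanation above turns on a privilege gap: the auditing part of an NTFS security descriptor (the SACL) can only be read or written by a token holding the "Manage auditing and security log" right, which ordinary users lack, so a restore that tries to put the full descriptor back fails for them. The following PowerShell check is an added example, not code from the thread or from the ADSM client; the path is a placeholder and the privilege names are the standard NT privilege constants.

```powershell
# Added check (not part of the thread): does the current account hold the
# privileges needed to read or restore the auditing (SACL) portion of an
# NTFS security descriptor? $Path is a placeholder; substitute a real file.
param([string]$Path = 'C:\users\rusty\example.txt')   # placeholder path

# Privileges relevant to restoring a complete security descriptor:
#   SeSecurityPrivilege - "Manage auditing and security log": read/write the SACL
#   SeRestorePrivilege  - "Restore files and directories": write regardless of DACL, set owner
#   SeBackupPrivilege   - "Back up files and directories": read regardless of DACL
$needed = 'SeSecurityPrivilege', 'SeRestorePrivilege', 'SeBackupPrivilege'

# whoami /priv lists only the privileges present in the token (Enabled or Disabled);
# a privilege the account was never granted does not appear at all.
# Note: under UAC an administrator's non-elevated token also lacks these.
$privs = whoami /priv /fo csv | ConvertFrom-Csv
$held  = $privs.'Privilege Name'

foreach ($p in $needed) {
    if ($held -contains $p) {
        $state = ($privs | Where-Object { $_.'Privilege Name' -eq $p }).State
        "$p : present ($state)"
    } else {
        "$p : NOT held by this token"
    }
}

# Reading owner and DACL needs only READ_CONTROL on the file, which the
# owner of a home-directory file normally has ...
$dacl = Get-Acl -Path $Path
"Owner: $($dacl.Owner); DACL entries: $($dacl.Access.Count)"

# ... but asking for the SACL (-Audit) requires SeSecurityPrivilege. Without it
# the call fails, which is the same gap that makes a full-descriptor restore
# end in 'Access denied' for a normal user.
try {
    $sacl = Get-Acl -Path $Path -Audit
    "SACL entries: $($sacl.Audit.Count) (auditing information readable)"
} catch {
    "SACL read failed: $($_.Exception.Message) -> this account cannot restore auditing information"
}
```

Running the same script elevated (or as the scheduler service account, as Pete suggests) shows the privileges present and the SACL readable, which is why the scheduled restore succeeds where the interactive one does not.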