security – New file on my mack with odd customer permissions. Have I been hacked?

So today I was looking for something on my MacBook Pro and saw folder called library with the customer permissions.

It seems like it has to permissions, systems (read, write) and everyone no access.

I expanded the permissions so that I could view it. However it seems to have an empty folder inside. the empty folder has the same permissions.

The Folder is located in my iCloud > Documents folder and is called Library and the folder inside of it is also Logs.

Additionally I can see that the file was created two days ago.

Moreover, I have all sharing services turned off on may systems preferences > sharing.

There is no user profile currently under the name of systems in systems preferences > users & groups.

Why do I have a new file with custom permissions. Have I been hacked? Is there something I can check to see if there is something wrong going on?

(also got an email recently saying someone tried to reset a bestbuy password but that my be irrelevant for this)

php – Symfony / Doctrine field level permissions

How would you go about implementing field level permissions in Doctrine?

I want to achieve that whenever I get an entity from the database, the entity should be populated only with the properties that the current user has permission to access.

I’m not interested in solutions involving the controller layer / any controller logic. Also, just a simple general entity repository wouldn’t help, because a notable part of the db queries happen through Doctrine’s Query Builder.

7 – Error copying file. Is there a permissions issue?

I have a process that fetches a file, then moves it (overwriting if already exists). The copy part fails, and I cannot determine why.

Here is some PHP I am using to reproduce the issue I am seeing (with output functions from Devel module):

$source = 'temporary://someFile';
$destination = 'public://profile_pictures/someFile.jpg';

# Get name of Linux user running this
$username = posix_getpwuid(posix_geteuid())('name');
dpm($username);   # nginx

dvm(file_exists($source));       # TRUE
dvm(file_exists($destination));  # TRUE

# File permissions
dpm(substr(sprintf('%o', fileperms($source)), -4));       # 0600
dpm(substr(sprintf('%o', fileperms($destination)), -4));  # 0644

# Try Drupal's copy
$r = file_unmanaged_copy($source, $destination, FILE_EXISTS_REPLACE);
dvm($r);  # FALSE

# Try PHP copy that Drupal uses internally, to see the error
dvm(copy($destination, $source));  # TRUE    ( Copy backwards works... )
dvm(copy($source, $destination));  # FALSE   ( But this doesn't work.  )

The last line gives the following error:

Warning: copy(public://profile_pictures/someFile.jpg): failed to open stream: “DrupalPublicStreamWrapper::stream_open”

So copying backwards works, but it won’t copy from temporary:// to profile_pictures. Also, if I delete public://profile_pictures/someFile.jpg first, then it works.

Permissions of files and folders:

drwxrwx--- www-data www-data temporary://
-rw------- nginx    nginx    temporary://someFile
drwxrwxr-x www-data www-data public://profile_pictures
-rw-rw-r-- nginx    nginx    public://profile_pictures/someFile.jpg

The temporary directory is a sub-folder of public://. The nginx user is in the www-data group.

Is this a permissions issue? Looking at Drupal’s requirements, I don’t see what I am doing wrong.

permissions – How to run Termux commands from adb

I am trying to run the tshark command I have set up in Termux from the adb shell. I set up termshark by running the following commands:

pkg install root-repo
pkg install termux-api
pkg install termshark

After running those I was able to just run tshark as a command in Termux. I am now trying to run the tshark command through an adb shell. tshark is located at /data/data/com.termux/files/usr/bin/tshark but when I try to run that in adb I get a message saying the following

1|generic_x86_arm:/ $ /data/data/com.termux/usr/bin/tshark    
/system/bin/sh: /data/data/com.termux/usr/bin/tshark: inaccessible or not found

My Android device is not rooted, is there a way to access this command without rooting my device?

usability – How to best display read and read/write permissions in a table

Our app consists of different sections (here Section 1, Section 2 etc.) where the users can view and edit their data. The user can also choose to give read or read/write access for each of this sections to other users.

We have to design a new page which acts as an overview of the given permissions. As there are multiple sections and potentially hundreds of users, we have decided to use a table. It will have a pagination with 20 users per page. Please note that the user won’t be able to change the permissions on this page, it only serves as an overview (there is a separate process for managing access).

We are trying to find the most efficient way to convey the different types of access and have so far created following design:

A table with the columns User, Section 1, Section 2, Section 3, Section 4. The permission for each section are displayed with three types of icons: a light horizontal line for no permissions, an eye for read and a pen for read/write access. A legend above the table explains the meaning of each icon.

Our worries with this design are that:

  1. The users may overlook the legend above the table
  2. The pen icon is usually associated with write/edit actions, but here it also implies read access, as you can not edit without being able to view. We are not sure if this will be clear for the users
  3. We already use a pen icon as an edit button in other parts of the application, although with a different design. The user may expect some edit action behind the icon and click on it

We have also tried following design but weren’t convinced of it as the icons have no meaning on their own:

The same concept as the first image, but with different icons: a light horizontal line for no permissions, a semi-filled circle for read and a fully filled circle for read/write access.

Do you have any ideas how we could improve our design?

Access permissions in Active Directory not working

I’ve a server running Active Directory, and two servers for storage in my domain. Currently all the folders are open, but I wanna set up access authorizations with Active Directory groups, so only the allowed groups are able to access specific folders.

I’m adding shared folders to Windows Settings > Security Settings > File System (see image for reference). Then I configure the groups that can access it and their permissions.

But for some reason, the policy doesnt get applied (I’ve tried gpupdate), and the users without access permission, still can see and access the folder and it’s content.

What am I doing wrong?

ref image

workflow – What permissions are required to invoke a custom WCF web service deployed to the ISAPI folder (exposed through /_vti_bin/)?

Related / follow up to this question.

Because a site’s email settings (SMTP server, “from” address, etc.) are not available through any client-side APIs, I created a mini WCF web service that is deployed to the ISAPI folder. It takes a site’s URL as a query parameter, and uses that to open SPSite and SPWeb objects in server side code, retrieve the email settings, and then return that in a simple JSON payload.

It works perfectly fine when I test it from Postman.

But the main reason I need it is because I need to use the HttpSend web request action inside a VisualStudio declarative custom action (.xaml file) in order to get those settings and send them on into a custom code activity run by Workflow Manager. (I’ve gotten CSOM code to run inside the custom code activity, but again, I can’t get those settings from any client APIs.)

I’m used to the general rule that a workflow will run with the permissions of the person who initiated it, but when I test my workflow and it gets to that step, I’m getting a 401 UNAUTHORIZED. And not only that – as one of the first lines in my web service method, I log to ULS that the web service was invoked. I can see those log entries from the times that I invoke the web service from Postman, but I don’t see them for when I tried it with the workflow. Which means to me that it’s not even choking on the part where I SPSite site = new SPSite(siteURL). It’s not even getting that far because the initial log entry isn’t there.

So… what permissions do I need to set up to enable a workflow to invoke a custom WCF web service at <site>/_vti_bin/path/to/service.svc?

I’m no expert at WCF, so I haven’t set up anything that I can see around authentication/authorization there. Do I need to do something explicit there? (Why would I, if it works for me from Postman as it is currently set up?)

Do I need to set up workflows to run with elevated permissions using the whole app permission model? If so, what would the minimum permission level need to be just to get the WCF service to run? I’d rather not give workflows full control on the site, and I have no problem using SPSecuity.RunWithElevatedPrivileges inside the web service to retrieve the values I need, as long as I can get it invoked in the first place.

8 – systemAdminMenuBlockPage callback now respecting menu link permissions

I added a custom permission on “admin/commerce/config” to disable access for certain user roles.

class RouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    $events(RoutingEvents::ALTER) = 'onAlterRoutes';
    return $events;
  }

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
      if ($route = $collection->get('commerce.configuration')) {
        $route->setRequirements(('_permission' => 'administer commerce configuration'));
      }
  }
}

The page can now only be accessed when user has the permissions ‘administer commerce configuration’. But it is still visible on the “admin/commerce” page.
The page url’s are build by the systemAdminMenuBlockPage callback. The function getAdminBlock (core/modules/system/src/SystemManager.php) builds the menu and has a $element->access->isAllowed function,but this keep returning 1. And so its still printed on the overview page.

Any suggestions for fixing this issue?

linux – WSL (Ubuntu 20.04) – unstable permissions

I’m new to WSL and trying to use rsync for snapshot backups. Everything seems to be working as intended… except that rsync refuses to copy some files, citing a permission error with send_files.

So I tried to change globally the permissions for all files and folders, to make them all readable. Again, failure with certain files. I then went to look at these specific directories and found this, for example:

m17awl@M17A:/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib$ ls -lsa
total 48332
   0 drwxrwxrwx 1 m17awl m17awl     512 Jan 21  2020 .
   0 drwxrwxrwx 1 m17awl m17awl     512 Jan 21  2020 ..
  52 ---------- 1 m17awl m17awl   51141 Jan 23  2020 LuceneIndexer_3-3.0.12.jar
   4 ---------- 1 m17awl m17awl    3482 Jan 23  2020 animal-sniffer-annotations-1.14.jar
2020 ---------- 1 m17awl m17awl 2067867 Jan 23  2020 ant-1.9.13.jar

hmmm… no permissions. OK, I try to change these, seemingly successfully:

m17awl@M17A:/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib$ sudo chmod -R +r .
(sudo) password for m17awl:
m17awl@M17A:/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib$ ls -lsa
total 48332
   0 drwxrwxrwx 1 m17awl m17awl     512 Jan 21  2020 .
   0 drwxrwxrwx 1 m17awl m17awl     512 Jan 21  2020 ..
  52 -r-xr-xr-x 1 m17awl m17awl   51141 Jan 23  2020 LuceneIndexer_3-3.0.12.jar
   4 -r-xr-xr-x 1 m17awl m17awl    3482 Jan 23  2020 animal-sniffer-annotations-1.14.jar
2020 -r-xr-xr-x 1 m17awl m17awl 2067867 Jan 23  2020 ant-1.9.13.jar

I run rsync again… and get the same permission failures, including with these files in this particular directory:

m17awl@M17A:/mnt/d/My Documents$ rsync --progress --update --recursive --times --link-dest=/mnt/f/Backups/rsync/My Documents/snapshot2021-02-21T203900/ /mnt/d/My Documents/ /mnt/f/Backups/rsync/My Documents/snapshot2021-02-22T071700/
sending incremental file list
...
rsync: send_files failed to open "/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/bin/LuceneIndexer_3": Permission denied (13)
rsync: send_files failed to open "/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib/LuceneIndexer_3-3.0.12.jar": Permission denied (13)
rsync: send_files failed to open "/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib/animal-sniffer-annotations-1.14.jar": Permission denied (13)
rsync: send_files failed to open "/mnt/d/My Documents/software projects/operative/LuceneIndexer_3/3.0.12/lib/ant-1.9.13.jar": Permission denied (13)

… and when I go back and look at the directory again I find the permissions on these files have been “destroyed” (i.e. again set to ----------).

Anyone got any idea what’s going here… any solutions?

Can a Script distinguish IMPORTRANGE N/As due to non-existent Tabs from N/As due to not having access permissions?

I’m creating a sheet that will import and process data from other Sheets. On a daily basis, the user will be given a new document to process with it. I have cell B1 reserved for them to enter the URL of the new document, and a test cell where they will be able to click the “Allow access” button.

This cell contains this simple formula:

    =IMPORTRANGE(B1,"ImaginarySheet!A1")

It produces an N/A error before the user connects the documents, but of course it also produces an N/A error afterwards, because there is no such Tab as ImaginarySheet. If only I could predict with certainty what any of the Tabs in the document will be named, I would use that Tab name instead, but unfortunately I can not, due to a sheer lack of a naming convention on the other end, which I can not even communicate about.

I can clearly see the difference between the pop-up errors before when/if the documents are successfully connected and afterwards, but the user is not the most tech-savvy person, and I would greatly prefer if the document could communicate more clearly whether or not they have successfully granted permissions.

Wrapping the formula in an IFNA or IFERROR won’t work because the formula result is N/A regardless of whether the documents are connected. I need some way to distinguish between “docs are not connected/you don’t have permissions to connect them” and “docs are connected but there is no such Tab as ImaginaryTab in the import doc.” There doesn’t seem to be any way to differentiate between the cause of the N/A on the formula level, but I wonder, might there be some way a Script could distinguish between the two, and return a specific result once the docs are connected?

Thanks for any ideas.