Novell Home

My Favorites

Close

Please to see your favorites.

Security Vulnerability - DSfW non-administrative domain users have all rights to new Group Policy Objects

This document (7009567) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
Domain Services for Windows

Situation

- A DSfW domain hosted by one or more OES2 SP3 domain controllers

- Non-default Group Policy Objects created

- Non-administrative domain user  (member of Domain Users Group) logged in to OES2 SP3 DSfW domain from a Windows Vista/XP workstation OR non-Administrative domain user  (member of Domain Users Group) logged in to OES2 SP3 DSfW domain controller directly via the console or via SSH

- User can browse to the Policies folder under Sysvol and can create new files or delete and edit existing ones under the respective GPO folders OR User can go to the sysvol directory on the domain controller and can create new files or delete and edit existing ones. For instance, with a domain name of 'rdm.nts.com' the GPO directories would be found under  ' /var/opt/novell/xad/sysvol/sysvol/rdm.nts.com/Policies/ ' and identified by their respective RIDs

- No changes under the Default Domain Policy are allowed

- Same problem is not seen if users are logged into domain controllers running OES2 SP2

Resolution

With OES2 SP3, the default directory mask for the sysvol was changed to 770 allowing all rights to the group. Since the files under the respective GPO directories are owned by the "Domain Users" group, this change essentially allows all members of Domain Users group to create new files as well as delete and edit existing ones.

To resolve this problem for existing GPO's, please remove the Write rights for the group using the 'setfacl' command.  Please take a backup of the 'Policies' directory before making the changes below.

For instance, with a domain name of 'rdm.nts.com', the command is the following

setfacl -R -m g::r-x  /var/opt/novell/xad/sysvol/sysvol/rdm.nts.com/Policies/

Note that this command needs to be run on the PDC as well as all the ADCs.


To prevent this problem from happening on any newly created GPO objects, please follow the steps listed below on the Primary Domain Controller. Please take a backup of the 'smb.conf' file before making the changes below.

- Edit the /etc/samba/smb.conf file and change the directory mask permissions to 750 in the section 'sysvol'. Also remove the line with the 'create mask'.

Original smb.conf

[sysvol]
.............................
create mask = 770
directory mask = 770

Fixed smb.conf

[sysvol]
.............................
directory mask = 750

- xadcntrl reload OR rcsmb restart


To prevent this problem from happening on any newly created GPO objects, please follow the steps listed below on all Additional Domain Controllers. Please take a backup of the 'smb.conf' file before making the changes below.

- Edit the /etc/samba/smb.conf file and change the directory mask permissions to 750 in the section 'sysvol'. Also remove the line with the 'create mask'.

Original smb.conf

[sysvol]
.............................
create mask = 770
directory mask = 770

[sysvol-msdfs]
.............................
create mask = 770
directory mask = 770


Fixed smb.conf

[sysvol]
.............................
directory mask = 750

[sysvol-msdfs]
.............................
directory mask = 750


- xadcntrl reload or rcsmb restart


Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7009567
  • Creation Date:14-OCT-11
  • Modified Date:27-APR-12
    • NovellOpen Enterprise Server

Did this document solve your problem? Provide Feedback