15-Mar-2012

Security standardisation

This site has an issue that I've seen at a number of sites previously. When a previous systems admin has decided to implement identifiers and ACLs, they've forgotten to co-ordinate the values of the identifiers between the production and QA clusters.

Identifiers are key/value pairs stored in RIGHTSLIST.DAT, and of course the file system stores the value, not the ASCII key, when creating an ACL. If you move a file from one cluster to another and the values of the identifiers in an associated ACL don't match, you end up with unexpected access control list entries that show values instead of the proper ASCII key. Usually this causes protection problems for the developers.
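A sketch of the cross-cluster check described above, added here as an example and not taken from the original post. It assumes each cluster's identifiers have been dumped to a Name/Value text listing; the layout, names and values below are constructed. It goes one step beyond the text by also flagging a value that resolves to a different name on the target cluster.

```python
import re

# Constructed sample listings (Name / Value / Attributes columns assumed);
# identifier names and values are invented for illustration.
PROD_LISTING = """\
  Name                             Value           Attributes
  APP_READ                         %X80010001
  APP_WRITE                        %X80010002      RESOURCE
  APP_ADMIN                        %X80010003
"""
QA_LISTING = """\
  Name                             Value           Attributes
  APP_READ                         %X80010001
  APP_WRITE                        %X80010005      RESOURCE
  QA_TESTERS                       %X80010003
"""

# One identifier per line: name, then a hex value written as %Xnnnnnnnn.
LINE = re.compile(r"^\s*([A-Z0-9_$]+)\s+%X([0-9A-F]{8})\b")

def parse_listing(text):
    """Return {identifier name: numeric value} for the lines that match."""
    ids = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ids[m.group(1)] = int(m.group(2), 16)
    return ids

def compare(source, target):
    """Classify what an ACE written on `source` becomes on `target`."""
    target_by_value = {v: n for n, v in target.items()}
    findings = []
    for name, value in sorted(source.items()):
        seen_as = target_by_value.get(value)
        if seen_as == name:
            continue              # same name, same value: ACE survives the move
        if seen_as is None:
            kind = "unresolved"   # ACE shows the raw value on the target
        else:
            kind = "renamed"      # ACE now names a different identifier
        findings.append((name, f"%X{value:08X}", kind, seen_as))
    return findings

if __name__ == "__main__":
    for row in compare(parse_listing(PROD_LISTING), parse_listing(QA_LISTING)):
        print(row)
```

The "renamed" rows deserve attention first, since an ACE carried across then grants access to whoever holds the other identifier on the target cluster.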

Unsurprisingly, this problem existed here. I've just done the analysis to sort it all out and have implemented a standardised protection scheme on the QA application and data directories. After a little soak to check for errors, we will roll this out to production.

Posted at March 15, 2012 1:00 PM