Custom AD group for UnSafePath #5
Comments
I'm not sure what you're trying to do. Does the KnownAdmins.ps1 customization option not address this?
OK, I think I understand now. You want to allow a specific user/group to be able to execute whitelisted files in an unsafe directory, but not allow any other non-admins to do so. Is that correct?
Unfortunately, DB admins very frequently made the Oracle installation directory writable to all users. You're right about what I'm trying to achieve: giving non-admin users access to Oracle (or other apps installed in non-standard paths). Giving custom execution permission inside those folders is complicated and I'm not sure it is commonly needed. Same for custom folders, but I'm trying to automate this instead of creating static files. Thanks :)
So, Oracle locks it down and then DB admins open it back up again? I think the admins of these systems need to decide whether security matters and how to implement it. Re the components with modify rights - I assume those are only data files. Are they in separate subdirectories? If so, open the permissions on those, not on the entire C:\Oracle directory. Does that work?
As far as I know, Oracle client installs in C:\Oracle\client. The client folder contains EXEs and DLLs.
OK. I downloaded Oracle client software for Windows x64 (18c / 18.3) from here:
Oracle DB Client does not need any rights other than Read and Execute for normal users. I have experience with Oracle DB Client 12.2.0 in an environment with 800 users and, in reality, circa 400-500 users.
So if Oracle's installer doesn't set the permissions correctly, you must do it as a post-installation step?
Right.
I don't know; typical use in a corporate environment is about making your own package. The installation path is historical, and maybe is for compatibility with old solutions (some starting from 1995 in Pascal and with BDE). I have experience with one company with circa 15+ applications using Oracle Client. Oracle client had a hybrid installation, partly in a CMD script with supporting binary files and partly in Java. The first phase is due to compatibility with other platforms (MacOS, *nix). But finally, setting of permissions is a task for the admin creating the deployment task/package. :)
No. No, it's not. This is a long-standing bug in Oracle's installer.
Yes, from the application point of view, yes. But the final configuration of anything in a SW deploy package is the responsibility of the package developer (of the target customer).
I've been playing around with AppLocker for a while now.
AaronLocker makes my life easy.
Normally, EXEs and DLLs in UnSafePath are restricted to a specific AD group. As the number of generated rules can be massive (for example, Oracle installed in C:\Oracle), and manually reviewing all related rules is very boring... an option to specify a custom AD group SID for them would be great.
Something like:
```powershell
@{
    label = "Oracle";
    paths = "C:\Oracle";
    customUserorGroupSid = "S-1-5-21-4163178468-2177354522-4168272174-26602"
}
```
The other option is using static rules, but it is painful to keep updated...
Thanks,
David
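
The thread above turns on whether non-admin users can write into C:\Oracle, since that is what makes the directory an unsafe path. The following is an added example, not part of the issue and not AaronLocker code: it lists the access-control entries that grant write-type access to non-admin principals so they can be corrected as a post-installation step. The function name `Get-NonAdminWriteAce` is hypothetical and the list of SIDs treated as administrative is an assumption.

```powershell
# Added example, not AaronLocker code: list ACEs that give non-admin principals
# write-type access anywhere in a directory tree.
function Get-NonAdminWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: SIDs treated as administrative; adjust for your environment.
        [string[]]$AdminSids = @(
            'S-1-5-18',      # NT AUTHORITY\SYSTEM
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-3-0',       # CREATOR OWNER
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
        )
    )
    # Specific rights that allow creating, replacing or re-permissioning files.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped
    # in inherit-only ACEs, so test for them separately.
    $genericMask = 0x50000000

    $root = Get-Item -LiteralPath $Path
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs rather than names so the comparison does not depend on name resolution.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherited ACEs are reported only at the root to keep the output short.
            if ($ace.IsInherited -and $dir.FullName -ne $root.FullName) { continue }
            $sid = $ace.IdentityReference.Value
            if ($AdminSids -contains $sid) { continue }
            $raw = [int]$ace.FileSystemRights
            if (($raw -band $writeMask) -or ($raw -band $genericMask)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# C:\Oracle is the path discussed in the thread; the call is skipped if it does not exist.
if (Test-Path -LiteralPath 'C:\Oracle') {
    Get-NonAdminWriteAce -Path 'C:\Oracle' | Format-Table -AutoSize
}
```

An empty result means no non-admin principal outside the assumed list has write-type access to any directory in the tree; file-level ACLs are not examined.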