How to script out database users and permissions in all user databases in the instance

Can anyone help please?

I would like to use Steve Kusen’s script at https://www.sqlservercentral.com/forums/topic/script-db-level-permissions/page/4/#post-1954202

to loop through all the user databases automatically, using Aaron Bertrand’s sp_ineachdb. Has anyone got this to work? Kindly advise on how to do it please.

Thank you

Plugin to manage user permissions that saves settings to file instead of database [closed]

I want to manage user roles and permissions/capabilities through a plugin. Most plugins save their settings to the database. Since we’re running multiple environments with separate databases, saving to the database is inconvenient. After every deploy we’d have to update the settings on the other environment.

What I’m looking for is a plugin which persists its settings to a file, much like ACF does with the acf-json folder. This way I don’t have to remember to update the settings after every deploy. Is there any plugin which does this?

I’m aware there are plugins with manual backup/restore functionality. While this does alleviate the problem, it’s not the solution I’m looking for.

How to structure MySQL database tables for users and how to handle adding/removing permissions?

I am making a database structure for users, who can become part of a group, and within that group the admin of the group can assign as many permissions to a user as they would like.
This part seems easy. I have 4 tables:

 USERS           GROUPS             PERMISSIONS      PERMISSIONS_GROUPS
-------  ---------------------    --------------    -------------------
| UID |  | GID | UID(creator) |   | PID | NAME |    | UID | GID | PID |

I think this is the best way to handle this. I have a few questions about how to handle permissions for the creator of the group, and how to handle permissions if I were to delete a permission or add a permission.
For instance, when a user makes a group. Do I query all of the permissions and in a while loop insert a PERMISSIONS_GROUPS record for every row in the permissions table? If I add a new permission, do I have to query every UID from the GROUPS table and run a while loop to insert the new permission into PERMISSIONS_GROUPS? I just want to make sure I am not missing something simple here. For structure/scripting I am using MySQL and PHP.

Unusual file permissions on WordPress websites

I’ve been asked by a customer of mine, to manage a few hundred WordPress sites.

Doing an initial security assessment, I’ve found that every site (350 sites) has unusual file permissions on every php file (755) that means executable bit on all groups (user, group and other)… Trying to investigate further, I’ve checked umask settings and it seems ok: 0002 (that means 775 for newly created directories and 664 for files) which is the default on Linux systems.

Asking my customer about these unusual permissions, he confirmed that he wasn’t aware of this issue…

What could be the security implications of such a setting? Can this be exploited somehow by a remote user?

Thanks for any help!

How to List All Permissions for SQL Server Fixed Database and Server Roles

I am trying to list all current permissions for db_owner and sysadmin for SQL Server 2012. I found these SPs:

EXEC sp_srvrolepermission 'securityadmin'
EXEC sp_dbfixedrolepermission 'db_owner'

However, these are deprecated and only accurate as of SQL Server 2000. Is there an equivalent mechanism to accomplish the same thing today?

Reading a file with other read permissions set

For this question assume a file with 604 perms in a directory with 700 permissions. Assume this file exists: /test/file

A non-root user can technically read that file but in practice to read it the process must be given the pathname to the file, and the kernel will check that the directory /test has the executable bit set. Because it is not set, the read will fail.

If one does a chmod o+x /test, then a non-root user can do a cat /test/file and read the file. Is there a way to read the file without setting the execute bit on the directory /test?
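
The directory-search check described in the question above, written out as an added example (not part of the original post): a shell function that inspects the mode bits of each path component for the "other" class. The names other_digit and other_can_read and the temporary layout are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: decide from mode bits alone whether a user in the "other"
# class can read a file. Nothing is opened, so root gets the same answer.
# Assumes GNU stat (-c %a); ACLs and capabilities are not modelled.

# Print the "other" permission digit (0-7) of a path.
other_digit() {
    mode=$(stat -c %a "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# other_can_read FILE [TOP]: check every directory from FILE's parent up to
# TOP (default /) for the search (x) bit, then FILE itself for the read bit.
other_can_read() {
    target=$1
    top=${2:-/}
    blocked=
    dir=$(dirname "$target")
    while :; do
        bits=$(other_digit "$dir") || return 2
        # Without x on a directory, names inside it cannot be resolved.
        if [ $((bits & 1)) -eq 0 ]; then blocked=$dir; fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    if [ -n "$blocked" ]; then
        echo "blocked: no other-search (x) bit on $blocked"
        return 1
    fi
    bits=$(other_digit "$target") || return 2
    if [ $((bits & 4)) -eq 0 ]; then
        echo "blocked: no other-read (r) bit on $target"
        return 1
    fi
    echo "readable"
}

# Constructed layout mirroring the question: test/ is 700, test/file is 604.
demo=$(mktemp -d)
chmod 755 "$demo"
mkdir "$demo/test"
echo data > "$demo/test/file"
chmod 604 "$demo/test/file"
chmod 700 "$demo/test"
other_can_read "$demo/test/file" "$demo" || true   # blocked at .../test
chmod o+x "$demo/test"
other_can_read "$demo/test/file" "$demo"           # readable
rm -rf "$demo"
```
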

Setting user permissions per post

I am trying to assign privileges on posts on a per post basis.

Essentially, I have a custom post type which has authors. They can edit their own posts.

I then have another role, which should be able to edit a subset of those posts based on a custom field or taxonomy.

I can filter out the posts that appear in the backend using pre_get_posts, and applying a query based on the custom field. However I need to limit specifically edit privileges for each post.

Does anyone know if it’s possible to apply an “editable” filter per post rather than a blanket privilege based on the role?

Thanks!

Applying “principle of least privilege” when it comes to execs and owners of the company – should they automatically get all permissions if requested?

As an administrator of certain systems in a company I understand and adhere to the “principle of least privilege” — which I’m assuming I don’t need to repeat its definition here, so let’s just say people here get given access to systems only in accordance with what they need for their role and no more. I follow that principle and check carefully whether they can have read-only access in order to carry out the role and if so I give read access only, etc.

I had a request from an executive-level (C-suite) person (“Jack”, let’s say) who is actually one of the five co-owners of the company, to get blanket “sysadmin” level access to a particular system. (I am confident the request has come from Jack himself and isn’t a hacking or phishing attempt, as I verified it with Jack directly.)

Jack is far too important and involved with strategic stuff to need to carry out any day-to-day work with this system, especially anything that would need sysadmin level access, but occasionally wants to get involved in “poking around” in there, as he is technical by background.

I get the sense that he doesn’t like the idea that he is “walled off” from some system although he owns part of the company.

I’m not asking about the interpersonal aspects about this, just the info-sec ones.

Is it accepted info-sec practice to give an owner of the company “sysadmin” access and by doing so bypass the “principle of least privilege”? — since, after all, Jack (partly) owns the company so it’s all his stuff anyway!

Or should that still apply, and even the CEO shouldn’t have write-access to a system when they don’t need it as part of their job function?

Aspect Permissions and combat

This question and this other question have excellent answers describing the concept of “aspect permissions”. To summarize my understanding of the answers, they explain that aspects shift the boundaries of what’s trivial and what’s impossible for a character, moving actions in and out of what you should roll for. So if the Strongest Man in the World wants to kick down a door they probably don’t need to roll for that, but a character without that aspect probably would. The Strongest Man in the World can lift a heavy gate with a roll, but a character without that aspect couldn’t do it at all. And the aspect doesn’t have to be on a character; asking directions from an NPC probably doesn’t require a roll; asking directions from an NPC that’s part of an Angry Mob at least requires a roll and might be impossible.

So far so good. My question is how this interacts with combat, where rolls are opposed, particularly in games where aspects might significantly influence approach to combat.

Say you have a superhero game, and we have two characters:

  • Alice, who is Precognitive, and has Fight at +2. Game discussion has established that Alice uses her precognition to be a frighteningly effective fighter, but without it she’s only a Fair fighter.
  • Bob, who is Clairvoyant, and has Fight at +2. Game discussion has established that Bob uses his clairvoyance to help the team’s situational awareness, etc., and it doesn’t have a direct combat use.

When Alice and Bob are in combat, without invoking aspects, they’re equally effective at Fighting. But that seems a bit odd; Alice’s aspect should have very strong applicability to combat, but Bob’s doesn’t. That does mean that Alice can probably invoke her Precognitive aspect in combat more often, but now she has to pay a limited resource to make use of something that’s narratively always there, and if Bob can find things to invoke he’s still just as effective. This feels a little odd.

Is this how this is meant to work? Should Alice have assigned skills so that she has a higher Fight to represent her precognition’s assistance? (but then how would you mechanically handle a Power Nullifier?). If aspects with this significant an effect on combat are going to be involved should some kind of extra system be built up around them, like a Powers skill that can be used for anything you use your power to do?

Is it possible to use WeChat (Weixin) more safely in recent versions of Android by using permissions?

I assume that anything written or read on WeChat is read by the government of the People’s Republic of China. I understand the risks of that.

However, I would like to understand the implications of using WeChat for other data on my device. With earlier versions of Android, you had to grant all an app’s permission requests in order to use it, and WeChat demanded every possible permission. More recent versions of the OS allow users to grant or deny permissions in groups. Is there a combination of permissions which would allow WeChat to function as a chat/messenger app, but prevent it from reading other data on my device?