SUPER v2.0 (Dec 93)
Title : SUPER.EXE: switch SUPERVISOR equivalence on/off
Keywords: SUPERVISOR EQUIVALENCE RIGHTS SECURITY UTILITY
SUPER.EXE allows to switch SV equivalence on/off when needed. Do
your daily work as normal user, and be SV only when needed. Includes
DOS and Windows version. No security gap, since you have to be SV
equivalence to initialize SUPER for you.
Uploaded by author: Wolfgang Schreiber
Program history / New Features
v1.0 Aug 92: - Allow to run SUPER against another user's account.
Sep 92: - Allow to run BATCH files and internal DOS commands
- Output redirectable with DOS pipes
v2.0 Dec 93: - Adapt to NetWare v3.12 (and a little to v4.0x)
SUPER.EXE (DOS version)
Syntax: SUPER [option] [User=<name>]
If no user name is added SUPER will affect the current user
Available options:
? Display this help screen
<none> Display current security status
- Remove supervisor equivalence, enable SUPER
+ Make user equivalent to supervisor
# Remove supervisor equivalence and disable SUPER
* Grant supervisor equivalence and disable SUPER
<cmd> Execute any command as supervisor (NW 386 only)
Examples: SUPER - Remove SV equivalence and make it switchable.
SUPER + Add SV equivalence and leave it switchable.
SUPER + User=Admin Make user ADMIN SV equivalence; make switchable.
SUPER SYSCON Execute SYSCON as supervisor.
SUPER.EXE (Windows version)
The Windows versions displays the SUPER status of up to 8 servers at
a single glance.
Advantage: * Nice icon
* Up to 8 servers at one glance
* Point and Click
Limitations: * Not applicable to other users
* No commands executable with temp SV rights.
Background:
SUPER allows a user who in Supervisor equivalent to do the
daily work as normal user, while Supervisor equivalence is
available when needed. This reduces the risk of accidental
damage to files caused by carelessness, unattended
workstations, or viruses.
"SUPER -" will modify the security byte of your bindery
property SECURITY_EQUALS to 0x22 (read/write object). This
allows the user to change his/her own security equivalences.
Then the Supervisor equivalence is removed.
Since the user may change the equivalences now, he/she can
later add Supervisor equivalence with "SUPER +" when needed.
"SUPER <command>" will first add Supervisor equivalence,
then execute the command, and finally remove Supervisor
equivalence.
NetWare v3.12 considerations:
This NetWare version does not allow to set the bindery
property SECURITY_EQUALS to 0x22. On NetWare v3.12 SUPER
will make the user manager of self and SUPERVISOR. Again,
this is mot a security breach, since s/he was SUPERVISOR
equivalence anyway.
NetWare v4.x considerations:
SUPER affects only objects in the current bindery context.
The 'Switchable' flag cannot be set, however.
SUPER will try to make you equivalent to SUPERVISOR and (if
available in the bindery context) to ADMIN.
Hints, Internals, Security and Warnings:
SECURITY.EXE brings a warning:
'Has incorrect access security on the SECURITY_EQUALS property'.
BINDFIX warns:
'Warning: Object <name> property SECURITY_EQUALS has incorrect
security flags.'
Basically, for each user there is a standard property in the bindery
associated with the user called SECURITY_EQUALS, which contains a
list of users and groups to which that user has security equivalence.
When a user is created, the rights to this property are Supervisor
Write (meaning that only a supervisor equivalent can grant or change
equivalences) and User Read (meaning that a user can read their own
equivalences). The supervisor also has the ability to change the
rights mask to this property.
This is what SUPER.EXE does ... it changes the rights mask for a
user (can only be done by somebody with supervisor equivalence) so
that the user then can add their own security equivalences.
"SUPER -" will modify the security byte of your bindery property
SECURITY_EQUALS to 0x22 (read/write object). This allows the user
to change his/her own security equivalences.
SUPER allows a user who is Supervisor equivalent to do the daily
work as normal user, while Supervisor equivalence is available when
needed. This reduces the risk of accidental damage to files caused
by carelessness, unattended workstations, or viruses.
SOLUTION
The warnings are expected and desired in combination with SUPER
since a supervisor should be informed about the existence of other
supervisors - even the 'hidden ones' with a non-standard security
access flags.
If the users that were highlighted in SECURITY or BINDFIX did NOT
use SUPER there might be a severe security gap, because these users
have received their rights from ther sources. You can use SUPER
(DOS) to correct this, however.
SUPER has parameters that allow resetting the bindery flag to it's
original state - obviously this will prevent these users from
receiving SV equivalence with SUPER.
This program was written by Wolfgang Schreiber in Borland's Turbo Pascal.
�
