How to properly set privileges in page directory entries? - memory

First of all: this question is about the IA-32 (x86) architecture.
I have a question about legacy (non-PSE, non-PAE) paging. In legacy paging, we have a page directory with 1024 entries, each one pointing to a page table. Each page table contains 1024 entries (these are the pages), each one pointing to a 4096-byte aligned physical address.
Meanwhile, every single page directory entry and page table entry holds some flags, and both of them have a 'U' flag (bit #2): if this flag is set, then the page may be accessed by both user (ring3) and supervisor (ring0); if this flag is not set, however, only the supervisor (ring0) can access it. This flag is often called the "User/Supervisor bit".
The question: What should I do if I want to have both ring0 and ring3 pages in the same page table? I can set up the entries in the page table with the appropriate privileges, but what privilege should the corresponding page directory entry specify?
For example: I set up the first page table (virtual address range: 0x00000000 - 0x003FFFFF) to map physical address range 0x00000000 - 0x003FFFFF (this covers 4 megabytes). The first megabyte (0x00000000 - 0x000FFFFF) should be only accessible by the supervisor (ring0), therefore, the "User/Supervisor bit" is cleared. The following three megabytes (0x00100000 - 0x003FFFFF) should be accessible by both user (ring3) and supervisor (ring0), therefore, the "User/Supervisor bit" is set.
This page table is pointed to by the first page directory entry. But should the "User/Supervisor bit" for that page directory entry be cleared (only supervisor) or set (both user and supervisor)? What is the difference?

The CPU will use the most restrictive privilege in either the Page Directory Entry (PDE) or the Page Table Entries (PTE). If a PDE has Supervisor privilege then all the page tables below it will have Supervisor privilege no matter what individual PTEs use. If a PDE has User privilege level then the protection level of the PTE determines the final privilege level.
This behaviour is defined in the Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 3A.
4.11.4 Combining Protection of Both Levels of Page Tables
For any one page, the protection attributes of its page-directory entry (first-level page table) may differ from those of its page-table entry (second-level page table). The processor checks the protection for a page in both its page-directory and the page-table entries. Table 4-3 shows the protection provided by the possible combinations of protection attributes when the WP flag is clear.
Table 4-3 appears as:
Answer to the question: If you want to have a mix of pages with User and Supervisor privilege under a particular PDE then set the PDE to User privilege and the PTEs accordingly (User or Supervisor).
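The rule from the answer above, modelled in C as an added example (not part of the original post or of the Intel manual). It rebuilds the question's layout, with the first MiB supervisor-only and the next three MiB user-accessible, and checks ring 3 access for both settings of the PDE's U/S bit; `build_example` and `user_can_access` are hypothetical names, and only the flag bits of the PDE are modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define PG_PRESENT 0x1u   /* bit 0: P */
#define PG_RW      0x2u   /* bit 1: R/W */
#define PG_USER    0x4u   /* bit 2: U/S, set = user and supervisor */

static uint32_t page_dir[1024];      /* only entry 0 is populated here */
static uint32_t first_table[1024];   /* maps 0x00000000 - 0x003FFFFF */

/* Identity-map the first 4 MiB as in the question: first MiB supervisor-only,
   next three MiB user-accessible. pde_flags are the flags given to PDE 0. */
void build_example(uint32_t pde_flags)
{
    for (uint32_t i = 0; i < 1024; i++) {
        uint32_t flags = PG_PRESENT | PG_RW;
        if (i >= 256)                    /* 256 pages * 4 KiB = 1 MiB */
            flags |= PG_USER;
        first_table[i] = (i << 12) | flags;
    }
    /* Model only: a real PDE also holds the page table's physical
       address in bits 31..12; just the flag bits are kept here. */
    page_dir[0] = pde_flags;
}

/* 1 if ring 3 may access vaddr, else 0. User access needs U/S set in
   BOTH the PDE and the PTE, so the more restrictive entry wins. */
int user_can_access(uint32_t vaddr)
{
    uint32_t pde = page_dir[vaddr >> 22];
    if (!(pde & PG_PRESENT))
        return 0;                        /* unmapped 4 MiB region */
    uint32_t pte = first_table[(vaddr >> 12) & 0x3FF];
    if (!(pte & PG_PRESENT))
        return 0;
    return (pde & PG_USER) && (pte & PG_USER);
}

int main(void)
{
    build_example(PG_PRESENT | PG_RW | PG_USER);   /* PDE = User */
    printf("PDE user: 0x000FF000 -> %d, 0x00100000 -> %d\n",
           user_can_access(0x000FF000), user_can_access(0x00100000));
    build_example(PG_PRESENT | PG_RW);             /* PDE = Supervisor */
    printf("PDE supervisor: 0x00100000 -> %d\n", user_can_access(0x00100000));
    return 0;
}
```

With the PDE set to User, the per-page PTE bits decide; with the PDE set to Supervisor, the three user MiB become unreachable from ring 3 even though their PTEs have U/S set.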

MS Access Form Text Boxes Freeze

I have a weird situation with my MS Access 2016 split database.
The back-end is an Azure SQL server DB, the front-end are distributed accde files.
I have a form bound to a linked table with several sub-forms in it.
The form is used to edit single records of the main table.
With some records all works fine ("good") but with some other records ("bad") the text boxes freeze, not allowing any edits.
No error messages, they just seem to be locked but the locked property of the text boxes control is set to false. (I've checked this in runtime)
What I've tried so far:
I can edit all records directly in the linked table
The properties of the form and controls in both "good" records and "bad" records are the same
I can change the values of check and combo boxes and update the "bad" records
The BIT column has a default value of 0 and nulls are not allowed (no NULLS in the table for this field)
I'm running out of ideas. Any help will be much appreciated.
I've figured it out, so I'll leave the solution in case someone hits the same issue.
I have a subform with a browser control. All I had to do was to add the following line at the end of the main form loading sequence:
Me.SF_WEB_BROWSER.SetFocus

Limiting the UI language drop-down in the Kentico Pages application

I'm building a multilingual site in Kentico where I want a user to have limited access to the languages that they can create in the Pages application. I can specify which languages the user can edit using the Languages tab in the user properties as shown in the User management page in the Kentico documentation.
The result of this is that if my user tries to view a language that they have not been assigned to and that has no page created yet, they receive a permission error/warning:
You are not allowed to create this culture version.
What I want to do is limit the drop-down list in the Pages application so that I can only select languages that I have permission to change. I can't find any settings that might limit the drop-down to assigned languages only.
Ideally, the user should only be able to see pages that they can edit in the Pages application for my use case as there are in excess of 30 languages.
How can you limit the UI language drop-down to show only languages that the user is allowed to see?
The language drop-down in the Pages application is ultimately provided by the LanguageMenu control (which you can find in CMSModules\Content\Controls\LanguageMenu.ascx). You need to make a copy of this and modify the Page_Load method in order to limit the languages based upon the set cultures (if any).
A very quick example is to add the following code before the loop that builds the list items:
// IDs of the cultures explicitly assigned to the current user (Languages tab).
var userCultureIDs = new List<Int32>();
// Stays false when no cultures are assigned, so the default list is kept.
var userCulturesSet = false;
if (CurrentUser.Bindings.CollectionNames.Contains("UserCultures") && CurrentUser.Bindings["UserCultures"].Count > 0)
{
    foreach (var userCulture in CurrentUser.Bindings["UserCultures"])
    {
        userCultureIDs.Add((Int32)userCulture["CultureID"]);
        userCulturesSet = true;
    }
}
and then inside that loop, make the first line:
if (userCulturesSet && !userCultureIDs.Contains(culture.CultureID) && !CurrentUser.CheckPrivilegeLevel(UserPrivilegeLevelEnum.GlobalAdmin)) continue;
This ensures that if you're Global Admin, you get everything and that - if no languages are set - you get the default list.
As is usual with best practice, you're better off making duplicates of these controls before you modify them to make sure that you don't cause any unintended side-effects. Keeping that in mind, be aware of the control chain:
CMSModules\Content\CMSDesk\Default.aspx
CMSModules\Content\Controls\ContentNavigation.aspx
CMSModules\Content\Controls\TreeLanguageMenu.ascx
CMSModules\Content\Controls\LanguageMenu.ascx

Accessing nested LDAP roles in Oracle Internet Directory (OID) within Grails and SpringSecurity

In our LDAP directory, we have users, who are mapped to groups. Those groups may be mapped to other groups. For example:
cn=group1,cn=groups,dc=example,dc=com
uniquemember cn=user1,cn=user,dc=example,dc=com
cn=group2,cn=groups,dc=example,dc=com
uniquemember cn=user2,cn=user,dc=example,dc=com
uniquemember cn=group1,cn=user,dc=example,dc=com
So User1 belongs to Group1, but User2 belongs to Group2, which in turn belongs to Group1.
Within Grails, User1 has authority to Group1, but User2 only has authority to Group2. From what I've seen, there is no way to cause it to recursively look at the tree. Realistically, I probably only need a 2 level hierarchy, but even that doesn't seem to work.
I'm attempting to work through the Custom UserDetailsContextManager to see if I can iterate over the initial results and re-query LDAP by group, but I thought I'd see if there was an easier/better way.
You probably already saw this, but this is from the documentation:
// If you don't want to support group membership recursion (groups in groups), then use the following setting
// grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = 'member={0}' // Active Directory specific
// If you wish to support groups with group as members (recursive groups), use the following
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = '(member:1.2.840.113556.1.4.1941:={0})' // Active Directory specific
http://grails-plugins.github.com/grails-spring-security-ldap/docs/manual/guide/2.%20Usage.html
Oracle OID has a product-specific extension for traversing the hierarchy, known as CONNECT_BY, which has LDAP OID 2.16.840.1.113894.1.8.3. You can add this as a request control to ask the server to connect/follow hierarchies according to an attribute you specify. This can be done using either a Java LDAP client program or something like OpenLDAP ldapsearch, although the set-up is a little tricky.
If you want to use Java to follow the hierarchy, this page contains a sample program which shows how to set up the required javax.naming.ldap.Control implementation class, in this case named ConnectByControl.
You can also perform this sort of hierarchical search using ldapsearch, but it requires some preparation and implied understanding of the required control value, as the value is concatenated then base64-encoded. The value is in two parts - the follow-me depth (0=unlimited), followed by the connect-by attribute name (in this case, uniquemember is the desired name). Set the baseDN in your query to the entry where you want to start the hierarchical search.
ldapsearch -H ldap://myoidserver.mycompany.com:389 -e 2.16.840.1.113894.1.8.3=MBECAQAEDHVuaXF1ZW1lbWJlcg== -b cn=some_group_containing_groups_nested_by_uniquemember,cn=some_groups,dc=mycompany,dc=com "(objectClass=*)" dn uniquemember
The -e 2.16.840.1.113894.1.8.3= adds the CONNECT_BY request control. The value, MBECAQAEDHVuaXF1ZW1lbWJlcg==, is the ASN.1 BER-encoded, then base64-encoded, value 0uniquemember, for the depth and attribute-name mentioned above. This will print first the dn for cn=some_group_containing_groups_nested_by_uniquemember,... and its direct (user) uniquemembers, then each uniquemember will be "connected" or followed. If that entry itself has a set of uniquemember, i.e. it is a nested group, the process will continue until leaf/user entries are reached that have no nested uniquemembers.
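How the control value in the answer above is put together, as an added example that is not part of the original answer or of any Oracle tooling: the bytes are a BER SEQUENCE holding an INTEGER (depth) and an OCTET STRING (attribute name), then base64. `connect_by_value` and `b64_encode` are hypothetical helper names, and treating depths other than 0 as the same one-byte INTEGER field is an assumption drawn from the answer's description.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode n bytes from in into out (NUL-terminated). */
static void b64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Build base64(BER SEQUENCE { INTEGER depth, OCTET STRING attr }).
   Short-form lengths only: depth 0..127, attr 1..100 bytes.
   out needs at least 145 bytes. Returns 0 on success, -1 on bad input. */
int connect_by_value(int depth, const char *attr, char *out)
{
    unsigned char ber[7 + 100];
    size_t alen = strlen(attr);
    if (depth < 0 || depth > 127 || alen == 0 || alen > 100)
        return -1;
    ber[0] = 0x30;                            /* SEQUENCE */
    ber[1] = (unsigned char)(3 + 2 + alen);   /* length of the two fields */
    ber[2] = 0x02; ber[3] = 0x01;             /* INTEGER, one byte */
    ber[4] = (unsigned char)depth;
    ber[5] = 0x04;                            /* OCTET STRING */
    ber[6] = (unsigned char)alen;
    memcpy(ber + 7, attr, alen);
    b64_encode(ber, 7 + alen, out);
    return 0;
}

int main(void)
{
    char value[148];
    if (connect_by_value(0, "uniquemember", value) == 0)
        printf("-e 2.16.840.1.113894.1.8.3=%s\n", value);
    return 0;
}
```

For depth 0 and uniquemember this reproduces the value used in the ldapsearch command above, which is a quick check that a hand-built value for another attribute is well-formed before sending it to the server.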

How to handle front-end content in order to display menu items based on the current user?

I am using Ruby on Rails 3.2.2 and I would like to "handle" / "generate" the proper front-end content so to follow a "common" way of managing menu items mostly based on the current user "equality". That is, I would like to display different menu items based on
the current browsed page;
the current user that is accessing that page (the page could be related to a user that is not the current user).
Where (for example, in controller, view or model files) and how (for example, stating checks related to the current user in controller, view or model files) should I "state" / "put" those "conditional statements"?
At this time I think (mostly for matters relating to the current browsed page) I could handle this matter directly in controllers by using helper methods...
I tend to put this into the View files with simple or static cases coded into the View file and more complex cases which would require more than just one line of coding into the helpers.
But in order not to bloat the view file, I suggest to use partials to offload blocks of code from the view file.
One of the reasons why I use the views is that I will do certain user based formatting anyways, e.g. if I list all the orders, then the normal user will see certain columns displayed, whereas if the admin logs in, he will see a couple of additional columns. This is typically done with something like
<% if @current_user_type == 'admin' %><td> ...... </td><% end %>
Thus before I now start splitting up some of the user based logic into the controller and others into the views, I'd rather have them always at the same place.

Expression Engine Channels, Categories and Entries - All with different custom fields

I have a site with these sections in the top nav:
About Us
News
Staff
Become a Member
Within each top nav item, is X amount of sub sections. eg:
About Us
    Who We Are
    Industry Stats
    Annual Report
Then, within each one of those has X amount of sub pages:
About Us
    Who We Are
        Overview
        Our History
        Our Objectives
The root level top nav items (About Us) will always require the same custom fields.
The middle and bottom level pages will generally have the same content, but will be much different to that of the root level, and so require a different set of custom fields.
I have set the structure up so that the root items are the channels, the middle are categories, and the lower levels are just 'entries'.
My problem now is that using a 'channel field group' on the root channel obviously filters through all categories and entries associated. So when I go to edit or publish a category landing or entry page - I am stuck by being shown the custom field group for the root landing page.
I would like it so that the end user (my client) doesn't have to see a lot of custom fields when they edit or publish a page that isn't at root channel level.
How do I set this site up, so that I can pick and choose different field groups on different pages that are within the same channel?
While you can use custom Publish Page Layouts per channel and per member group, as far as I'm aware you can't present 'pages' or entries with varying Publish Layouts.
If you're using different templates for levels in your navigation, Blueprints may be what you're looking for.
Blueprints lets you take control of your Publish Layouts [...] It is designed let you create Publish Layouts based on templates.
The taxonomy in the way you've architected your navigation and 'pages' is interesting, but not one as a client I would like to maintain or understand. For example, something as simple as adding a new top-level section or page of the site should be easy, but with your methodology would require setting up an entirely new channel!
Some ExpressionEngine add-ons that may be better suited for your site and still allow you to achieve the customization you desire would be Structure, NavEE or Taxonomy — of course there's always the native Pages Module as well.
