
Converting NetWare Attributes to NFS

When you convert NetWare directories and files to NFS, NetWare file attributes and UNIX permissions interact and specific NetWare attributes affect UNIX permission settings. You can control this interaction by setting the Access Control mode.


NetWare Attributes Control

NetWare confines a user's access to directories and files with equivalent rights derived from trustee rights and the Inherited Rights Mask. To further protect certain directories and files, NetWare uses attributes such as Delete Inhibit. These attributes determine what you can do to a file or directory. These attributes take precedence over NetWare user rights, even the inherent rights of an administrator.

NFS permissions map satisfactorily to trustee rights. Attributes, however, do not correspond directly to NFS permissions. It is not certain whether the setting of an NFS permission will change a NetWare attribute. Also, a security-safe conversion of some attributes can be too restrictive on the NFS file. For example, some attributes imply that users cannot remove the file. Implementing this on the NFS side requires revoking the write permission at the directory level.

Because of these mapping ambiguities, Novell Native File Access for UNIX gives you a choice, allowing you to trade security for flexibility. For a given file system, you can determine whether the assignment of NFS permissions should affect a NetWare file attribute and whether in some situations NFS can override protections implied by attributes. You make the choice by setting the access control mode.

When you select NetWare Mode or NetWare-NFS Mode, setting permissions from NFS does not affect the settings of the NetWare attributes. However, the NetWare Read-only attribute affects the permissions presented to the NFS user by revoking write permission from a file. These modes enforce the complete protection implied by NetWare attributes.

When you select the NFS-NetWare Mode, the attributes of a file do not result in changes to directory ownership or directory permission. In some cases, changes to permissions from NFS result in changes to the attributes of a file. NFS-NetWare Mode is the easiest method for sharing files between NetWare clients with the least effect on security.

The following sections describe how specific NetWare attributes are converted, depending upon the setting of the access mode, first for files and then for directories.


Converting File Attributes

The NetWare NFS Server maps file attributes according to the access mode as follows.

When you select NetWare Mode or NetWare-NFS Mode, the NetWare NFS Server converts NetWare file attributes.


Table 10. NetWare and NetWare-NFS Mode File Attribute Conversion

NetWare Attribute: Delete Inhibit
NFS Conversion: The permissions and owner of the file and the parent directory remain unaffected. If a UNIX user tries to delete this file, the operation fails, indicating that permission is denied.
Notes: If the file system allows root access, the Superuser on the client system can delete any file or directory in the parent directory except the ones with the Delete Inhibit attribute.

NetWare Attribute: Read-only
NFS Conversion: The file's permission changes to r--r--r--. The owner remains unaffected. Write operations fail, indicating that permission is denied.

NetWare Attribute: Rename Inhibit
NFS Conversion: Functions the same as Delete Inhibit.

NetWare Attribute: Transactional
NFS Conversion: The chmod operation fails.

When you select NFS-NetWare Mode (default mode), the NetWare NFS Server converts the NetWare file attributes.


Table 11. NFS-NetWare Mode File Attribute Conversion

NetWare Attribute: Delete Inhibit
NFS Conversion: Makes no change to permissions. UNIX user can delete the file.

NetWare Attribute: Read-only
NFS Conversion: Makes the file unwritable. Resetting the write permission on the file with the chmod command removes the Read-only attribute.
When the NFS permission is set to read only for Owner, Group, and Others, the Read-only attribute is set on the NetWare file. This setting results in the file being seen as read-only from DOS and locked from a Macintosh client.

NetWare Attribute: Rename Inhibit
NFS Conversion: Functions the same as Delete Inhibit.

When you select the NFS Mode, NFS permissions do not affect NetWare attributes and NetWare attributes do not affect NFS permissions.
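The file rules from Tables 10 and 11 and the NFS Mode statement above, modeled as an added Python example (not Novell code; all function and attribute names are hypothetical). It assumes only attributes are considered, ignores ordinary UNIX permission checks, treats "unwritable" as cleared write bits, and treats "read only for Owner, Group, and Others" as mode 0444.

```python
# Added model of Tables 10 and 11 plus the NFS Mode rule for files.
# Function and attribute names are hypothetical, not Novell identifiers.
ENFORCING = {"NetWare", "NetWare-NFS"}   # modes where attributes always win
MODES = ENFORCING | {"NFS-NetWare", "NFS"}
WRITE_BITS = 0o222


def _check(access_mode):
    if access_mode not in MODES:
        raise ValueError(f"unknown access control mode: {access_mode}")


def presented_mode(access_mode, attrs, stored_mode):
    """Permission bits an NFS client sees for a file."""
    _check(access_mode)
    if access_mode == "NFS" or "read_only" not in attrs:
        return stored_mode
    if access_mode in ENFORCING:
        return 0o444                      # Table 10: r--r--r--
    return stored_mode & ~WRITE_BITS      # Table 11: unwritable (assumed: write bits cleared)


def may_remove_or_rename(access_mode, attrs, op):
    """op is 'delete' or 'rename'; Rename Inhibit behaves like Delete Inhibit."""
    _check(access_mode)
    guard = {"delete": "delete_inhibit", "rename": "rename_inhibit"}[op]
    return not (access_mode in ENFORCING and guard in attrs)


def chmod(access_mode, attrs, new_mode):
    """Return the NetWare attribute set after an NFS client runs chmod."""
    _check(access_mode)
    attrs = set(attrs)
    if access_mode in ENFORCING:
        if "transactional" in attrs:
            raise PermissionError("chmod fails on a Transactional file")
        return attrs                      # NFS permissions never touch attributes
    if access_mode == "NFS-NetWare":
        if new_mode & WRITE_BITS:
            attrs.discard("read_only")    # restoring write clears Read-only
        elif new_mode & 0o777 == 0o444:
            attrs.add("read_only")        # read-only for owner, group, others
    return attrs                          # NFS Mode: no interaction


def writable_after_chmod(access_mode, attrs, new_mode=0o644):
    """True if an NFS client can make a Read-only file writable again."""
    after = chmod(access_mode, attrs, new_mode)
    return bool(presented_mode(access_mode, after, new_mode) & WRITE_BITS)
```

Running `writable_after_chmod` and `may_remove_or_rename` across the four modes shows which NetWare protections an NFS client can undo in each mode, which is the trade-off to weigh before choosing the access control mode for an exported volume.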


Converting Directory Attributes

When you select NetWare Mode or NetWare-NFS Mode, the NetWare NFS Server converts the NetWare directory attributes.


Table 12. NetWare and NetWare-NFS Mode Directory Attribute Conversion

NetWare Attribute: Delete Inhibit
NFS Conversion: Changes the UID of the parent directory's owner to 0 when viewed from NFS.
Revokes write permission for the parent directory for User, Group, and Other. This is similar to Delete Inhibit for files.

When you select NFS-NetWare Mode, the NetWare NFS Server converts the NetWare directory attributes.


Table 13. NFS-NetWare Mode Directory Attribute Conversion

NetWare Attribute: Delete Inhibit
NFS Conversion: Makes no change to permissions. Resetting the write permission of the parent directory with the chmod command removes the Delete Inhibit attribute from all files within the parent directory.

When you select NFS Mode, NFS permissions do not affect NetWare attributes.


Other Characteristic Translation

Other NetWare file characteristics translate to NFS as follows.

NetWare Attribute: Owner ID
NFS Conversion: The NetWare login name changes to the NFS UID according to the setting in the user list.
An exception occurs whenever the dos_attributes parameter is set to nomodify and the NetWare file attributes Read-only and Delete Inhibit are associated with the file or directory. Specifically, the owner of a file or directory translates to 0 when the following associations exist:

  • The file has the Read-only attribute.
  • A file below the owner's directory has the Delete Inhibit attribute.
  • The file's owner does not have the Access Control right.

NetWare Attribute: File Size
NFS Conversion: The file size is maintained in bytes.

NetWare Attribute: Create Date and Time
NFS Conversion: The date and time are maintained as in DOS. NFS specifies time in number of seconds since January 1, 1970. NetWare converts Create Date and Time to NFS format for the NFS ctime attribute.

NetWare Attribute: Last Update Date and Time
NFS Conversion: Last update date and time are converted to NFS format for the NFS mtime attribute (similar to Create Date and Time).

NetWare Attribute: Last Access Date
NFS Conversion: Last Access Date is converted to NFS format and uses 12:00 a.m. as the approximate last access time.
NetWare keeps track of the date of last access only. The NFS atime attribute requires date as well as time.


