When a user accesses a file on a mounted file system, the request can pass through a NetWare security check, an NFS security check, or both, depending on the access mode selected. Each of these security checks functions independently. If the access mode specifies security checks on both sides, the Gateway first checks the user's NetWare access rights. Then, if the Gateway accepts the user's request, the request passes to the remote NFS server, and NFS does its check. This arrangement lets the administrator on the NetWare side impose greater restrictions on access control than those set on NFS.
When the Gateway translates NetWare rights to NFS permissions or permissions to rights, as dictated by the access mode, the conversion is nearly equivalent, but a direct one-to-one match is not possible. NetWare file security is more complex and powerful than NFS file security. The method of translating permissions to rights will, if necessary, adjust toward greater restriction rather than lesser in order to preserve the degree of NFS restrictions.
For example, suppose a NetWare administrator grants a Gateway user more rights than the user is permitted on the NFS file. In this case, the permissions on the NFS side do not change to allow more access. Even if the Gateway passes the user's request on to the NFS Server, the NFS Server would still deny access to the file.
The following tables show how NetWare rights and UNIX permissions translate.
IMPORTANT: Where more than one right or permission is shown for a given condition in the following tables, those rights or permissions work in combination. For example, it is the combination of the NetWare rights of Create, Erase, and Write on a directory that translates to the write permission on the NFS side.
Table 14 shows how NetWare rights translate to NFS permissions. These conversions happen when you add or delete trustees using NetWare utilities such as FILER.
Translation occurs only when specified by the access mode.
Table 14. How NetWare Rights Translate to NFS Permissions
| NetWare Rights | NFS Permissions |
|---|---|
| Directory | Directory |
| File Scan + Read | Read + Execute |
| Create + Erase + Write | Write |
| File | File |
| Read | Read |
| Write | Write |
Table 15 shows how NetWare attributes translate to NFS permissions. These conversions happen when you modify a directory entry using NetWare utilities such as FILER and FLAG.
Table 15. How NetWare Attributes Translate to NFS Permissions
| NetWare Attributes | NFS Permissions |
|---|---|
| File | File |
| Read-Only | Removes Write from owner, group, and world |
| Read/Write | Restores NFS mode that existed prior to NetWare change and adds Read and Write for owner |
Table 16 shows how NFS permissions translate to NetWare attributes.
These conversions happen when you create a directory or a file, or when you reference a directory or a file for the first time.
Table 16. How NFS Permissions Translate to NetWare Attributes
Table 17 shows how NFS permissions translate to NetWare rights.
Table 17. How NFS Permissions Translate to NetWare Rights
| NFS Permissions | NetWare Rights |
|---|---|
| Directory | Directory |
| read + execute | Read + File Scan |
| write | Create + Erase + Write + File Scan |
| File | File |
| read | Read + File Scan |
| write | Write + File Scan |
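The translations in Tables 14 and 17, together with the two-sided check described at the start of this section, modelled as set operations so the loss in a round trip is visible. This is an added example, not code from the product; the function names, the `r`/`w`/`x` letters for one permission triplet, and the rule that a partial combination translates to nothing are assumptions made here.

```python
# Added example: Tables 14 and 17 as lookup data. "r", "w", "x" stand for
# one NFS permission triplet (owner, group or world).

# Table 14: (NetWare rights that must all be held, NFS permissions produced)
NW_TO_NFS = {
    "directory": [({"File Scan", "Read"}, {"r", "x"}),
                  ({"Create", "Erase", "Write"}, {"w"})],
    "file": [({"Read"}, {"r"}), ({"Write"}, {"w"})],
}

# Table 17: (NFS permissions that must all be set, NetWare rights produced)
NFS_TO_NW = {
    "directory": [({"r", "x"}, {"Read", "File Scan"}),
                  ({"w"}, {"Create", "Erase", "Write", "File Scan"})],
    "file": [({"r"}, {"Read", "File Scan"}),
             ({"w"}, {"Write", "File Scan"})],
}

def translate(table, kind, held):
    """Union of the results of every row whose left-hand side is fully held.
    Assumption: a partial combination yields nothing (the restrictive reading)."""
    held = set(held)
    out = set()
    for required, produced in table[kind]:
        if required <= held:
            out |= produced
    return out

def rights_to_perms(kind, rights):
    return translate(NW_TO_NFS, kind, rights)

def perms_to_rights(kind, perms):
    return translate(NFS_TO_NW, kind, perms)

def lost_in_round_trip(kind, rights):
    """NetWare rights that do not survive rights -> permissions -> rights."""
    return set(rights) - perms_to_rights(kind, rights_to_perms(kind, rights))

def effective_perms(kind, nw_rights, nfs_perms):
    """Both checks enabled: access must pass the NetWare side and the NFS side."""
    return rights_to_perms(kind, nw_rights) & set(nfs_perms)

if __name__ == "__main__":
    print(rights_to_perms("directory", {"Create", "Write"}))      # no Erase
    print(lost_in_round_trip("directory", {"Read", "File Scan", "Create"}))
    print(effective_perms("file", {"Read", "Write"}, {"r"}))
```
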
When the NFS Server file sharing service maps NFS permissions to NetWare rights, the original NFS permissions are still retained on the NFS system. This approach is necessary for NFS file and directory access and to simplify reverse mapping. Original information about a user's permissions is retained on the NFS system in cases where the NFS permissions do not have equivalent NetWare rights, such as the execute permission on files.
The NFS Server translates NFS access permissions as follows:
You can enforce UNIX-style NFS permissions by creating corresponding NetWare trustee rights. In UNIX, every file and directory is assigned an explicit set of permission bits. In NetWare, explicitly setting NetWare trustee rights for each file is not necessary and generally is not done. Trustee rights propagate down the directory structure until they are reset by another trustee right. Consequently, you must choose between administering rights in a way that seems natural from NetWare and emulating UNIX access control.
Whether trustee rights are set through NFS is determined by the access mode. The default mode is NFS-NetWare Mode.
When the chosen access mode does not specify that trustee rights reflect the actions of NFS, permissions cannot be changed by the actions of NFS clients. For example, if the selected mode is the NetWare Mode and a UNIX user attempts to use the chmod command to change the permissions on a file, the command fails silently and no error is returned. However, applications continue to run, because the file sharing service does not return errors for the now ineffective operations on permissions.
Table 18. Translating NFS File Permissions to NetWare
Table 19. Translating NFS Directory Permissions to NetWare
In addition to direct translation of these listed permissions, the owner of a file is also assigned the NetWare Access Control right because this right is inherent to ownership of an NFS file. Conversely, denial of the Access Control right from the NetWare side revokes ownership as viewed from NFS.
When the UNIX Superuser uses the chown command to change the NFS ownership of a file, the equivalent NetWare user is granted Access Control to the file.
Trustee rights assigned to a particular user or group for a directory are propagated to all the files within that directory. The only exception is when a file has the same trustee assigned to it directly; in that case, the file's trustee rights override the inherited rights.