22.5 Controlling Access to the _admin Volume and Files.cmd (NetWare)

On your NetWare server, the _admin:\manage_nss\files.cmd file enables applications, such as NetStorage and other end-user browser-based tools, to communicate with the file server. The files.cmd file is a virtual file; it generates dynamic information that lets users see and modify their files through a browser.

Every user on the file server has access to the _admin:\manage_nss\files.cmd file and thus inherits the following default file system trustee rights: Read, Write, and Scan. These rights make the _admin: volume visible to end users. This behavior differs from NetWare 6.0 and earlier servers, where the files.cmd file is not visible to end users. Although end users can see the files.cmd file, they cannot delete it or modify its properties.

To restrict access to the _admin:\manage_nss\files.cmd file or the _admin volume, you must modify a configuration file called trustees.xml. For more information, see Section 22.5.1, Assigning Volume Rights with Trustees.xml (NetWare).

For information about creating software applications and scripts to manage NSS volumes and services on Linux and NetWare, see the NDK: Virtual File Services on the Novell Developer Kit Documentation Web site.

22.5.1 Assigning Volume Rights with Trustees.xml (NetWare)

Use the sys:\etc\trustees.xml file to assign file system trustee rights to the root of an NSS volume on NetWare. Trustees.xml is executed every time the server boots.

The sys:\etc\trustees.xml file is useful for assigning rights to non-persistent files or directories, such as the Admin volume or a CD that you have activated as an NSS volume.

Refer to the following table for information about sys:\etc\trustees.xml tags:

XML Tags

Explanation

<name>

Enter the full context and username of the user. You can enter the information in slash-separated format or Novell dot format.

NOTE: This tag cannot contain multiple usernames.

For example, if John Smith existed in the novell context in the aurora_tree, you would enter one of the following:

\aurora_tree\novell\jsmith 

or

jsmith.novell.aurora_tree

<filename>

Enter the name of the volume, directory, and file that you are assigning rights to.

For example, if you are assigning rights to the hosts file in the etc directory located on the sys: volume, you would enter the following:

<filename>sys:\etc\hosts</filename>

<rights>

The child elements to the Rights tag include the following tags for file system rights:

  • <accesscontrol/> for the Access Control right

  • <create/> for the Create right

  • <erase/> for the Erase right

  • <filescan/> for the File Scan right

  • <modify/> for the Modify Metadata right

  • <read/> for the Read right

  • <supervisor/> for the Supervisor right

  • <write/> for the Write right

The following is a sample of the trustees.xml code:

<specialTrustees>
   <addTrustee>
      <name>admin.novell.kona_tree</name>
      <fileName>sys:\etc\group</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
         <erase/>
      </rights>
   </addTrustee>

   <addTrustee>
      <name>xxxx.novell.kona_tree</name>
      <fileName>sys:\etc\group</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
      </rights>
   </addTrustee>

   <addTrustee>
      <name>fred.novell.kona_tree</name>
      <fileName>sys:\etc\group</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
      </rights>
   </addTrustee>
   <addTrustee>
      <name>[public]</name>
      <fileName>_admin:manage_nss\files.cmd</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
      </rights>
      <background/>
   </addTrustee>
   <addTrustee>
      <name>fred.novell.kona_tree</name>
      <fileName>sys:\etc\hosts</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
      </rights>
   </addTrustee>
</specialTrustees>

22.5.2 Restricting Access to Files.cmd (NetWare)

If you want to restrict access to the _admin:\manage_nss\files.cmd file, you must do so by modifying the <addTrustee> tag in the sys:\etc\trustees.xml file.

Look for the following entry in the trustees.xml file and modify [public] to reflect the user who needs restricted access to the _admin:\manage_nss\files.cmd file:

   <addTrustee>
      <name>[public]</name>
      <fileName>_admin:manage_nss\files.cmd</fileName>
      <rights>
         <read/>
         <write/>
         <filescan/>
      </rights>
      <background/>
   </addTrustee>

For example, if you want John Smith, a contract employee, to have only file scan rights to this file, you would enter the following:

   <addTrustee>
      <name>jsmith.novell.kona_tree</name>
      <fileName>_admin:manage_nss\files.cmd</fileName>
      <rights>
         <filescan/>
      </rights>
      <background/>
   </addTrustee>

For further explanation of the XML tags, see Section 22.5.1, Assigning Volume Rights with Trustees.xml (NetWare).
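
The following added example (not Novell code and not part of the original documentation) audits an offline copy of sys:\etc\trustees.xml: it flags the [public] trustee on the _admin volume, named trustees holding more than browse rights there, and rights tags that are not in the tag table. The function names, the finding codes, and the choice of which rights count as elevated are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Rights tags listed in the trustees.xml tag table (Section 22.5.1).
KNOWN_RIGHTS = {"accesscontrol", "create", "erase", "filescan",
                "modify", "read", "supervisor", "write"}
# Rights this audit treats as more than browse access (an assumption of the example).
ELEVATED = {"accesscontrol", "create", "erase", "modify", "supervisor", "write"}

def parse_trustees(xml_text):
    """Return one dict per <addTrustee>: name, file, rights (set of tag names)."""
    entries = []
    for node in ET.fromstring(xml_text).iter("addTrustee"):
        # The page spells the tag both <filename> and <fileName>; match case-insensitively.
        kids = {child.tag.lower(): child for child in node}
        text = lambda tag: (kids[tag].text or "").strip() if tag in kids else ""
        rights = {r.tag.lower() for r in kids.get("rights", ())}
        entries.append({"name": text("name"), "file": text("filename"), "rights": rights})
    return entries

def audit(xml_text):
    """Return (code, name, file, detail) tuples for entries that deserve review."""
    findings = []
    for e in parse_trustees(xml_text):
        name, target, rights = e["name"], e["file"], e["rights"]
        unknown = sorted(rights - KNOWN_RIGHTS)
        if unknown:
            findings.append(("UNKNOWN_RIGHT", name, target, ",".join(unknown)))
        if target.lower().startswith("_admin:"):
            elevated = sorted(rights & ELEVATED)
            if name.lower() == "[public]":
                findings.append(("PUBLIC_ON_ADMIN", name, target, ",".join(sorted(rights))))
            elif elevated:
                findings.append(("ELEVATED_ON_ADMIN", name, target, ",".join(elevated)))
    return findings

# Constructed sample, assembled from the entries shown on this page.
SAMPLE = r"""<specialTrustees>
  <addTrustee><name>[public]</name><fileName>_admin:manage_nss\files.cmd</fileName>
    <rights><read/><write/><filescan/></rights><background/></addTrustee>
  <addTrustee><name>jsmith.novell.kona_tree</name><fileName>_admin:manage_nss\files.cmd</fileName>
    <rights><filescan/></rights><background/></addTrustee>
  <addTrustee><name>fred.novell.kona_tree</name><fileName>sys:\etc\hosts</fileName>
    <rights><read/><write/><filescan/></rights></addTrustee>
</specialTrustees>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

On the sample, only the default [public] entry is reported; the jsmith entry restricted to File Scan passes, and entries on other volumes are outside what this check covers.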