35.4 Aligning NCP and POSIX File Access Rights

NetWare administrators have certain expectations regarding directory and file security. For example, they expect that home directories are private—that only the directory owners can see directory contents. However, because of the differences between the NetWare Core Protocol (NCP) and POSIX file security models (see Section 30.5, Comparing the Linux and the NetWare Core Protocol (NCP) File Security Models), that is not the case by default on POSIX file systems.

Use the information in this section to understand how you can configure POSIX directories to more closely align with the NCP model.

35.4.1 A Brief Explanation of Managing Access Rights

NCP directories are, by default, private. When you assign a user or a group as a trustee of a directory or file, those trustees can automatically navigate to the assigned area and exercise whatever access privileges you have assigned at that level and below. You can assign as many trustees with different access privileges as suits your purposes.

On the other hand, traditional Linux (POSIX) directories are accessed through three sets of permissions defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users: the file owner, the group, and other users. The Linux kernel in OES also supports access control lists (ACLs) to expand this capability. However, ACLs are outside the scope of this discussion. For more information on ACLs, see Access Control Lists in Linux in the SUSE LINUX Enterprise Server 9 Administration Guide.

The Linux shell chown command lets you change the file owner and/or group to a LUM user or a LUM-enabled group. For example, chown -R user1 /home/user1 would change the owner of the user1 home directory and all its subdirectories and files to user1. For more information, see the chown man page on your OES Linux server.

The Linux shell chmod command provides a very simple and fast way of adjusting directory and file access privileges for the three user types: owner, group, and other (all users). In its simplest form, the command uses three numbers, ranging from 0 through 7, to represent the rights for each of the three user types. The first number sets the rights for the owner, the second number for the group, and the third number for all others. Each number represents a single grouping of rights, as follows:

    Number    Setting    Binary Representation
    0         - - -      0 0 0
    1         - - x      0 0 1
    2         - w -      0 1 0
    3         - w x      0 1 1
    4         r - -      1 0 0
    5         r - x      1 0 1
    6         r w -      1 1 0
    7         r w x      1 1 1

Those familiar with the binary number system find this method an easy way to remember what each number represents.

For example, the command chmod 777 /home would grant read, write, and execute rights (7) to owner, group, and other for the /home directory, while chmod 700 /home would grant the three rights to only the directory owner, with group and other having no rights. chmod 750 /home would grant rwx rights to the owner, r-x rights to the group, and no rights to other users.

For more information about the chmod command, see the chmod man page on your OES Linux server.

35.4.2 Providing a Private Work Directory

To make an NCP directory private, you assign a single user as the trustee and make sure that no unexpected users or groups have trustee rights in any of the parent directories.

To provide a private work area on a traditional Linux volume:

  1. Make the user the directory owner. For example, you could use the chown command to change the owner (user):

    chown -R user: /path/user_dir

    where user is the eDirectory user, path is the file path to the work directory, and user_dir is the work directory name. The -R option applies the command recursively to all subdirectories and files.

  2. Grant only the user read, write, and execute rights (rwx --- ---) to the directory. For example, you could use the chmod command as follows:

    chmod -R 700 /path/user_dir

    where path is the file path to the work directory, and user_dir is the work directory name.

  3. Check each parent directory in the path up to the root (/) directory, making sure that all users (referred to as other users in Linux) have read and execute rights (r-x) in each directory as shown by the third group of permissions ( . . . . . . r-x). (Owner and group permissions are represented by dots (.) because their settings are irrelevant.)

    The reason for this is that, in the parent directories, the directory owners are “other” users and need to be able to see the path down to their private directory.

    Because r-x is the default for most directories on Linux, you probably won’t need to change the permissions.

35.4.3 Providing a Group Work Area

On an NCP volume, you can provide a group work area by assigning users to a group and then granting the group trustee rights to the directory. As an alternative, if users need different levels of access within the work area, you can assign each user as a trustee and grant only the rights needed.

To provide a group work area on a traditional Linux volume:

  1. Set group ownership for the directory using the chown command. For example, you could enter:

    chown -R :group /path/group_dir

    where group is the group name, path is the file path to the work area, and group_dir is the group work directory. The -R option applies the action to all subdirectories and files in group_dir.

  2. Grant the group read, write, and execute rights (. . . rwx . . .). (Owner and other permissions are represented by dots (.) because their settings are irrelevant.)

    For example, you could enter:

    chmod -R 770 /path/group_dir

    where path is the file path to the work area, and group_dir is the group work directory. The second 7 grants rwx to the group. (The example assumes that the owner of the directory should also retain all rights. Therefore, the first number is also 7.)

  3. Check each parent directory in the path up to the root (/) directory, making sure that the group has read and execute rights (r-x) in each directory as shown by the second group of permissions ( . . . r-x . . .).

    Use the chmod command to adjust this where necessary by specifying the number 5 for the group permission. For more information, see A Brief Explanation of Managing Access Rights at the beginning of this section.

35.4.4 Providing a Public Work Area

On an NCP volume, you can provide a public work area by assigning [Public] as a trustee and then granting the required trustee rights to the directory.

For the work area itself, you would set permissions for the owner, group, and all others to read, write, and execute rights (rwx rwx rwx), that is, chmod 777.

All others must also have read and execute rights in each parent directory in the path, all the way to the root of the Linux system. This means that you set permissions for all parent directories to rwx --- r-x.

To provide a public work area on a traditional Linux volume:

  1. Assign all rights (rwx) to other (all users) using the chmod command. For example, you could enter:

    chmod -R 707 /path/group_dir

    where path is the file path to the work area, and group_dir is the group work directory. The third 7 grants rwx to other (all users). (The example assumes that the owner of the directory should also retain all rights and that the group setting is irrelevant, so the first number is 7 and the second is 0.)

  2. Check each parent directory in the path up to the root (/) directory, making sure that all users (other) have read and execute rights (r-x) in each directory as shown by the third group of permissions ( . . . . . . r-x). (Owner and group permissions are represented by dots (.) because their settings are irrelevant.)

    Use the chmod command to adjust this where necessary by specifying the number 5 for the other permission. For more information, see A Brief Explanation of Managing Access Rights at the beginning of this section.
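The three procedures in 35.4.2 through 35.4.4 as a runnable shell script, with the recurring "check each parent directory" step automated. This is an added example, not part of the OES documentation: the helper names (perm_digit, check_parents, make_private, make_group_area, make_public, demo) and the optional TOP argument that limits the upward walk are this example's own, it assumes GNU coreutils (stat -c), and the scratch tree it builds under mktemp is constructed sample data standing in for a traditional Linux volume.

```shell
#!/bin/sh
# Added example, not from the OES documentation. Applies the private, group and
# public work-area procedures to a constructed scratch tree and automates the
# "check each parent directory" step. Assumes GNU coreutils (stat -c).
# Helper names and the optional TOP argument are this example's own.

# perm_digit DIR CLASS -> prints the octal mode digit (0-7) of DIR for owner|group|other
perm_digit() {
    mode=$(stat -c '%a' "$1") || return 1
    mode=${mode#"${mode%???}"}     # keep the last three digits; drops a sticky/setuid digit such as the 1 in 1777
    case $2 in
        owner) printf '%s\n' "${mode%??}" ;;
        group) mode=${mode#?}; printf '%s\n' "${mode%?}" ;;
        other) printf '%s\n' "${mode#??}" ;;
        *)     return 1 ;;
    esac
}

# check_parents DIR CLASS [TOP] -> 0 if every parent of DIR up to TOP (default /)
# grants read and execute (digit 5 or 7) to CLASS; otherwise lists the blocking
# directories and returns 1. It checks the mode digit only; for CLASS=group it
# does not confirm that each parent's group is the work-area group.
check_parents() {
    top=${3:-/}
    dir=$(dirname "$1")
    status=0
    while :; do
        d=$(perm_digit "$dir" "$2")
        case $d in
            5|7) ;;
            *)   echo "BLOCKED: $dir gives $2 mode digit '$d' (needs 5 or 7)"; status=1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $status
}

# Steps 1-2 of 35.4.2: the user owns the tree, rwx --- ---
make_private()    { chown -R "$2": "$1" && chmod -R 700 "$1"; }
# Steps 1-2 of 35.4.3: the group owns the tree, rwx rwx ---
make_group_area() { chown -R ":$2" "$1" && chmod -R 770 "$1"; }
# Step 1 of 35.4.4: rwx --- rwx (group digit left at 0 as irrelevant)
make_public()     { chmod -R 707 "$1"; }

# demo -> builds the constructed tree, runs the three parent checks, then breaks a
# parent directory and shows the private-area check fail. Returns 0 if all outcomes match.
demo() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                               # stands in for the volume root
    mkdir -p "$root/home/user1" "$root/projects/teamA" "$root/public"
    chmod 755 "$root/home" "$root/projects"         # parents: other and group get r-x
    me=$(id -un); grp=$(id -gn)                     # current user/group so chown succeeds unprivileged

    make_private    "$root/home/user1"     "$me"
    make_group_area "$root/projects/teamA" "$grp"
    make_public     "$root/public"
    for d in home/user1 projects/teamA public; do
        echo "$d -> $(stat -c '%a' "$root/$d")"    # expect 700, 770, 707
    done

    # TOP=$root keeps the walk inside the scratch tree; in production omit it so
    # the walk continues to /, as the procedures require.
    check_parents "$root/home/user1"     other "$root" && p1=pass || p1=fail
    check_parents "$root/projects/teamA" group "$root" && g1=pass || g1=fail
    check_parents "$root/public"         other "$root" && u1=pass || u1=fail

    chmod 750 "$root/home"                          # misconfiguration: other loses r-x on a parent
    check_parents "$root/home/user1"     other "$root" && p2=pass || p2=fail

    rm -rf "$root"
    echo "parent checks: private=$p1 group=$g1 public=$u1; after 'chmod 750 home': private=$p2"
    [ "$p1 $g1 $u1 $p2" = "pass pass pass fail" ]
}

demo
```

The last check deliberately reproduces the common mistake: the work directory itself is 700 as required, but a parent (here /home) has been tightened to 750, so "other" users, which is what the directory owner is in every parent directory, can no longer reach their own private area. Running check_parents with the real path and no TOP argument walks all the way to / as steps 3 (35.4.2), 3 (35.4.3) and 2 (35.4.4) require.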

35.4.5 Setting Up Rights Inheritance

The final step in aligning POSIX rights to the NCP model is setting the Inherit POSIX Permissions volume flag in the NCP configuration file so that all files and subdirectories created in these areas inherit the same permissions as their parent directory. For instructions, see Setting Volume Definition Flags in the NCP Server for Linux Administration Guide.