The NetWare (NSS/NCP) and Linux (POSIX) security models are quite different, as presented in Table 30-1.
Table 30-1 POSIX Vs. NSS/NCP File Security Models
| Feature | POSIX / Linux | NSS/NCP on OES Linux |
|---|---|---|
| Administrative principles | Permissions are controlled and managed for each file and subdirectory individually. Because of the nature of the POSIX security model, users usually have read rights to most of the system. To make directories and files private, permissions must be removed. For more information on creating private directories, see<br>For more information on making existing directories private, see Section 35.4.2, Providing a Private Work Directory. | Trustee assignments are made to directories and files and flow down from directories to everything below unless specifically reassigned. |
| Default accessibility | Users have permissions to see most of the file system. The contents of a few directories, such as the /root home directory, can only be viewed by the root user. Some system configuration files can be read by everyone, but the most critical files, such as /etc/fstab, can only be read and modified by root. | Users can see only the directories and files for which they are trustees (or members of a group that is a trustee). |
| Home directories—an example of default accessibility | By default, all users can see the names of directories and files in home directories. To make directories and files private, permissions must be removed. For more information on creating private home directories, see<br>For more information on making existing home directories private, see Section 35.4.2, Providing a Private Work Directory. | By default, only the system administrator and the home directory owner can see a home directory. Files in the directory are secure. If users want to share files with others, they can grant trustee assignments to the individual files, or they can create a shared subdirectory and assign trustees to it. |
| Inheritance from parents | Nothing is inherited. Granting permission to a directory or file affects only the directory or file. | Rights are inherited in all child subdirectories and files unless specifically reassigned. A trustee assignment can potentially give a user rights to a large number of subdirectories and files. |
| Privacy | Because users have permissions to see most of the file system for reasons stated above, most directories and files are only private when you make them private. | Directories and files are private by default. |
| Subdirectory and file visibility | Permissions granted to a file or directory apply to only the file or directory. Users can't see parent directories along the path up to the root unless permissions are granted (by setting the UID, GID, and mode bits) for each parent. After permissions are granted, users can see the entire contents (subdirectories and files) of each directory in the path. | When users are given a trustee assignment to a file or directory, they can automatically see each parent directory along the path up to the root. However, users can’t see the contents of those directories, just the path to where they have rights. |

When an NCP volume is created on a traditional Linux or NSS volume, some of the behavior described above is modified. For more information, see the NCP Server for Linux Administration Guide, particularly the NCP on Linux Security section.
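
The POSIX column's home-directory and "Subdirectory and file visibility" rows can be checked from mode bits alone. The following added example (not part of the original documentation) classifies each directory under a base path by what the "other" class can do with it, and shows that an open subdirectory stays unreachable below a private parent. It assumes only the "other" mode bits matter (ACLs, ownership and group membership are ignored); the directory names and the tree are constructed for the demonstration.

```python
import os
import stat
import tempfile


def other_bits(path):
    """Return (read, search) mode bits of the 'other' class for path."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IXOTH)


def other_can_reach(path, stop):
    """True if 'other' has search (x) on every directory from stop down to path's parent."""
    path, stop = os.path.realpath(path), os.path.realpath(stop)
    if path == stop or os.path.commonpath([path, stop]) != stop:
        raise ValueError("path must be below stop")
    parent = os.path.dirname(path)
    while True:
        if not other_bits(parent)[1]:
            return False  # POSIX: nothing is inherited, one closed parent blocks the path
        if parent == stop:
            return True
        parent = os.path.dirname(parent)


def audit_homes(base):
    """Map each directory under base to what the 'other' class can do with it."""
    labels = {(True, True): "listable", (True, False): "names-only",
              (False, True): "traverse-only", (False, False): "private"}
    report = {}
    for name in sorted(os.listdir(base)):
        home = os.path.join(base, name)
        if os.path.isdir(home):
            report[name] = labels[other_bits(home)] if other_can_reach(home, base) else "private"
    return report


def build_demo():
    """Constructed tree: a default-style home (0755), a private one (0700), a traverse-only one (0711)."""
    base = tempfile.mkdtemp()
    for rel, mode in (("", 0o755), ("alice", 0o755), ("bob", 0o700),
                      ("bob/shared", 0o755), ("carol", 0o711)):
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        os.chmod(os.path.join(base, rel), mode)  # set explicitly so umask does not matter
    return base


if __name__ == "__main__":
    demo = build_demo()
    print(audit_homes(demo))
    print(other_can_reach(os.path.join(demo, "bob", "shared"), demo))
```

Any home directory reported as `listable` or `names-only` exposes its file names to other users, which is the POSIX default the table describes.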