6.2 Security Issues

6.2.1 POSIX Permissions on the NSS File System

NSS users access the volumes with their eDirectory user names, not a local Linux identity. Access is granted by using the Novell trustee model of trustees, trustee rights, and inherited rights filters. The server’s root user is the only local user who has local access to the NSS file system.

NSS maps the file system settings for trustee rights to the POSIX file system, but it is not a one-to-one mapping. Many security features available in the Novell trustee model are not available in POSIX, so POSIX settings cannot be viewed in the same way that they might be for a non-NSS Linux file system. For information about how NSS maps file system rights and attributes, see Viewing Key NSS Directory and File Attributes as Linux POSIX Permissions in the OES 2015 SP1: File Systems Management Guide.

6.2.2 POSIX Permissions on Linux File Systems

For NCP volumes on Linux POSIX file systems, make sure that the Inherit POSIX Permissions option is disabled (the default setting). When this setting is disabled, the local Linux environment access is restricted to the root user and the file owner or creator, which is the most secure configuration. For information, see Section 10.8, Configuring Inherit POSIX Permissions for an NCP Volume.

Inherit POSIX Permissions is not allowed to be set on an NSS volume. There is an explicit check for this, and if it is an NSS volume, an Error 22 is returned. NSS has its own handling of POSIX permissions. For information, see Section 6.2.1, POSIX Permissions on the NSS File System.