16.4 Aligning NCP and POSIX File Access Rights

NetWare administrators have certain expectations regarding directory and file security. For example, they expect that home directories are private and that only the directory owner can see a directory’s contents. However, because of the differences in the NetWare Core Protocol (NCP) and POSIX file security models (see Section 19.2.1, Comparing the Linux and the OES Trustee File Security Models) that is not the case by default on POSIX file systems.

Fortunately, when you install Linux User Management (LUM) in OES, there is an option to make home directories private. This option automatically provides the privacy that NetWare administrators are used to seeing. Unfortunately, the option only applies to newly created home directories, so there is more to understand and do if aligning access rights is an issue for you.

Use the information in this section to understand how you can configure POSIX directories to more closely align with the NCP model.

16.4.1 Managing Access Rights

NCP directories are, by default, private. When you assign a user or a group as a trustee of a directory or file, those trustees can automatically navigate to the assigned area and exercise whatever access privileges you have assigned at that level and below. You can assign as many trustees with different access privileges as you need.

On the other hand, Linux POSIX directories can be accessed through three sets of permissions defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users: the file owner, the group, and other users. The Linux kernel in OES also supports access control lists (ACLs) to expand this capability. However, ACLs are outside the scope of this discussion. For more information on ACLs, see Access Control Lists in Linux in the SLES Security Guide.

The Linux chown command lets you change the file owner and/or group to a LUM user or a LUM-enabled group. For example, chown -R user1 /home/user1 changes the owner of the user1 home directory and all its subdirectories and files to user1. For more information, see the chown man page on your OES server.

The Linux chmod command provides a very simple and fast way of adjusting directory and file access privileges for the three user types: owner, group, and other (all users). In its simplest form, the command uses three numbers, ranging from 0 through 7, to represent the rights for each of the three user types. The first number sets the rights for the owner, the second number sets the rights for the group, and the third number sets the rights for all others. Each number represents a single grouping of rights, as follows:

Number

Setting

Binary Representation

0

- - -

0 0 0

1

- - x

0 0 1

2

- w -

0 1 0

3

- w x

0 1 1

4

r - -

1 0 0

5

r - x

1 0 1

6

r w -

1 1 0

7

r w x

1 1 1

Those familiar with the binary number system find this method an easy way to remember what each number represents.

For example, the command chmod 777 /home would grant read, write and execute rights (7) to owner, group, and other for the /home directory, while chmod 700 /home would grant the three rights to only the directory owner, with group and other having no rights. chmod 750 /home would grant rwx rights to the owner, r-x rights to the group, and no rights to other users.

For more information about the chmod command, see the chmod man page on your OES server.

16.4.2 Providing a Private Work Directory

To make an NCP directory private, you assign a single user as the trustee and make sure that no unexpected users or groups have trustee rights in any of the parent directories.

To provide a private work area on a Linux POSIX volume:

  1. Make a LUM-enabled user the directory owner. For example, you could use the chown command to change the owner (user),

    chown -R user /path/user_dir

    where user is the eDirectory user, path is the file path to the work directory, and user_dir is the work directory name. The -R option applies the command recursively to all subdirectories and files.

  2. Grant only the LUM-enabled user read, write, and execute rights (rwx --- ---) to the directory. For example, you could use the chmod command as follows,

    chmod -R 700 /path/user_dir

    where path is the file path to the work directory, and user_dir is the work directory name.

  3. Check each parent directory in the path up to the root (/) directory, making sure that all users (referred to as other users in Linux) have read and execute rights (r-x) in each directory as shown by the third group of permissions (. . . . . . r-x). (Owner and group permissions are represented by dots because their settings are irrelevant.)

    The reason for checking directories is that in the parent directories the directory owners are “other” users and they need to be able to see the path down to their own private directories.

    Because r-x is the default for most directories on Linux, you probably won’t need to change the permissions.

16.4.3 Providing a Group Work Area

On an NCP volume, you can provide a group work area by assigning users to a LUM-enabled group and then granting the group trustee rights to the directory. As an alternative, if users need different levels of access within the work area, you can assign each user as a trustee and grant only the rights needed.

To provide a group work area on a Linux POSIX volume:

  1. Use the chown command to set group ownership for the directory. For example, you could enter

    chown -R :group /path/group_dir

    where group is the LUM-enabled group name, path is the file path to the work area, and group_dir is the group work directory. The -R option applies the action to all subdirectories and files in group_dir.

  2. Grant the LUM-enabled group read, write, and execute rights (. . . rwx . . .). (Owner and other permissions are represented by dots because their settings are irrelevant.)

    For example, you could enter

    chmod -R 770 /path/group_dir

    where path is the file path to the work area, and group_dir is the group work directory. The second 7 grants rwx to the group. (The example assumes that the owner of the directory should also retain all rights. Therefore, the first number is also 7.)

  3. Check each parent directory in the path up to the root (/)directory, making sure that the group has read and execute rights (r-x) in each directory as shown by the second group of permissions ( . . . r-x . . .).

    Use the chmod command to adjust this where necessary by specifying the number 5 for the group permission. For more information, see Section 16.4.1, Managing Access Rights.

16.4.4 Providing a Public Work Area

On an NCP volume, you can provide a public work area by assigning [Public] as a trustee and then granting the required trustee rights to the directory.

For the work area itself, you would set permissions for the owner, group, and all others to read, write, and execute rights (rwx rwx rwx) (chmod 777).

All others must also have read and execute rights on the system in each parent directory in the path all the way to the root of the Linux system. This means that you set permissions for all parent directories to rwx --- r-x.

To provide a public work area on a Linux POSIX volume:

  1. Use the chown command to assign all rights (rwx) to other (all users). For example, you could enter

    chmod -R 707 /path/group_dir

    where path is the file path to the work area, and group_dir is the group work directory. The third 7 grants rwx to the group. (The example assumes that the owner of the directory should also retain all rights and that the group setting is irrelevant.)

  2. Check each parent directory in the path up to the root (/)directory, making sure that all users (other) have read and execute rights (r-x) in each directory as shown by the third group of permissions (. . . . . . rwx). (Owner and group permissions are represented by dots because their settings are irrelevant.)

    Use the chmod command to adjust this where necessary by specifying the number 5 for the other permission. For more information, see Managing Access Rights at the beginning of this section.

16.4.5 Setting Up Rights Inheritance

The final step in aligning POSIX rights to the NCP model is setting the Inherit POSIX Permissions volume flag in the NCP configuration file so that all files and subdirectories created in these areas inherit the same permissions as their parent directory. For instructions, see Configuring Inherit POSIX Permissions for an NCP Volume in the NCP Server for Linux Administration Guide.