NFS and ACLs (Access Control Lists)


Post by Luca Pol » Fri, 27 Sep 1996 04:00:00



I have a number of file servers under Solaris 2.5/2.5.1, which serve several
PCs with PC-NFS.  I also have a couple of PCs with Warp Server which serve
other machines (mostly Warp Connect ones).

In order to simplify the management of user accounts, backups, etc., we
would like to move everything under NFS, but we also need a means to manage
access rights to some resources (more precisely: read access for the group
"X", but some selected people in that group must have write access, too).
Now, under LAN Server ACLs are the standard way, but in the Unix world
user/group/other permissions are still the rule; Solaris *has* ACLs, but my
questions are:

  If I have a file on the server with an ACL, and I use a DOS/Win/OS2 NFS
  client, can I assume that the ACL will be honored by the client, or it
  all depends on the particular brand/version of the client?

  How does IBM's NFS for OS/2 behave in this case?

  Are Solaris ACLs trustworthy? (yes, I know NFS is *not* trustworthy, but
  that's another issue...)

  Other suggestions of interest? :-)

Thanks in advance,
Luca Polo.
--
+-----------------------------------------++---------------------------+

| (http://www.gest.unipd.it/~jake   for   || Ist. di Ing. Gestionale,  |
| address and phone numbers)              || Universita` di Padova.    |

 
 
 


Post by Bryan O'Sulliva » Fri, 27 Sep 1996 04:00:00


l> If I have a file on the server with an ACL, and I use a DOS/Win/OS2
l> NFS client, can I assume that the ACL will be honored by the
l> client, or it all depends on the particular brand/version of the
l> client?

It depends on the client.  ACLs haven't made it into many NFS
implementations just yet.

        <b

--
Let us pray:
What a Great System.
Please Do Not Crash.


 
 
 


Post by David Robins » Fri, 27 Sep 1996 04:00:00




>  If I have a file on the server with an ACL, and I use a DOS/Win/OS2 NFS
>  client, can I assume that the ACL will be honored by the client, or it
>  all depends on the particular brand/version of the client?

>  How does IBM's NFS for OS/2 behave in this case?

>  Are Solaris ACLs trustworthy? (yes, I know NFS is *not* trustworthy, but
>  that's another issue...)

>  Other suggestions of interest? :-)

If the server supports ACLs, it should use the ACL to evaluate
whether any NFS request is allowed, regardless of what
type of client it is.  You cannot rely on the client
to honor the ACL; it is the job of the server.  With NFS V3 the
client can use the ACCESS procedure to discover at open whether
the I/O will succeed.  However, even with V2, the ACL will
be honored, but the client application may receive errors at
unexpected places (e.g. from a write() when expecting it at open()).

All of this depends on the client sending the appropriate authentication.
AUTH_UNIX is known not to be a secure authentication, but using
either AUTH_DES or AUTH_KERB will provide secure authentication.

        -David
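
The server-side decision described in the post above, as an added example that is not part of the original thread. It models the "group X reads, selected members also write" case with a simplified POSIX.1e-draft style check. The uids, gids, the ACL itself and the function names are constructed for illustration; only the ACCESS bit values come from RFC 1813.

```python
# Added illustration, not code from the thread. All ids and the ACL are constructed.
ACCESS3_READ, ACCESS3_MODIFY, ACCESS3_EXTEND = 0x0001, 0x0004, 0x0008  # RFC 1813
R, W = 4, 2

# Constructed ACL: owner uid 500; group "X" (gid 200) may read;
# uids 1001 and 1002 (selected members of X) may also write.
ACL = {"owner": 500, "user_obj": R | W, "users": {1001: R | W, 1002: R | W},
       "group": 200, "group_obj": R, "groups": {}, "mask": R | W, "other": 0}

def granted(acl, uid, gids, want):
    """Simplified POSIX.1e-draft check: the first matching class decides.

    uid and gids are whatever the request's credential carries. With
    AUTH_UNIX they are asserted by the client, so the decision is only
    as trustworthy as that credential.
    """
    if uid == acl["owner"]:
        return (acl["user_obj"] & want) == want
    if uid in acl["users"]:                       # named user, limited by mask
        return (acl["users"][uid] & acl["mask"] & want) == want
    entries = [acl["group_obj"]] if acl["group"] in gids else []
    entries += [p for g, p in acl["groups"].items() if g in gids]
    if entries:                                   # group class, limited by mask
        return any((p & acl["mask"] & want) == want for p in entries)
    return (acl["other"] & want) == want

def nfs3_access(acl, uid, gids, requested):
    """Bits an NFS V3 ACCESS reply would return: the allowed subset of `requested`."""
    need = {ACCESS3_READ: R, ACCESS3_MODIFY: W, ACCESS3_EXTEND: W}
    return sum(bit for bit, perm in need.items()
               if requested & bit and granted(acl, uid, gids, perm))

def open_then_write(version, acl, uid, gids):
    """Where a writer learns the outcome. Assumes a V2 client opens without asking."""
    if version == 3 and not nfs3_access(acl, uid, gids, ACCESS3_MODIFY):
        return "denied at open()"
    # V2 has no ACCESS call: the open goes through and the server rejects the WRITE.
    return "write ok" if granted(acl, uid, gids, W) else "denied at write()"

if __name__ == "__main__":
    for uid, gids in [(1001, [200]), (1500, [200]), (1600, [300])]:
        bits = nfs3_access(ACL, uid, gids, ACCESS3_READ | ACCESS3_MODIFY)
        print(uid, hex(bits), open_then_write(2, ACL, uid, gids),
              open_then_write(3, ACL, uid, gids))
```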

 
 
 


Post by Eric Wer » Sat, 28 Sep 1996 04:00:00



>  If I have a file on the server with an ACL, and I use a DOS/Win/OS2 NFS
>  client, can I assume that the ACL will be honored by the client, or it
>  all depends on the particular brand/version of the client?
>  How does IBM's NFS for OS/2 behave in this case?

As David noted, the server will enforce the ACL checks.  If you want to
examine or change ACLs from OS/2, you're out of luck as far as I know.
There has been talk about a common ACL protocol, but all us principals
are busy.
--
  <>    Eric (Ric) Werme   <>  Why Government Doesn't Work!  For details   <>

 
 
 
