3.2 Compatibility Issues for File System Rights on Linux

This section discusses the following issues for controlling access to files on Linux:

3.2.1 Enforcing File System Rights on Linux

File and directory access rights are enforced on Linux systems in different ways, depending on the following:

  • User identity, such as Novell eDirectory™ users, Linux-enabled eDirectory users, and local-only users

  • Access method, such as NCP™ Server, other protocols, or core Linux utilities.

    For information about core Linux utilities, see Core Linux Utilities.

  • File system access control, such as NSS file and directory attributes

Novell eDirectory Users

The following table describes how file system access rights are enforced on Linux systems for eDirectory users:

| File System | Access via NCP Server for Linux | Access via Linux Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | NCP and NSS enforce access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| NCP volumes on Linux POSIX file systems | NCP enforces access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| Linux POSIX file systems | eDirectory users have no access to files via NCP. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |

Local-Only Users

The following table describes how file system access rights are enforced on Linux systems for locally defined users:

| File System | Access via NCP Server for Linux | Access via Other Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| NCP volumes on Linux POSIX | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| Linux POSIX file systems | Local users have no access to files via NCP. Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |

Core Linux Utilities

Core Linux utilities are standard file services used to access files.

IMPORTANT: To enable users of NSS volumes and NCP volumes to use the core Linux utilities, you must PAM-enable the utility with Linux User Management (LUM) and Linux-enable the users with LUM. For information, see OES 2 SP2: Novell Linux User Management Technology Guide.

Core Linux utilities include the following:

  • Shell login

  • Samba server

  • File transfer protocol (ftp)

  • Secure shell (ssh)

  • Substitute user (su), which runs a shell as root (or superuser)

  • Remote shell (rsh)

  • Remote login (rlogin)

  • X display manager (xdm)

  • Open Web-based enterprise management (openwbem)

3.2.2 Assigning File System Rights on Linux

The following table identifies the management tools to use to assign Novell trustee-based file system rights on Linux.

IMPORTANT: Only eDirectory users are eligible for file-system trustee rights.

| Management Tool | NSS File System on Linux: NCP | NSS File System on Linux: NFS or Samba | NSS File System on Linux: Core Linux Utilities | Linux POSIX File Systems: NCP | Linux POSIX File Systems: NFS or Samba | Linux POSIX File Systems: Core Linux Utilities |
|---|---|---|---|---|---|---|
| NSS rights utility | Yes | Yes | Yes | Yes | Not applicable | Not applicable |
| Novell NetStorage | Yes | Yes | Yes, for NetStorage with SSH support | Not supported by NetStorage | Not applicable | Not applicable |
| Novell Client™ for Windows XP/2003 and for Windows Vista | Yes | Not applicable | Not applicable | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable | Yes | Not applicable | Not applicable |
| ConsoleOne® | Yes | No | No | Yes | Not applicable | Not applicable |

3.2.3 Key Considerations

If you use core Linux utilities—with, or instead of, NCP Server for Linux—to control file access for eDirectory users on Linux:

  • Make sure the core Linux utilities are PAM-enabled during Linux User Management (LUM) configuration.

  • eDirectory users must be Linux-enabled to use the core Linux utilities. A Linux-enabled user is defined as a local user and as an eDirectory user. (Linux-enabled is also referred to as LUM-enabled.)
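
One way to check the first consideration on a server, as an added example that is not part of the original documentation: the script reports which core-utility PAM service files reference the LUM module, following include lines. The module name pam_nam.so, the service file names, and a pam.d-style directory such as /etc/pam.d are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example: audit PAM service files for the LUM module.
# Assumptions: the LUM PAM module is pam_nam.so and the core utilities use
# the service file names below; adjust both to match the server.
LUM_MODULE="pam_nam.so"
CORE_SERVICES="login sshd su ftp rsh rlogin xdm openwbem samba"

# pam_references DIR SERVICE MODULE [DEPTH]
# Exit 0 if SERVICE's file, or a file it includes, names MODULE on a
# non-comment line; 1 if not; 2 if the service file does not exist.
# The body is a subshell so recursive calls keep their own variables.
pam_references() (
    dir=$1; svc=$2; mod=$3; depth=${4:-0}
    file="$dir/$svc"
    [ -f "$file" ] || exit 2
    [ "$depth" -le 4 ] || exit 1          # guard against include loops
    # Drop comments so a commented-out module line does not count.
    sed 's/#.*//' "$file" | grep -qwF -- "$mod" && exit 0
    for inc in $(sed 's/#.*//' "$file" | awk '
            $1 == "@include" { print $2 }
            $2 == "include" || $2 == "substack" { print $3 }'); do
        pam_references "$dir" "$inc" "$mod" $((depth + 1)) && exit 0
    done
    exit 1
)

# lum_pam_audit DIR
# Print one status line per core utility. Returns non-zero if any service
# that has a PAM file does not reference the LUM module.
lum_pam_audit() {
    rc=0
    for svc in $CORE_SERVICES; do
        status=0
        pam_references "$1" "$svc" "$LUM_MODULE" || status=$?
        case $status in
            0) echo "$svc: PAM-enabled for LUM" ;;
            2) echo "$svc: no PAM service file found" ;;
            *) echo "$svc: NOT PAM-enabled for LUM"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /etc/pam.d
if [ $# -gt 0 ]; then lum_pam_audit "$1"; fi
```

A service reported as not PAM-enabled cannot authenticate eDirectory users even when those users are Linux-enabled.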

Although NCP and NSS keep file system rights information separately, the information is synchronized between them.