This section describes how access to files is controlled on Linux. File and directory access rights are enforced on Linux systems in different ways, depending on the following:
User identity, such as Novell eDirectory users, Linux-enabled eDirectory users, and local-only users
Access method, such as NCP Server, other protocols, or core Linux utilities
File system access control, such as NSS file and directory attributes
The following sections give an overview of these issues.
The following table describes how file system access rights are enforced on Linux systems for eDirectory users, based on the access method:

| File System | Access via NCP Server for Linux | Access via Linux Protocols (such as NFS or Samba) | Access via Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | NCP and NSS enforce access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. | NCP and NSS enforce access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| NCP volumes on Linux POSIX file systems | NCP enforces access. For security reasons, soft links are not supported by NCP Server. Soft links are not accessible from NCP clients; users cannot see or access them. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. | NCP enforces access. eDirectory users must be Linux-enabled with Linux User Management. Linux services need to be enabled for pluggable authentication modules (PAM) when you configure Linux User Management. |
| Linux POSIX file systems | eDirectory users have no access to files via NCP. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |
The following table describes how file system access rights are enforced on Linux systems for locally defined users, based on the access method:

| File System | NCP Server for Linux | Other Protocols (such as NFS or Samba) | Core Linux Utilities |
|---|---|---|---|
| NSS on Linux | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| NCP volumes on Linux POSIX | Restricted to the root user. | Restricted to the root user. | Restricted to the root user. |
| Linux POSIX file systems | Local users have no access to files via NCP. Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. | Linux ACLs and POSIX permissions are used to enforce access. |
Core Linux utilities are standard file services used to access files. They include:
Shell login
Samba server
File transfer protocol (ftp)
Secure shell (ssh)
Substitute user (su), which runs a shell as root (the superuser) or as another user
Remote shell (rsh)
Remote login (rlogin)
X display manager (xdm)
Open Web-based enterprise management (openwbem)
IMPORTANT: To enable users of NSS volumes and NCP volumes to use the core Linux utilities, you must PAM-enable the utility with Linux User Management (LUM) and Linux-enable the users with LUM. For information, see OES 2 SP3: Novell Linux User Management Administration Guide.
The following table identifies the management tools to use to assign Novell trustee-based file system rights on the NSS file system for Linux, by access method:

IMPORTANT: Only eDirectory users are eligible for file-system trustee rights.

| Management Tool | NSS on Linux via NCP | NSS on Linux via NFS or Samba | NSS on Linux via Core Linux Utilities |
|---|---|---|---|
| NSS rights utility | Yes | Yes | Yes |
| Novell NetStorage | Yes | Yes | Yes, for NetStorage with SSH support |
| Novell Client for Windows XP/2003 and for Windows Vista | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable |
| ConsoleOne | Yes | No | No |
The following table identifies the management tools to use to assign Novell trustee-based file system rights on Linux POSIX file systems, by access method:

| Management Tool | Linux POSIX File Systems via NCP | Linux POSIX File Systems via NFS or Samba | Linux POSIX File Systems via Core Linux Utilities |
|---|---|---|---|
| NSS rights utility | Yes | Not applicable | Not applicable |
| Novell NetStorage | Not supported by NetStorage | Not applicable | Not applicable |
| Novell Client for Windows XP/2003 and for Windows Vista | Yes | Not applicable | Not applicable |
| Novell Client for Linux | Yes | Not applicable | Not applicable |
| ConsoleOne | Yes | Not applicable | Not applicable |
If you use core Linux utilities (with, or instead of, NCP Server for Linux) to control file access for eDirectory users on Linux:
Ensure that the core Linux utilities are PAM-enabled during Linux User Management (LUM) configuration.
eDirectory users must be Linux-enabled to use the core Linux utilities. A Linux-enabled user is defined as a local user and as an eDirectory user. (Linux-enabled is also referred to as LUM-enabled.)
Although NCP and NSS keep file system rights information separately, the information is synchronized between them.
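The two requirements above (PAM-enable each core Linux utility with LUM, and Linux-enable the users) are easy to get half right, and a utility that is not PAM-enabled simply refuses eDirectory users. The following is an added audit script, not code from the OES documentation or from Novell. It assumes that LUM's PAM module is named pam_nam.so and that it is referenced from the per-service files under /etc/pam.d/ (the service names login, sshd, su, rsh, rlogin, xdm, ftp and samba are assumed to be the ones the utilities in the list above use). The sample PAM files it builds are constructed for the demonstration so that the script runs offline; point lum_pam_report at the real /etc/pam.d to audit a server.

```shell
#!/bin/sh
# Added example: audit which core Linux utilities are PAM-enabled for
# Linux User Management (LUM). Not part of the OES documentation.
# Assumptions (not stated on the page): LUM's PAM module is pam_nam.so and
# it is listed in the per-service files under /etc/pam.d/.

# Return 0 if the PAM service file $2 under directory $1 has an active
# (uncommented) auth/account/password/session line that loads pam_nam.so.
lum_pam_enabled() {
    pamdir=$1
    svc=$2
    f="$pamdir/$svc"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*(auth|account|password|session)[[:space:]].*pam_nam\.so' "$f"
}

# Print one "<service> enabled|disabled|missing" line per core utility.
# "disabled" means the service file exists but never loads pam_nam.so,
# so eDirectory (LUM) users cannot authenticate through that utility.
lum_pam_report() {
    pamdir=$1
    for svc in login sshd su rsh rlogin xdm ftp samba; do
        if [ ! -r "$pamdir/$svc" ]; then
            echo "$svc missing"
        elif lum_pam_enabled "$pamdir" "$svc"; then
            echo "$svc enabled"
        else
            echo "$svc disabled"
        fi
    done
}

# Return 0 if user $1 resolves through the system name service (getent),
# i.e. the eDirectory user is Linux-enabled; a non-LUM user will not resolve.
user_is_linux_enabled() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed sample /etc/pam.d-style files for an offline demonstration:
# sshd is LUM-enabled, login has the LUM line commented out, su never had it.
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth     sufficient pam_nam.so
auth     required   pam_unix.so
account  sufficient pam_nam.so
account  required   pam_unix.so
session  optional   pam_nam.so
EOF
    cat > "$d/login" <<'EOF'
#%PAM-1.0
#auth    sufficient pam_nam.so
auth     required   pam_unix.so
account  required   pam_unix.so
EOF
    cat > "$d/su" <<'EOF'
#%PAM-1.0
auth     required   pam_unix.so
account  required   pam_unix.so
EOF
    echo "$d"
}

# Usage: sh lum_audit.sh /etc/pam.d   (or any directory of PAM service files)
if [ $# -gt 0 ]; then
    lum_pam_report "$1"
fi
```

On a real server, every utility that eDirectory users are expected to reach should report "enabled"; a "disabled" or "missing" line explains a login failure that has nothing to do with trustee rights, since PAM rejects the user before NCP or NSS ever sees the request.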