6.9 Using the Rights Utility to Set Trustee Rights for the NSS File System

The NSS Rights Utility (rights) for Linux allows you to specify trustee rights for directories and files in the NSS file system. This utility does not provide support for trustees on Linux file systems. It is also not meant to be used to set trustees for NSS volumes on NetWare. The trustee information is saved in the file and directory metadata in the NSS volume and works seamlessly with NetWare if the volume is moved to a NetWare server.

6.9.1 Syntax

rights [OPTIONS]
rights [TOPTIONS] trustee username
rights [DOPTIONS] delete username
rights [IOPTIONS] irf
rights [EROPTIONS] effective username
rights [SOPTIONS] show

6.9.2 Options

ACTIONS

The first argument indicates the action to be taken.

| Option | Description |
| --- | --- |
| trustee | Adds or modifies a trustee on a file or directory. |
| delete | Removes a trustee from a file or directory. |
| irf | Sets the inherited rights filter on a directory. |
| effective | Displays a user’s effective rights. |
| show | Displays the trustees and inherited rights filter. |

OPTIONS

Option

Description

-v, --version 

Displays the program version information.

-h, --help 

Displays the help screen.

TOPTIONS

Option

Description

-r, --rights=MASK

Specifies the rights to be given to this trustee. For more information, see MASK.

If the No Rights (n) option is assigned, the trustee is removed.

If rights are not specified, the default assignment is Read and File Scan rights.

-f, --file=filename

Specifies the name of the file or directory to assign trustees to. Filename is the path for the file or directory. For example:

-f /users/username/userfile.sxi
--file=/designs/topsecret

If a file or directory is not specified, the current directory is used.

-S, --softlink

Does not follow soft links.

DOPTIONS

Option

Description

-f, --file=filename

Specifies the name of the file or directory to delete trustees from. Filename is the path for the file or directory.

If a file or directory is not specified, the current directory is used.

-S, --softlink

Does not follow soft links.

IOPTIONS

Option

Description

-r, --rights=MASK

Specifies the rights to be passed through the filter. For more information, see MASK.

If rights are not specified, the default assignment is All Rights.

-f, --file=filename

Specifies the name of the directory where the filter is to be applied. Filename is the path for the directory.

If a directory is not specified, the current directory is used.

-S, --softlink

Does not follow soft links.

EROPTIONS

Option

Description

-f, --file=filename

Specifies the name of the file or directory where effective rights are to be calculated. Filename is the path for the file or directory.

If a file or directory is not specified, the current directory is used.

-S, --softlink

Does not follow soft links.

SOPTIONS

Option

Description

-f, --file=filename

Specifies the name of the file or directory whose list of trustees is to be displayed.

If a file or directory is not specified, the current directory is used.

-S, --softlink

Does not follow soft links.

USERNAME

The username parameter is the Fully Distinguished Name of a Novell eDirectory object, including the tree name. Use the username.context.treename format, for example:

joe.engineer.acme_tree

If you use special characters in a user name, you must escape those special characters in the command line.

For example, the $ (dollar sign) is a special character reserved to the shell and must be escaped. For the bash shell, the command could be written in one of two ways on the command line:

rights -f /media/nss/DATA/stuff -r none \$j\$o\$e.engineer.acme_tree
rights -f /media/nss/DATA/stuff -r none '$j$o$e.engineer.acme_tree'

If you are using another shell, the special characters might need a different escape technique. In this case, please refer to the shell documentation for this information.

The user name can also be the [Public] trustee. NSS expects the [Public] trustee to be configured on directories that are accessed by daemons that run as the nobody user. For information, see Section 5.4, Configuring the [Public] Trustee Access Rights on NSS Volumes for Daemons Running as the Nobody User.

MASK

The mask is a string of characters, with each character representing certain rights. The following table lists the rights, the letter to use for each right, and what the right is used for.

| Right | Letter | Description |
| --- | --- | --- |
| Supervisor | s | Has all rights to the file or directory. Also can grant or revoke the Access Control right. |
| Read | r | Grants the right to open and read files in the directory. |
| Write | w | Grants the right to open and write to files in the directory. |
| Create | c | Grants the right to create files and subdirectories. The user can also salvage (undelete) deleted files. |
| Erase | e | Grants the right to erase files and directories. The user can also purge deleted files. |
| Modify | m | Grants the right to modify the content of files and directories, and change file attributes. |
| File Scan | f | Grants the right to display and search on file and directory names in the file system structure. |
| Access Control | a | Grants the right to add and remove trustees, and change trustee rights to files and directories. |
| No Rights | none | Revokes all rights. |
| All Rights | all | Grants all rights except Supervisor (rwcemfa). |
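
The mask letters and the user name escaping described above, as an added example that is not part of the original documentation: a POSIX shell helper that validates a MASK against the table, flags masks that carry Supervisor (s) or Access Control (a), and prints a single-quoted trustee command for review instead of running it. The function names and the allow-admin argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Novell documentation. Function names and the
# "allow-admin" argument are hypothetical. The rights utility is never run.

# Validate a MASK against the table above and print its letter form.
# "all" expands to rwcemfa (everything except Supervisor).
expand_mask() {
    case "$1" in
        all)  printf 'rwcemfa\n'; return 0 ;;
        none) printf 'none\n'; return 0 ;;
        '')   return 1 ;;
        *[!srwcemfa]*) return 1 ;;   # character outside the MASK table
    esac
    printf '%s\n' "$1"
}

# True when the mask carries Supervisor (s) or Access Control (a), the
# rights that let a trustee change who else has access.
mask_is_privileged() {
    _pm=$(expand_mask "$1") || return 2
    case "$_pm" in
        none) return 1 ;;
        *[sa]*) return 0 ;;
    esac
    return 1
}

# Single-quote a value so $ and other shell specials reach rights literally;
# an embedded ' is emitted as '\''.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Print the trustee command for review. Args: path mask username [allow-admin]
build_trustee_cmd() {
    _m=$(expand_mask "$2") || { echo "invalid MASK: $2" >&2; return 1; }
    if mask_is_privileged "$_m" && [ "${4:-}" != allow-admin ]; then
        echo "MASK $_m grants s or a; pass allow-admin to confirm" >&2
        return 3
    fi
    printf 'rights -f %s -r %s trustee %s\n' "$(sq "$1")" "$_m" "$(sq "$3")"
}

# Constructed sample: the user name from the escaping example above.
build_trustee_cmd /media/nss/DATA/stuff rf '$j$o$e.engineer.acme_tree'
```

Because all expands to rwcemfa, which includes Access Control, the helper treats it as privileged and refuses it unless allow-admin is passed.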

6.9.3 Example

The following command assigns Read, Write, File Scan, and Create rights to the /designs/topsecret directory for user Joe in the engineer context of the acme_tree eDirectory tree.

rights -f /designs/topsecret -r rwfc trustee joe.engineer.acme_tree

The following commands allow the rsync daemon, which runs as the nobody user, to access the /media/nss/VOL1/rsync directory. They make the [Public] user a trustee of the directory and give it the Read and File Scan access rights on that directory.

cd /media/nss/VOL1/rsync

rights trustee "[Public]" -r rf

6.9.4 See Also

For information about setting file system directory and file attributes, see Using the Attrib Utility to Set NSS File System Attributes.