10.8 Configuring Inherit POSIX Permissions for an NCP Volume

For NCP volumes on Linux, the ability to inherit POSIX permissions (Group ID and mode bits) from a parent directory is disabled by default. This ensures that local access to data (that is, local access in the Linux environment, not via NetIQ eDirectory) is available only to the root user. Only authorized eDirectory users can access the data. As with NetWare volumes, NCP Server controls access to data by using the Novell trustee model of file system trustees and trustee rights.

If the Inherit POSIX Permissions option is enabled, it allows the POSIX permissions (GID and mode bits) to be inherited from the parent directory. This lets shared areas be more easily created and managed for local Linux users. However, it makes the volume less secure.

IMPORTANT:The disabled setting for the Inherit POSIX Permissions option is a more secure management method for NCP volumes.

Inherit POSIX Permissions is disabled by default and is not allowed to be set on an NSS volume. There is an explicit check for this, and if the volume is an NSS volume, an error 22 is returned. NSS has its own handling of POSIX permissions. For information, see Section 6.2.1, POSIX Permissions on the NSS File System.

Inherit POSIX Permissions is disabled by default on clustered NCP volumes in OES 2 SP1 Linux and earlier releases. You cannot use the methods described in this section to set the Inherit POSIX Permissions option for a clustered NCP volume because it does not have an entry in the ncpserv.conf file. The clustered NCP volume is defined in the mount command line in its cluster resource load script and removed in its unload script.

Use any of the following methods to configure the Inherit POSIX Permissions setting for unclustered NCP volumes:

10.8.1 Configuring the Inherit POSIX Permissions for a New NCP Volume

You can enable or disable the Inherit POSIX Permissions option when you create an NCP volume on a Linux POSIX file system in Novell Remote Manager. The option is disabled by default. For information about creating an NCP volume, see Section 10.2.1, Using Novell Remote Manager to Create an NCP Volume on a Linux File System.

10.8.2 Configuring the Inherit POSIX Permissions Setting for an Existing NCP Volume

Using Novell Remote Manager to Configure Permissions

  1. In a Web browser, open Novell Remote Manager for Linux for the server you want to manage, then log in as the root user.

  2. Select Manage NCP Services > Manage Shares.

  3. On the NCP Shares page, locate the volume’s share name in the Active Shares area.

  4. If the volume is mounted, click Unmount next to its share name.

  5. Click the Information icon next to the volume’s share name.

  6. On the Share Information page, click Attributes.

  7. On the Modify Volume Properties page, enable or disable the Inherit_POSIX_Permissions parameter by selecting or deselecting its check box, then click Update.

  8. On the NCP Shares page, mount the volume by clicking Mount next to its share name.

    Novell Remote Manage for Linux automatically restarts the NetIQ eDirectory daemon to make the changed setting take effect.

Using NCPCON to Configure Permissions

  1. Open a terminal console, then log in as the root user.

  2. Start NCPCON by entering the following at the terminal console prompt:

    ncpcon
    
  3. Display the current volume settings by entering the following at the NCPCON prompt:

    change volume ncp_volumename
    

    Replace ncp_volumename with the name of the NCP volume you want to manage.

  4. Dismount the volume by entering the following at the NCPCON prompt:

    dismount ncp_volumename
    

    Replace ncp_volumename with the name of the volume you want to manage.

  5. Enable or disable the Inherit_POSIX_Permissions (set the parameter to On or Off), by entering one the following commands:

    change volume ncp_volumename Inherit_POSIX_Permissions on
    
    change volume ncp_volumename Inherit_POSIX_Permissions off
    
  6. Mount the volume by entering the following at the NCPCON prompt:

    mount ncp_volumename
    
  7. Display the volume settings again to verify the change you made to the Inherit_POSIX_Permissions setting. At the NCPCON prompt, enter

    change volume ncp_volumename
    
  8. Exit NCPCON by entering

    exit
    

Using ncpserv.conf to Configure Permissions

You can enable or disable the Inherit POSIX Permissions parameter for an existing NCP volume by adding the Inherit_POSIX_Permissions flag to the VOLUME definition for that volume in the NCP Server configuration file (/etc/opt/novell/ncpserv.conf). Remove the flag from a volume definition to disable it.

  1. Dismount the NCP volume where you want to change the setting.

    1. Open a terminal console, then log in as the root user.

    2. At the terminal console prompt, enter

      ncpcon dismount ncp_volumename
      

      Replace ncp_volumename with the name of the volume you want to manage.

  2. Modify the setting for the volume in the /etc/opt/novell/ncpserv.conf file.

    1. Open the /etc/opt/novell/ncpserv.conf file in text editor.

    2. Do one of the following:

      • Enable: Add the Inherit_POSIX_Permissions flag to the end of the VOLUME definition line for the NCP volume where you want to enable it:

        For example:

        VOLUME TEST1 /usr/Novell/TEST1 Inherit_POSIX_Permissions
        
      • Disable: Remove the Inherit_POSIX_Permissions flag from the VOLUME definition line for the NCP volume where you want to disable it. This is the default setting.

        For example:

        VOLUME TEST1 /usr/Novell/TEST1
        
    3. Save the file.

      The changes do not go into effect until you restart ndsd.

  3. Restart the NetIQ eDirectory (ndsd) daemon to make the changes to ncpserv.conf go into effect.

    Use the following steps to stop and start ndsd when a single instance is running. For information about stopping and starting ndsd when you are running multiple instances of it on the same server, see Using Multiple Instances in the NetIQ eDirectory 8.8 SP7 What’s New Guide.

    1. Use the following commands to stop ndsd:

      rcndsd stop
      
    2. Use the following commands to start ndsd:

      rcndsd start
      
  4. Mount the NCP volume:

    1. Open a terminal console, then log in as the root user.

    2. At the terminal console prompt, enter

      ncpcon mount ncp_volumename
      

      Replace ncp_volumename with the name of the volume that you modified.

10.8.3 Configuring Inherit POSIX Permissions for a Clustered NCP Volume

To set the Inherit POSIX Permissions option for a clustered volume, add "/OPT=Inherit_POSIX_Permissions" to the mount command. Place the option before the volume name; otherwise, the mount fails.

The syntax for the mount command line in the cluster load script is:

exit_on_error ncpcon mount /OPT=Inherit_POSIX_Permissions <NCPvolumename>=VOL_ID,PATH=<volumeMountPoint>