NIS+ Transition Guide

Planning Access Rights to NIS+ Groups and Directories

After arranging your principals into groups, determine the kinds of access rights granted by the objects in the namespace to those groups, as well as to the other classes of principal (nobody, owner, group, and world). Planning these assignments ahead of time will help you establish a coherent security policy.

As shown in Table 3-1, NIS+ provides different default access rights for different namespace objects.

Table 3-1 Default Access Rights for NIS+ Objects

Object                         Nobody   Owner    Group    World
Root-directory object          r---     rmcd     rmcd     r---
Non-root directory object      r---     rmcd     rmcd     r---
groups_dir directory objects   r---     rmcd     rmcd     r---
org_dir directory objects      r---     rmcd     rmcd     r---
NIS+ groups                    ----     rmcd     r---     r---
NIS+ tables                    varies   varies   varies   varies

You can use the default rights or assign your own. If you assign your own, you must consider how the objects in your namespace will be accessed. Keep in mind that the nobody class accepts all requests from NIS+ clients, whether authenticated or not. The world class comprises all authenticated requests from NIS+ clients. Therefore, if you don't want to provide namespace access to unauthenticated requests, don't assign any access rights to the nobody class; reserve them for the world class only. On the other hand, if you expect some clients (through applications, for instance) to make unauthenticated read requests, you should assign read rights to the nobody class. If you want to support NIS clients in NIS-compatibility mode, you must assign read rights to the nobody class.

Also consider the rights that each type of namespace object assigns to the NIS+ groups you specified earlier. Depending on how you plan to administer the namespace, you can assign all or some of the available access rights to the group. A good solution is to have the user root on the master server be the owner of the admin group. The admin group should have create and destroy rights on the objects in the root domain. If you want only one administrator to create and modify the root domain, then put just that administrator in the admin group. You can always add additional members to the group. If several administrators are involved in the setup process, put them all in the group and assign full rights to it. That is easier than switching ownership back and forth.

Finally, the owner of an object should have full rights, although this is not as important if the group does. A namespace is more secure if you give only the owner full rights, but it is easier to administer if you give the administrative group full rights.
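The following is an added illustration, not part of the guide or of the NIS+ software: a small Python model of the four principal classes described above (nobody, owner, group, world) and of the rmcd rights fields (read, modify, create, destroy) from Table 3-1. It lets you apply a nischmod-style mode string such as "n-r" or "o=rmcd,g=rmcd,w=r,n=r" to an object's default rights and then ask whether an authenticated or unauthenticated request would be granted a given right. The mode grammar is modelled only as far as the clause forms shown here, and the rule that a requester receives the rights of every class it falls into is an assumption made for this illustration, so treat the output as a planning aid rather than as the server's own decision procedure.

```python
"""Model of NIS+ access-right classes and nischmod-style mode strings.

Added illustration; not the NIS+ implementation. Defaults below are the
directory and group rows of Table 3-1 (rights for NIS+ tables vary).
"""

CLASSES = ("nobody", "owner", "group", "world")
RIGHTS = "rmcd"  # read, modify, create, destroy
WHO = {"n": "nobody", "o": "owner", "g": "group", "w": "world"}

DEFAULT_RIGHTS = {
    "directory": {"nobody": "r---", "owner": "rmcd", "group": "rmcd", "world": "r---"},
    "group":     {"nobody": "----", "owner": "rmcd", "group": "r---", "world": "r---"},
}


def parse_rights(field):
    """'r-cd' -> {'r', 'c', 'd'}; rejects anything outside the rmcd alphabet."""
    if len(field) != 4:
        raise ValueError(f"bad rights field {field!r}")
    out = set()
    for want, got in zip(RIGHTS, field):
        if got == want:
            out.add(want)
        elif got != "-":
            raise ValueError(f"bad rights field {field!r}")
    return out


def format_rights(rights):
    """Inverse of parse_rights: {'r', 'd'} -> 'r--d'."""
    return "".join(r if r in rights else "-" for r in RIGHTS)


def apply_mode(obj_rights, mode):
    """Return a new rights map with a nischmod-style mode applied.

    mode: comma-separated clauses [who...]op[perm...], e.g. 'n+r', 'w-cd',
    'o=rmcd,g=rmcd,w=r,n=r'. who is any of n o g w, or a for all four
    (assumed subset of the nischmod grammar). The input map is not modified.
    """
    current = {c: parse_rights(v) for c, v in obj_rights.items()}
    for clause in mode.split(","):
        i = 0
        while i < len(clause) and clause[i] not in "+-=":
            i += 1
        if i == len(clause):
            raise ValueError(f"no operator in clause {clause!r}")
        who, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
        if any(p not in RIGHTS for p in perms):
            raise ValueError(f"bad permission in clause {clause!r}")
        if any(c not in WHO and c != "a" for c in who):
            raise ValueError(f"bad class letter in clause {clause!r}")
        targets = CLASSES if "a" in who else [WHO[c] for c in who]
        for cls in targets:
            if op == "+":
                current[cls] |= set(perms)
            elif op == "-":
                current[cls] -= set(perms)
            else:
                current[cls] = set(perms)
    return {c: format_rights(v) for c, v in current.items()}


def permitted(obj_rights, right, *, authenticated, is_owner=False, in_group=False):
    """Decide whether a request is granted `right`.

    Class membership follows the text: every request falls into nobody;
    only authenticated requests fall into world, and only an authenticated
    request can be recognised as the owner or as a group member. Rights of
    all applicable classes are combined (assumption for this illustration).
    """
    classes = ["nobody"]
    if authenticated:
        classes.append("world")
        if is_owner:
            classes.append("owner")
        if in_group:
            classes.append("group")
    return any(right in parse_rights(obj_rights[c]) for c in classes)


if __name__ == "__main__":
    # Planning check: remove read from nobody on a directory and see who loses access.
    locked = apply_mode(DEFAULT_RIGHTS["directory"], "n-r")
    print("locked-down directory rights:", locked)
    print("unauthenticated read:", permitted(locked, "r", authenticated=False))
    print("authenticated read:  ", permitted(locked, "r", authenticated=True))
    print("group create:        ", permitted(locked, "c", authenticated=True, in_group=True))
```

Running the module shows the trade-off the section describes: with the Table 3-1 defaults an unauthenticated request can read a directory object, after "n-r" only authenticated (world) requests can, and create or destroy remain confined to the owner and the administrative group. Run the same check against "n+r" to see what NIS-compatibility mode requires you to open up.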