System Administration Guide: Naming and Directory Services (FNS and NIS+)

Introduction to Authorization and Access Rights

See NIS+ Authorization and Access—Introduction for a description of how authorization and access rights work with NIS+ credentials and authentication to provide security for the NIS+ namespace.

Authorization Classes—Review

As described more fully in Authorization Classes, NIS+ access rights are assigned on a class basis. There are four different NIS+ classes:

Access Rights—Review

As described more fully in NIS+ Access Rights, there are four types of NIS+ access rights:

Keep in mind that these rights logically evolve down from directory to table to table column and entry levels. For example, to create a new table, you must have create rights for the NIS+ directory object where the table will be stored. When you create that table, you become its default owner. As owner, you can assign yourself create rights to the table which allows you to create new entries in the table. If you create new entries in a table, you become the default owner of those entries. As table owner, you can also grant table level create rights to others. For example, you can give your table's group class table level create rights. In that case, any member of the table's group can create new entries in the table. The individual member of the group who creates a new table entry becomes the default owner of that entry.

Concatenation of Access Rights

Authorization classes are concatenated. In other words, the higher class usually belongs to the lower class and automatically gets the rights assigned to the lower class. It works like this:

The basic principle that governs this is that access rights override the absence of access rights. In other words, a higher class can have more rights than a lower class, but not fewer rights. (The one exception to this rule is that if the owner is not a member of the group, it is possible to give rights to the group class that the owner does not have.)

How Access Rights Are Assigned and Changed

When you create an NIS+ object, NIS+ assigns that object a default set of access rights for the owner and group classes. By default, the owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable.

Specifying Different Default Rights

NIS+ provides two different ways to change the default rights that are automatically assigned to an NIS+ object when it is created.

Changing Access Rights to an Existing Object

When an NIS+ object is created, it comes into existence with a default set of access rights (from either the NIS_DEFAULTS environment variable or as specified with the -D option). These default rights can be changed with the

Table, Column, and Entry Security

NIS+ tables allow you to specify access rights on the table three ways:

A field is the intersection between a column and an entry (row). All data values are entered in fields.

These column- and entry level access rights allow you to specify additional access to individual rows and columns that override table level restrictions, but column and entry level rights cannot be more restrictive than the table as a whole:

Table, Column, Entry Example

Column- or entry level access rights can provide additional access in two ways: by extending the rights to additional principals or by providing additional rights to the same principals. Of course, both ways can be combined. Following are some examples.

Assume a table object granted read rights to the table's owner:

Table 15–1 Table, Column, Entry Example 1

 

Nobody 

Owner 

Group 

World 

Table Access Rights: 

----

r---

----

----

This means that the table's owner could read the contents of the entire table but no one else could read anything. You could then specify that Entry-2 of the table grant read rights to the group class:

Table 15–2 Table, Column, Entry Example 2

 

Nobody 

Owner 

Group 

World 

Table Access Rights: 

----

r---

----

----

Entry-2 Access Rights: 

----

----

r---

----

Although only the owner could read all the contents of the table, any member of the table's group could read the contents of that particular entry. Now, assume that a particular column granted read rights to the world class:

Table 15–3 Table, Column, Entry Example 3

 

Nobody 

Owner 

Group 

World 

Table Access Rights: 

----

r---

----

----

Entry-2 Access Rights: 

----

----

r---

----

Column-1 Access Rights: 

----

----

----

r---

Members of the world class could now read that column for all entries in the table . Members of the group class could read everything in Column-1 (because members of the group class are also members of the world class) and also all columns of Entry-2. Neither the world nor the group classes could read any cells marked *NP* (for Nor Permitted).

Table 15–4 Table, Column, Entry Example 4

 

Col 1 

Col 2 

Col 2 

Entry-1 

contents 

*NP*

*NP*

Entry-2 

contents 

contents 

contents 

Entry-3 

contents 

*NP*

*NP*

Entry-4 

contents 

*NP*

*NP*

Entry-5 

contents 

*NP*

*NP*

Rights at Different Levels

This section describes how the four different access rights (read, create, modify, and destroy) work at the four different access levels (directory, table, column, and entry).

The objects that these various rights and levels act on are summarized in Table 15–5:

Table 15–5 Access Rights and Levels and the Objects They Act Upon

 

Directory 

Table 

Column 

Entry 

Read 

List directory contents 

View table contents 

View column contents 

View entry (row) contents 

Create 

Create new directory or table objects 

Add new entries (rows) 

Enter new data values in a column 

Enter new data values in an entry (row) 

Modify 

Move objects and change object names 

Change data values anywhere in table 

Change data values in a column 

Change data values in an entry (row) 

Destroy 

Delete directory objects such as tables 

Delete entries (rows) 

Delete data values in a column 

Delete data values in an entry (row) 

Read Rights

Create Rights

Modify Rights

Destroy Rights

Where Access Rights Are Stored

An object's access rights are specified and stored as part of the object's definition. This information is not stored in an NIS+ table.

Viewing an NIS+ Object's Access Rights

The access rights can be viewed by using the niscat command:


niscat -o objectname

Where objectname is the name of the object whose access rights you want to view.

This command returns the following information about an NIS+ object:

Access rights for the four authorization classes are displayed as a list of 16 characters, like this:


	r---rmcdr---r---

Each character represents a type of access right:

The first four characters represent the access rights granted to nobody, the next four to the owner, the next four to the group, and the last four to the world:

Figure 15–1 Access Rights Display

Diagram shows order of access rights, starting with nobody


Note –

Unlike UNIX file systems, the first set of rights is for nobody, not for the owner.


Default Access Rights

When you create an object, NIS+ assigns the object a default owner and group, and a default set of access rights for all four classes. The default owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable. Table 15–6, shows the default access rights.

Table 15–6 Default Access Rights

Nobody 

Owner 

Group 

World 

read 

read 

read 

modify 

create 

destroy 

If you have the NIS_DEFAULTS environment variable set, the values specified in NIS_DEFAULTS will determine the defaults that are applied to new objects. When you create an object from the command line, you can use the -D flag to specify values other than the default values.

How a Server Grants Access Rights to Tables

This section discusses how a server grants access to tables objects, entries, and columns during each type of operation: read, modify, destroy, and create.


Note –

At security level 0, a server enforces no NIS+ access rights and all clients are granted full access rights to the table object. Security level 0 is only for administrator setup and testing purposes. Do not use level 0 in any environment where ordinary users are performing their normal work.


The four factors that a server must consider when deciding whether to grant access are:

After authenticating the principal making the request by making sure the principal has a valid DES credential, an NIS+ server determines the type of operation and the object of the request.