Every file and directory has an owner. The owner controls how permissions are set on the file or directory and can grant permissions to others.
When a file or directory is created, the person creating the file or directory automatically becomes its owner. It is expected that administrators will create most files on network servers, such as when they install applications on the server. Therefore, most files on a server will be owned by administrators, except for data files created by users and files in users' home directories.
Ownership can be transferred in the following ways:
The current owner can grant an implied ownership ability to other users by setting Write permission on the files or directories for Group or Others. This enables other people to copy the file, and "inherit" ownership of the duplicate.
An administrator can take ownership of any file on the computer at any time. For example, if an employee leaves the company suddenly, the administrator can take control of the employee's files, no matter what permissions have been set.
Although an administrator can take ownership, the administrator cannot transfer ownership to others. This restriction keeps the administrator accountable.
The administrator also can take file ownership by using the net perms command. For more information, type net help perms at the SunLink Server command prompt.
In addition to files and directories, computer processes also have an owner. A computer process is initiated whenever an executable program is run, and the process is known to the system by a unique identifier. In the Solaris environment, this is called a Process Identifier, or PID.
Unlike file or directory ownership, however, process "ownership" changes whenever the program is executed. While an executable program (a spreadsheet, for example) is originally owned by the person who installed it on the network, the user and group ownership of its process changes when a person runs it. The spreadsheet process owned by root at installation will now be owned by the user and the user's group at execution. Because this change in process ownership has security implications, the SunLink Server program enables you to regulate it.
File-locking is also an important security concern, particularly in a heterogeneous environment of Windows NT and Solaris. While SunLink Server software accords the same file-locking security on network-based files and directories as Windows NT does, locked files may still be accessible directly from a Solaris computer account. SunLink Server software enables you to prevent that, though this protection is not enabled by default because it may degrade overall system performance. If your network includes users who will access files from both Windows NT and Solaris network client machines, you should change this setting to honor Windows NT file-locking from Solaris accounts. See "How to Set Solaris File System Integration Policies".
During SunLink Server installation, users and groups who will be associated with the SunLink Server program were added to the system's local password and group files. If your site uses a Solaris name service such as NIS or NIS+ in the Solaris environment, you should put the group information into the name service maps. When a file is created from a Windows NT Workstation and written to a directory on the Solaris system, the owner is the user who creates the file and the default group is DOS---. While the user information is, in fact, retrieved from the name service maps, the group information is correctly displayed only if the listing of the file is performed on the SunLink Server system itself (default lookup: files nis). If these files are viewed from another Solaris system, the group ID will not be resolved correctly. By putting the group information into the name service maps, you keep the local system files and the maps consistent.
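One way to check that the local group file and the name service map agree, as an added example that is not part of the original documentation or the SunLink Server software. The function name group_drift, the sample group projgrp and every GID shown are constructed for illustration; on a live NIS client the map dump would come from ypcat group.

```shell
#!/bin/sh
# Added example: report groups whose local group-file entry is absent from,
# or disagrees with, the name service group map. Entries reported here will
# show an unresolved or wrong group when files are listed from another host.

group_drift() {
    # $1 = local group file (e.g. /etc/group)
    # $2 = dump of the name service group map (e.g. output of: ypcat group)
    awk -F: '
        # Map dump is read first: remember name -> GID.
        FILENAME == ARGV[1] { if ($1 != "") map[$1] = $3; next }
        # Local file: skip blank lines and +/- name service compat entries.
        $1 == "" || /^[+-]/ { next }
        !($1 in map) { print "MISSING " $1 " " $3; next }
        # Force a string comparison so GIDs are compared exactly as written.
        (map[$1] "") != ($3 "") {
            print "GID_MISMATCH " $1 " local=" $3 " map=" map[$1]
        }
    ' "$2" "$1"
}

sample_report() {
    # Constructed sample data; the GIDs are placeholders, not SunLink values.
    tmp=${TMPDIR:-/tmp}/group_drift.$$
    mkdir "$tmp" || return 1
    cat > "$tmp/local" <<'EOF'
staff::10:
DOS---::100:
projgrp::205:
+
EOF
    cat > "$tmp/map" <<'EOF'
staff::10:
projgrp::250:
EOF
    group_drift "$tmp/local" "$tmp/map"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

sample_report
```

Each MISSING line names a group to add to the name service map; each GID_MISMATCH line names a group whose files will show a different group depending on where they are listed.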