NFS Gateway for NetWare 6.5: Clarifying the two layers of security

  • 7004886
  • 18-Nov-2009
  • 26-Apr-2012

Environment

Novell NetWare 6.5
Novell NFS Gateway for NetWare 6.5

Situation

When giving NetWare users access to the file system on an NFS Gateway volume, there are 2 layers of security which file system requests must pass through.  This document attempts to clarify the way this works.

Resolution

When an NCP client or a NetWare process requests access to an NFS Gateway volume, that request has to pass through both NetWare access control (Novell Trustee Rights) and the file system access control on the remote NFS Server (usually a Unix or Linux device, with POSIX ownership / permissions).  If either of these access control methods denies the request, it will fail.
 
More specifically, the following evaluation / sequence occurs:
 
1.  Does the user have sufficient trustee rights to accomplish this task?
   a.  NO  --> Deny Access.  STOP.
   b.  YES --> Continue to step 2.
 
2.  The NetWare NFS Gateway system builds a request to send to the remote NFS Server.  This request must contain some credentials, so the remote NFS Server can evaluate whether to allow or deny the request.  Credentials include a User ID (UID), a Primary Group ID (GID) and optionally, up to 16 "supplemental" GIDs.  These credentials are determined as follows:
   a.  Is "-forceAnonUidGid" set for this NFS Gateway Volume?
      i.  Yes.  -->  Skip to 2c
      ii.  No.  -->  Continue to 2b
   b.  Does the user have a Linux Profile?
      i.  Yes.  --> Use the UID and Primary GID from the Linux Profile.  Also use the GIDs of up to 16 other NetWare groups of which the user is a member, to build a list of supplementary GIDs.  Skip to 3.
      ii.  No.  -->  Continue to 2c.
   c.  Use the AnonUid and AnonGid set for this volume.  The defaults are both 55555.
 
3.  The NFS request formed in step 2 is sent to the remote NFS Server.  It then evaluates whether to allow or deny the request, based on the credentials it has received and the access controls set in its own file system.  Typically, the access controls in its own file system will specify what UID and GID own the file or directory, and will show three sets of permissions on the file or directory:  One set of permissions for that UID; one set of permissions for that GID; and one set of permissions for everyone else.  Evaluation will be as follows:
   a.  Do the credentials supplied in the request contain the matching UID owner?
      i.  Yes.  --> Evaluate the request based on the UID owner permissions.  END.
      ii.  No.  -->  Continue to 3b.
   b.  Do the credentials supplied in the request contain a match for the GID owner?
      i.  Yes.  -->  Evaluate the request based on the GID owner permissions.  END.
      ii.  No.  -->  Evaluate the request based on the permissions for "everyone else."  END.
 
NOTE:  There are a few other twists that can occur if the requests are being made as UID 0 (root).  In that case, the NFS Server may, according to its own configuration, treat that user as a true root user; or as "nobody" (UID -2), which would fall into the category of "everyone else"; or as a total nonentity with no access at all.  Similarly, if the request was directly made as "nobody", the system could decide whether to treat it as "nobody" or to treat it as a nonentity with no access.
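
The sequence in steps 1 to 3 can be modelled as a small Python sketch for reasoning about why a given request is allowed or denied.  This is an added example, not Novell code: every class and function name is hypothetical, the choice of the first 16 groups is an assumption, and the UID 0 / "nobody" special cases from the NOTE are not modelled.

```python
# Added illustration of steps 1-3; not part of the NFS Gateway product.
# All names here (LinuxProfile, Volume, gateway_access, ...) are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LinuxProfile:
    uid: int
    gid: int
    group_gids: list = field(default_factory=list)  # GIDs of the user's other NetWare groups

@dataclass
class Volume:
    force_anon: bool = False   # models -forceAnonUidGid
    anon_uid: int = 55555      # defaults stated in the document
    anon_gid: int = 55555

def build_credentials(vol: Volume, profile: Optional[LinuxProfile]):
    """Step 2: (UID, primary GID, supplemental GIDs) sent to the NFS server."""
    if vol.force_anon or profile is None:           # 2a-i or 2b-ii -> 2c
        return vol.anon_uid, vol.anon_gid, []
    # 2b-i: at most 16 supplemental GIDs (taking the first 16 is an assumption)
    return profile.uid, profile.gid, profile.group_gids[:16]

def posix_allows(mode, owner_uid, owner_gid, creds, want):
    """Step 3: the first matching class decides; there is no fall-through."""
    uid, gid, supp = creds
    if uid == owner_uid:                            # 3a
        bits = (mode >> 6) & 7
    elif owner_gid == gid or owner_gid in supp:     # 3b-i
        bits = (mode >> 3) & 7
    else:                                           # 3b-ii, "everyone else"
        bits = mode & 7
    return (bits & want) == want

def gateway_access(has_trustee_rights, vol, profile, mode, owner_uid, owner_gid, want):
    """Both layers must allow the request. want: 4=read, 2=write, 1=execute."""
    if not has_trustee_rights:                      # Step 1
        return False
    creds = build_credentials(vol, profile)
    return posix_allows(mode, owner_uid, owner_gid, creds, want)

if __name__ == "__main__":
    # Constructed sample: user 1001:100 reading a file owned by 1001:100, mode 0640
    prof = LinuxProfile(uid=1001, gid=100, group_gids=[200])
    print(gateway_access(True, Volume(), prof, 0o640, 1001, 100, 4))
    # Same request with -forceAnonUidGid set: sent as 55555:55555, lands in "everyone else"
    print(gateway_access(True, Volume(force_anon=True), prof, 0o640, 1001, 100, 4))
```

Note the owner case with mode 0066: the UID matches, so the owner permissions (none) decide and the request is denied even though the group and "everyone else" bits would have allowed it.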