Full Rights Granted to All Users of NSS Volume

  • 7022503
  • 28-Dec-2017
  • 06-Jul-2021

Environment

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1

Situation

Users logging in via the client can see all files and folders on an NSS volume, not just those for which rights have been explicitly granted.

Resolution

In this particular situation, [Root] had been made a trustee of the Tree object and had been granted Supervisor Entry Rights. Removing that entry right resolved the problem.

To check this from iManager:
Go to Rights | Modify Trustees, select the Tree object, and press OK.
If [Root] is displayed as a trustee of the Tree object, select the Assigned rights link and check whether [Root] has Supervisor Entry Rights. If it does, remove those rights.


Additional Information

A quick way to test whether this resolved the problem is to run the following command from an SSH connection to the server, against the volume (DATA is used here as the example), for a user who was able to see the entire volume but shouldn't have rights to it:

rights -f /media/nss/DATA/ effective testuser.myOU.myO.myTree
where:
testuser = a user that we're checking rights for
myOU = OU for testuser
myO = O for testuser
myTree = Tree for testuser
Note: this is dotted notation.

When the problem is happening, running that command for the user above lists full rights to the volume. After the problem has been resolved, the command should show, at most, limited rights. Here's an example of a user that sees only what they're supposed to:

Effective Rights
---------------------
File: /media/nss/DATA
---------------------
User: testuser.myOU.myO.myTree