NFS Server
20.1 Key Concepts
20.1.5 Mapping the Default User
In a trusted environment, you may want the server to grant restricted access even
if the incoming UID does not map to an OpenVMS account. This is accomplished
by adding a proxy entry for the default user. The NFS server defines the default
user at startup with the following attributes:
noproxy_uid
noproxy_gid
You can initialize these attributes using the SYSCONFIG command, which is
defined by the SYS$MANAGER:TCPIP$DEFINE_COMMANDS.COM procedure.
For example:
$ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS
$ SYSCONFIG -r nfs_server noproxy_uid=-2 noproxy_gid=-2
If the server finds a proxy entry for the default user, it grants access to OpenVMS
files as the OpenVMS user associated with ‘‘nobody’’ in the proxy record. TCP/IP
Services normally uses the UNIX user ‘‘nobody’’ (–2/–2) as the default user.
To temporarily modify run-time values for the default user, use the
/UID_DEFAULT and /GID_DEFAULT qualifiers to the SET NFS_SERVER command.
To permanently modify these values, edit the
SYS$STARTUP:TCPIP$NFS_SYSTARTUP.COM file with the commands to define new
values for the UID and GID logical names. See Section 20.12 for instructions
on modifying SYSCONFIG variables to change the default values.
If you require tighter restrictions, you can disable the default user mapping and
set additional security controls by setting the attribute noproxy_enabled. See
Section 20.11 for more information.
Note
The configuration procedure for the NFS client creates a nonprivileged
account with the user name TCPIP$NOBODY. You may want to add
a proxy record for the default user that maps to the TCPIP$NOBODY
account.
20.1.6 Mapping a Remote Superuser
When a remote UNIX client does a mount, it is often performed by the superuser.
(In some UNIX implementations, this can be performed only by the superuser.)
A superuser (root) on a remote client does not automatically become a privileged
user on the server. Instead, the superuser (UID=0) is mapped to the default
user defined with the attributes noproxy_uid and noproxy_gid. (By default, user
‘‘nobody’’ (–2/–2) is used.)
You may have remote clients that use the superuser to mount file systems. If you
want to grant normal root permissions, add a proxy record with UID=0/GID=1
and map this to an appropriate OpenVMS account. The ability of the remote
superuser to mount and access files on the server is controlled by the privileges
you grant for this OpenVMS account.
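
The mapping rules in Sections 20.1.5 and 20.1.6 can be checked against a planned proxy table with a small model. This is an added example, not code from TCP/IP Services. It assumes records match on the exact UID/GID pair (host matching is ignored), uses constructed accounts SMITH and NFS_ROOT, and uses a hypothetical boolean default_mapping to stand in for the noproxy_enabled control.

```python
from typing import Dict, Optional, Tuple

ProxyTable = Dict[Tuple[int, int], str]

# Constructed sample proxy records: (UID, GID) -> OpenVMS account.
PROXIES: ProxyTable = {
    (1234, 15): "SMITH",         # constructed ordinary user
    (-2, -2): "TCPIP$NOBODY",    # default-user record suggested in the Note
}


def resolve(uid: int, gid: int, proxies: ProxyTable,
            noproxy_uid: int = -2, noproxy_gid: int = -2,
            default_mapping: bool = True) -> Optional[str]:
    """Return the OpenVMS account an incoming UID/GID is served as, or None."""
    # An explicit record wins. It is also the only way remote root (0/1)
    # is served as anything other than the default user.
    account = proxies.get((uid, gid))
    if account is not None:
        return account
    # default_mapping is a hypothetical stand-in for noproxy_enabled.
    if not default_mapping:
        return None
    # Fall back to the default user; access is granted only if a proxy
    # record exists for (noproxy_uid, noproxy_gid).
    return proxies.get((noproxy_uid, noproxy_gid))


def report(proxies: ProxyTable, **settings) -> Dict[str, Optional[str]]:
    """Resolve three representative clients against a proxy table."""
    cases = {"mapped user": (1234, 15),
             "unmapped user": (501, 20),
             "remote root": (0, 1)}
    return {name: resolve(u, g, proxies, **settings)
            for name, (u, g) in cases.items()}


if __name__ == "__main__":
    with_root = dict(PROXIES)
    with_root[(0, 1)] = "NFS_ROOT"   # constructed account for a root proxy
    for label, table, settings in [
            ("default table", PROXIES, {}),
            ("root proxy added", with_root, {}),
            ("default mapping disabled", PROXIES, {"default_mapping": False})]:
        print(label, report(table, **settings))
```

With the sample table, remote root and any unmapped UID are both served as TCPIP$NOBODY, so the privileges of that one account bound what every unrecognized client can do.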