Open System Services NFS Management and Operations Guide
File-Creation Control
The file-creation-control programs and databases are part of either the Safeguard product or a
third-party product such as CA-Unicenter. Either product can authorize and audit file-creation accesses
to volumes that are part of an exported OSS NFS fileset, using access lists of authorized users set
up for each volume, as follows:
• Authorization: the access-control list is checked to determine whether this user has authority
to create a file on this volume.
• Auditing: file-creation events in an exported OSS NFS fileset are logged. Auditing applies
only to the creation of files and does not extend to more general file accesses.
File-creation control can be applied only to volumes. Read, write, and execute operations cannot
be protected by this mechanism; instead, these operations are handled by file-access control,
described in “File-Access Control” (page 58).
File Permissions Required for OSS NFS Operations
The following table lists the OSS file-access permissions a user needs to perform each OSS NFS
operation:
OSS NFS Operation: Required File Permission (see note 1)
• CREATE: CREATE authority on the Safeguard access control list for the containing disk volume, and write
and execute permission on the containing directory.
• GETATTR: No required permissions.
• LINK: Write and execute permission on the link’s containing directory.
• LOOKUP: Execute permission on the containing directory.
• MKDIR: Write and execute permission on the containing directory.
• READ: Either read or execute permission on the specified file.
• READDIR: Read permission on the specified directory.
• READLINK: Execute permission on the containing directory.
• REMOVE: Write and execute permission on the containing directory.
• RENAME: Write permission on the containing directories of both the old and new names.
• RMDIR: Write permission on the directory itself.
• SETATTR: For timestamps, either appropriate privileges, ownership, or write permission on the object
is required. For file modes, the chmod() policy must be satisfied. For an object’s owner UID or GID,
the chown() policy must be satisfied. If a file has one or more file privileges, the NFS SETATTR
operation is denied.
• STATFS: No required permissions.
• SYMLINK: Write and execute permission on the containing directory.
• WRITE: Write permission on the specified file. If a file has one or more file privileges, the NFS
WRITE operation is denied.
Note 1: The super ID does not have appropriate privileges to access files it does not own in a restricted-access fileset. However,
if the executable file started by the super ID has the PRIVSETID file privilege, the super ID can switch to another ID and
60 OSS NFS Security
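The two mechanisms described above (the per-volume CREATE access list with its audit record, and the per-operation POSIX permission requirements in the table) can be modelled as one authorization routine. The following is an added example written for this page, not HP NonStop or Safeguard code: the Subject and Inode types, the volume name "$DATA1", the per-volume UID list, the audit-record format, and the treatment of the chmod()/chown() policies as owner-only checks are all constructed assumptions. It applies the table's rules to constructed directories and files and shows the two denial cases the table calls out (no CREATE authority on the volume; a file carrying a file privilege refusing WRITE and SETATTR even for its owner).

```python
"""Executable model of the OSS NFS access checks on this page (added example,
not HP NonStop code). Subject, Inode, the per-volume CREATE list and the
audit-record format are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: FrozenSet[int]


@dataclass(frozen=True)
class Inode:
    path: str
    volume: str                                    # constructed volume name, e.g. "$DATA1"
    owner_uid: int
    owner_gid: int
    mode: int                                      # POSIX permission bits, e.g. 0o750
    file_privileges: FrozenSet[str] = frozenset()  # e.g. {"PRIVSETID"}


def has_perm(subj: Subject, node: Inode, perm: str) -> bool:
    """Owner/group/other evaluation of one bit; perm is 'r', 'w' or 'x'.
    No UID is special-cased: the page notes the super ID gets no appropriate
    privileges on files it does not own in a restricted-access fileset."""
    shift = {"r": 2, "w": 1, "x": 0}[perm]
    if subj.uid == node.owner_uid:
        cls = 6
    elif node.owner_gid in subj.gids:
        cls = 3
    else:
        cls = 0
    return bool((node.mode >> (cls + shift)) & 1)


# Operations whose requirement is bits on the containing directory (from the table).
PARENT_DIR_BITS = {"CREATE": "wx", "LINK": "wx", "MKDIR": "wx", "REMOVE": "wx",
                   "SYMLINK": "wx", "LOOKUP": "x", "READLINK": "x"}


class Authorizer:
    def __init__(self, volume_create_acl: Dict[str, FrozenSet[int]]):
        # File-creation control: per-volume list of UIDs holding CREATE authority.
        self.volume_create_acl = volume_create_acl
        self.audit_log: List[str] = []

    def check(self, op: str, subj: Subject, *, parent: Optional[Inode] = None,
              target: Optional[Inode] = None, new_parent: Optional[Inode] = None,
              attr: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for one NFS operation."""
        if op in ("GETATTR", "STATFS"):
            return True, "no permission required"
        if op in PARENT_DIR_BITS:
            if op == "CREATE":
                # The volume's access list is consulted first and the event is audited.
                # Recording denials as well as grants is an assumption of this model.
                ok = subj.uid in self.volume_create_acl.get(parent.volume, frozenset())
                self.audit_log.append(f"CREATE uid={subj.uid} volume={parent.volume} "
                                      f"dir={parent.path} result={'ALLOW' if ok else 'DENY'}")
                if not ok:
                    return False, f"no CREATE authority on volume {parent.volume}"
            need = PARENT_DIR_BITS[op]
            ok = all(has_perm(subj, parent, p) for p in need)
            return ok, f"needs {need} on containing directory {parent.path}"
        if op == "READ":
            ok = has_perm(subj, target, "r") or has_perm(subj, target, "x")
            return ok, f"needs r or x on {target.path}"
        if op == "READDIR":
            return has_perm(subj, target, "r"), f"needs r on {target.path}"
        if op == "RMDIR":
            return has_perm(subj, target, "w"), f"needs w on {target.path}"
        if op == "RENAME":
            ok = has_perm(subj, parent, "w") and has_perm(subj, new_parent, "w")
            return ok, f"needs w on {parent.path} and {new_parent.path}"
        if op in ("WRITE", "SETATTR") and target.file_privileges:
            # A file carrying any file privilege cannot be written or have attributes set over NFS.
            return False, f"{op} denied: {target.path} has file privileges {sorted(target.file_privileges)}"
        if op == "WRITE":
            return has_perm(subj, target, "w"), f"needs w on {target.path}"
        if op == "SETATTR":
            is_owner = subj.uid == target.owner_uid
            if attr == "times":
                ok = is_owner or has_perm(subj, target, "w")
            elif attr in ("mode", "owner"):
                ok = is_owner  # chmod()/chown() policy modelled as owner-only (assumption)
            else:
                raise ValueError(f"unknown attribute kind {attr!r}")
            return ok, f"SETATTR {attr} on {target.path}"
        raise ValueError(f"unknown NFS operation {op!r}")


def demo() -> Dict[str, object]:
    """Run the checks over constructed subjects and objects."""
    auth = Authorizer({"$DATA1": frozenset({100})})      # only uid 100 may create on $DATA1
    alice, bob = Subject(100, frozenset({10})), Subject(200, frozenset({10}))
    docs = Inode("/nfs/docs", "$DATA1", 100, 10, 0o750)    # group 10 gets r-x only
    report = Inode("/nfs/docs/report.txt", "$DATA1", 100, 10, 0o640)
    tool = Inode("/nfs/docs/tool", "$DATA1", 100, 10, 0o755, frozenset({"PRIVSETID"}))
    return {
        "alice_create": auth.check("CREATE", alice, parent=docs)[0],
        "bob_create": auth.check("CREATE", bob, parent=docs)[0],
        "bob_mkdir": auth.check("MKDIR", bob, parent=docs)[0],
        "bob_lookup": auth.check("LOOKUP", bob, parent=docs)[0],
        "bob_read": auth.check("READ", bob, target=report)[0],
        "bob_write": auth.check("WRITE", bob, target=report)[0],
        "alice_write_privileged": auth.check("WRITE", alice, target=tool)[0],
        "alice_touch": auth.check("SETATTR", alice, target=report, attr="times")[0],
        "bob_touch": auth.check("SETATTR", bob, target=report, attr="times")[0],
        "alice_rename": auth.check("RENAME", alice, parent=docs, new_parent=docs)[0],
        "create_audit_records": len(auth.audit_log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model keeps the volume-level CREATE check separate from, and ahead of, the directory permission check, which mirrors the page's distinction between file-creation control (volumes, audited) and file-access control (read, write, execute on individual objects, not audited by this mechanism). Because both CREATE attempts leave an audit record, the log can be reviewed for creation attempts that were refused at the volume level before any directory permission was consulted.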