Open System Services NFS Management and Operations Guide

then access files in restricted-access filesets as that ID. See “NFS Clients, Restricted-Access Filesets, and File Privileges”
(page 61).
NFS Clients, Restricted-Access Filesets, and File Privileges
Version 3 catalog OSS filesets on J06.11 and later J-series RVUs, and H06.22 and later H-series
RVUs can be configured as restricted-access filesets. A fileset is a restricted-access fileset if the
RESTRICTEDACCESS OSS fileset attribute is set to ENABLED or LOCAL.
When accessing a file in a restricted-access fileset, the super ID (255,255 in the Guardian
environment, 65535 in the OSS environment) is restricted by the same file permissions and owner
privileges as any other user ID: It has no special privileges unless the executable file started by the
super ID has the PRIVSETID file privilege. In this case, the process started by the super ID can switch
to another ID and then access files in restricted-access filesets as that ID.
NFS clients that access a restricted-access fileset do not have Safeguard
SECURITY-OSS-ADMINISTRATOR (SOA) privileges or Safeguard SECURITY-PRV-ADMINISTRATOR
(SPA) privileges, even if their user ID is mapped to a NonStop user ID that is a member of those
groups.
If a file has one or more file privileges (such as PRIV_SETID or PRIV_SOARFOPEN), NFS clients
are not permitted to write to that file even if the file permissions allow it and even if the file is in
an unrestricted fileset.
If a directory belongs to a SEEP-protected fileset (SEEPPROTECTED), NFS clients are not permitted
to mount the fileset or, if the fileset is made SEEPPROTECTED after it is mounted, to perform
other NFS operations. The operation fails with an EPERM error. This restriction applies to J06.15
and later J-series RVUs and H06.26 and later H-series RVUs.
For more information about restricted-access OSS filesets, OSS SEEP, and file privileges, see the
Open System Services Management and Operations Guide.
NFS Clients and OSS ACLs
Version 3 catalog OSS filesets on J-series RVUs, on H06.08 and later H-series RVUs, and G06.29
and later G-series RVUs support access control lists (ACLs), in addition to basic file security, for
directories, regular files, FIFO special files, and bound AF_UNIX sockets. OSS ACLs allow a
process whose effective user ID matches the file owner, super ID, or a member of the Safeguard
SECURITY-OSS-ADMINISTRATOR security group to permit or deny access to a list of specific users
and groups.
OSS ACLs:
• Are not supported by the OSS Network File System (NFS) for G-series RVUs, H06.19 and
  earlier H-series RVUs, or J06.08 and earlier J-series RVUs. All attempts by NFS clients to access
  OSS objects protected by OSS ACLs that contain optional ACL entries are denied.
• Are supported by the OSS NFS for J06.09 and later J-series RVUs and H06.20 and later
  H-series RVUs as follows:
  - Access by the OSS Network File System (NFS) to OSS objects protected by OSS ACLs
    that contain optional ACL entries can be allowed, depending upon the NFSPERMMAP
    attribute value for the OSS fileset that contains the object.
  - The NFSPERMMAP attribute value selects the algorithm used to map the OSS ACL
    permissions for the object to the standard permissions (rwxrwxrwx) expected for the object
    by NFS V2 clients.
  - The default value for the NFSPERMMAP attribute, DISABLED, specifies that all attempts
    by NFS clients to access OSS objects protected by OSS ACLs that contain optional ACL
    entries are denied. This behavior matches the behavior for G-series RVUs, H06.19 and
    earlier H-series RVUs, and J06.08 and earlier J-series RVUs.
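The denial rules in the two sections above (SEEPPROTECTED filesets, files with file privileges, and ACLs with optional entries under NFSPERMMAP DISABLED) can be combined into one audit check that explains why an NFS client request is refused. This is an added example, not code from this guide or from any NonStop product. It assumes an RVU on which all three rules apply, a "tag:qualifier:perms" ACL listing in which named user and group entries are the optional ones, a hypothetical NfsTarget record, and a rule order chosen only for illustration.

```python
from dataclasses import dataclass

BASE_TAGS = ("user", "group", "class", "other")

def optional_acl_entries(acl_text):
    """Return named-user/named-group entries from a 'tag:qualifier:perms' listing.

    Assumption: this textual form; the guide page itself shows no ACL syntax.
    Entries with any other tag (for example default: entries) are rejected
    rather than guessed at.
    """
    optional = []
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # ignore comment lines
        if not line:
            continue
        fields = line.split(":")
        if fields[0] not in BASE_TAGS or len(fields) not in (2, 3):
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        if len(fields) == 3 and fields[0] in ("user", "group") and fields[1]:
            optional.append(line)
    return optional

@dataclass(frozen=True)
class NfsTarget:                 # hypothetical record filled in by the auditor
    seep_protected: bool         # fileset is SEEPPROTECTED
    nfspermmap: str              # fileset NFSPERMMAP value, e.g. "DISABLED"
    file_privileges: tuple       # file privileges set on the file, if any
    acl_text: str                # ACL listing for the object

def nfs_client_outcome(target, op):
    """Return (verdict, reason) for an NFS client request; op is 'read' or 'write'."""
    if target.seep_protected:
        return ("deny", "EPERM: fileset is SEEPPROTECTED")
    if op == "write" and target.file_privileges:
        return ("deny", "file has file privileges: " + ", ".join(target.file_privileges))
    if target.nfspermmap == "DISABLED" and optional_acl_entries(target.acl_text):
        return ("deny", "ACL has optional entries and NFSPERMMAP is DISABLED")
    return ("permission-check", "no denial rule applies; mapped permissions decide")

SAMPLE_ACL = """\
# constructed sample listing
user::rw-
user:alice:rw-
group::r--
class:rw-
other:---
"""
```

The "permission-check" verdict means only that none of the three denial rules fired; the NFSPERMMAP mapping algorithms themselves are not modelled.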
File Permissions Required for OSS NFS Operations 61