Manualshelf

Open System Services NFS Overview

ManualsBrandsHP ManualsServerHP NonStop G-Series
11121314151617181920
2 Security Mechanisms
OSS NFS provides several levels of security to protect its file systems:
At the highest level, the system manager can control which client hosts (systems running NFS client
software) can access subtrees of the OSS NFS file hierarchy. The system manager can specify the
pathname of a directory with a list of client hosts whose users are allowed to mount the directory
on their local system. This level of security is called export control.
The next level of security is based on the security restrictions for each file (or directory). Access to
a file managed by an NFS server is controlled by comparing the owner and mode associated with
the file when it was created or modified with the user ID of the person requesting access to the
file.
In addition to the security mechanisms provided by NFS, objects on a NonStop server can be
protected by:
Security mechanisms available in the Guardian environment, such as the Safeguard product
or other products such as CA-Unicenter. For more information about Guardian security and
Safeguard, see the Safeguard User's Guide and the Security Management Guide.
OSS ACLs in Version 3 catalog OSS filesets on servers running J-series RVUs, H06.08 and
later H-series RVUs, or G06.29 and later G-series RVUs. NFS Version 2 clients are denied
access to objects protected by optional OSS ACL entries unless allowed by the configuration
of OSS fileset NFSPERMMAP attribute on servers running J06.09 and later J-series RVUs or
H06.20 and later H-series RVUs. The NFSPERMMAP attribute value selects the algorithm used
to map the OSS ACL permissions for the object to the standard permissions (rwxrwxrwx)
expected for the object by NFS V2 clients. For information about the NFSPERMMAP attribute,
see the Open System Services Management and Operations Guide. For more information
about OSS ACLs, see the acl(5) reference page either online or in the Open System Services
System Calls Reference Manual.
Restricted-access OSS filesets. Version 3 catalog OSS filesets on J06.11 and later J-series
RVUs and H06.22 and later H-series RVUs can be configured as restricted-access filesets. To
facilitate the management of files in restricted-access filesets, the file privilege attribute was
introduced in J06.11 and H06.22. NFS clients are not permitted to write to any file that has
file privileges, even if the file permissions allow such access, and even if that file is in an
unrestricted fileset. For more information about restricted-access filesets and NFS, see the
Open System Services NFS Management and Operations Guide.
Beginning with the J06.15 and H06.26 RVUs, an OSS Security Event Exit Process (SEEP) is
supported and provides additional file-access authorization:
NFS mount of a directory that belongs to an OSS SEEP-protected fileset is rejected with
EPERM error.
If the fileset is made OSS SEEP-protected post-mount, the NFS operations that follow get
rejected with EPERM error.
For information about the SEEPPROTECTED attribute, see “OSS Fileset SEEPPROTECTED
Attribute” (page 17)
For more information about restricted-access OSS filesets, OSS SEEP, and file privileges, see
the Open System Services Management and Operations Guide.
User IDs
To use any OSS NFS server, you must be registered as a user of the OSS NFS subsystem. You are
registered by your system manager. The system manager creates OSS NFS USER objects that
define a mapped user ID on the NonStop operating system corresponding to your client effective
User IDs 15