Using UnixWare only for file access control

When UNIX is selected as the mode for file access control, the UnixWare permission bits are used to calculate effective NetWare rights to a file or directory. Each NetWare Services user has a UID and a GID and these are compared with the file or directory's UID and GID. The UID and GID are established by default or through the hybrid user feature.

``UnixWare file access control checks'' illustrates this process.

UnixWare file access control checks

NetWare Services users can have a match on more than one UID. The UID matches under the following conditions:

• The NetWare user's hybrid UID matches the file's (or directory's) UID.

• The file's (or directory's) UID is nwuser and the user is logged in.

• The file's (or directory's) UID is nwroot and the user is logged in to the NetWare server as the network administrator.

The GIDs match under the following conditions:

• The NetWare user's hybrid GID matches the file's (or directory's) GID. Although UnixWare allows a user to belong to more than one group, currently only the UnixWare user's primary group is used, the GID obtained with the getpwnam(3C). function. All other group GIDs are ignored.

• The file's (or directory's) GID is nwgroup and the user is logged in.

Two NetWare rights, Supervisor and Access Control, are never granted, since granting them would imply that the user can use NetWare trustee assignments to control access. With UNIX as the mode for file access, access control changes must occur from UnixWare.

The following table shows how UnixWare rights are translated to NetWare rights.

Translating UnixWare permissions to NetWare rights

UnixWare permissions		NetWare effective rights
Parent Directory	File or Directory	File	Directory
---	Any	No Rights	No Rights
r	Any	No Rights	No Rights
rw	Any	No Rights	No Rights
wx	Any	No Rights	No Rights
x	Any	No Rights	No Rights
w	Any	No Rights	No Rights
wx	Any	No Rights	No Rights
rwx	---	CEF	No Rights
rwx	r	RCEF	No Rights
rwx	rw	RWCEF	RWCEF
rwx	rwx	RWCEF	REF
rwx	rx	RCEF	No Rights
rwx	w	WCEF	No Rights
rwx	wx	WCEF	No Rights
rwx	x	CEF	No Rights
rx	---	F	No Rights
rx	r	RF	No Rights
rx	rw	RWF	No Rights
rx	rwx	RWF	RWCF
rx	rx	RF	RF
rx	w	WF	No Rights
rx	wx	WF	No Rights
rx	x	F	No Rights

         UnixWare permissions           NetWare effective rights
 Parent Directory   File or Directory   File           Directory
 ---                Any                 No Rights      No Rights
 r                  Any                 No Rights      No Rights
 rw                 Any                 No Rights      No Rights
 wx                 Any                 No Rights      No Rights
 x                  Any                 No Rights      No Rights
 w                  Any                 No Rights      No Rights
 wx                 Any                 No Rights      No Rights
 rwx                ---                 CEF            No Rights
 rwx                r                   RCEF           No Rights
 rwx                rw                  RWCEF          RWCEF
 rwx                rwx                 RWCEF          REF
 rwx                rx                  RCEF           No Rights
 rwx                w                   WCEF           No Rights
 rwx                wx                  WCEF           No Rights
 rwx                x                   CEF            No Rights
 rx                 ---                 F              No Rights
 rx                 r                   RF             No Rights
 rx                 rw                  RWF            No Rights
 rx                 rwx                 RWF            RWCF
 rx                 rx                  RF             RF
 rx                 w                   WF             No Rights
 rx                 wx                  WF             No Rights
 rx                 x                   F              No Rights

• The File Scan right is given only if the directory has r and x permissions. In the parent directory, a user must have the x permission to access a subdirectory and r and x permissions to have any NetWare rights.

• The Modify right is given only if the user is the owner of the file and the parent directory has the Create right (UnixWare permission bits rwx are set in the parent directory).

• The Supervisor and Access Control rights are never granted.

• The Erase right is removed if the user is not the owner of the file or directory and the parent directory has the UnixWare sticky permission bit.

Additional rules

In addition to mapping UID and GIDs and converting UnixWare permissions into NetWare rights, the following rules are used to determine UnixWare access to a file or directory:

• Attached NetWare users always have Read and Execute rights to the files in the SYS:LOGIN directory and any subdirectories.

• The path from the volume mount point is used to calculate access to a file or directory. UnixWare permissions above the volume mount point are ignored.

• To access a file or directory, a user must have the x permission in all directories from the volume mount point to the current directory in question.

  For the user to access a file in the current directory, the user must have r and x permissions to the current directory, as well as some file permissions.

Volume, file, and directory attributes

NetWare Services has one volume attribute, Read-Only. It overrides any UnixWare permissions that would allow NetWare users to write to or create files in the volume.

NetWare has a number of file and directory attributes: Delete-Inhibit, Read-Only, Rename-Inhibit, and so on) which are enforced for NetWare users.

Hybrid variables

The hybrid variables affect the UnixWare enforcement of the permission bits.

Hybrid users are granted rights to files and directories that match with their hybrid UID and GID as well as to all files and directories owned by nwuser or nwgroup.

Since NetWare users who are not hybrid users use nwuser and nwgroup as their default UID and GID, all files and directories that these users create are accessible to all hybrid users.

If this is a security problem, you can set the ``Hybrid Allow Default User'' variable in NetWare Setup to ``No''. This forces every NetWare user to be a hybrid user in order to log in to the NetWare server. But it also allows all the UnixWare files and directories created from NetWare to be owned by the UnixWare user who created them.

If the NetWare volumes are NFS-mounted, set the ``Allow Processes to Assume Hybrid User IDs?'' variable in NetWare Setup to ``Yes''.

Forcing all NetWare users to be hybrid users is the best method of enforcing security with the ``UNIX'' mode for file access. In this mode, all NetWare users should have sufficient rights to the files and directories that they create to control access from UnixWare.

File access control utilities

Since neither the Supervisor or the Access Control right is ever granted on volumes with UnixWare-made access control, all the NetWare utilities (FILER, NetWare Administrator, NETADMIN, and RIGHTS) that allow users to make trustee assignments will return with an insufficient rights error. Therefore, even the NetWare administrator has insufficient rights to make trustee assignments.

Changes to NetWare rights must be done from UnixWare using UnixWare utilities. Hybrid users on DOS workstations can use NVT2 (Novell Virtual Terminal 2) through Host Presenter to access the UnixWare side of the NetWare Services server and change permissions.

OS/2 clients can use NVT2 from a DOS session. For more information, see Terminal Emulators for DOS/Windows.

The NetWare utilities that display a user's rights should accurately display the user's effective rights as they have been translated from the UnixWare permissions.