[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide


Administering NIS+ Access Rights

This section assumes that you have a basic understanding of the NIS+ security system, especially of the role that access rights play in that system.

This section provides the following general information about access rights:

If you need to review authorization classes or access rights in general, see Chapter 4, NIS+ Namespace and Structure

Concatenation of Access Rights

Authorization classes are concatenated, in that the higher class usually belongs to the lower class and automatically gets the rights assigned to the lower class. Classes are defined as follows:

Owner Class
An object's owner may, or may not, belong to the object's group. If the owner does belong to the group, the owner gets whatever rights are assigned to the group. The object's owner automatically belongs to the world and nobody classes, so the owner automatically gets whatever rights that object assigns to those two classes.

Group Class
Members of the object's group automatically belong to the world and nobody classes, so the group members automatically get whatever rights that object assigns to world and nobody.

World Class
The world class automatically gets the same rights to an object that are given to the nobody class.

Nobody Class
The nobody class only gets those rights an object specifically assigns to the nobody class.

Access rights override the absence of access rights. In other words, a higher class can have more rights than a lower class, but not fewer rights. (The one exception to this rule is that if the owner is not a member of the group, it is possible to give rights to the group class that the owner does not have.)

How Access Rights Are Assigned and Changed

When you create an NIS+ object, NIS+ assigns that object a default set of access rights for the owner and group classes. By default, the owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable. See Default Access Rights for details.

Specifying Different Default Rights

NIS+ provides two different ways to change the default rights that are automatically assigned to an NIS+ object when it is created.

Changing Access Rights to an Existing Object

When an NIS+ object is created, it comes into existence with a default set of access rights (from either the NIS_DEFAULTS environment variable or as specified with the -D option). These default rights can be changed with the nischmod command and, for table columns, the nistbladm command.

Access Rights and Table Security

NIS+ tables allow you to specify access rights on the table in three ways. You can specify access rights to the following:

A field is a single cell in the matrix or, in other words, the intersection between a column and an entry (row). All data values are entered in fields.

These column- and entry-level access rights allow you to specify additional access to individual rows and columns that override table level restrictions, but column- and entry-level rights cannot be more restrictive than the table as a whole:

Table
The base level. Access rights assigned at the table-level apply to every piece of data in the table unless specifically modified by a column or entry exception. Thus, the table-level rights should be the most restrictive. Remember that authorization classes concatenate. Higher class gets the rights assigned to the lower class. (See Concatenation of Access Rights.)

Column
Allows you to grant additional access rights on a column-by-column basis. For example, if a table level grants no access rights whatsoever to the world and nobody classes, no one in those two classes can read, modify, create, or destroy any data in the table. You can use column-level rights to override a table-level restriction, for example, to permit members of the world class the right to view data in a particular column.

On the other hand, if the table level grants table-wide read rights to the owner and group classes, you cannot use column-level rights to prevent the group class from having read rights to that column.

Keep in mind that a column's group does not have to be the same as the table's group or an entry's group. They can all have different groups.

Entry (row)
Allow you to grant additional access rights on a row-by-row basis. For example, this allows you to permit individual users to change entries that apply to them, but not entries that apply to anyone else.

Keep in mind that an entry's group does not have to be the same as the table's group or a column's group. They can all have different groups. This means that you can permit members of a particular group to work with one set of entries while preventing them from affecting entries belonging to other groups.

Column- or entry-level access rights can provide additional access in two ways: by extending the rights to additional principals or by providing additional rights to the same principals. These methods can be combined. Following are some examples.

In example 1 a table object granted read rights to the table's owner:

Example 1

 

Nobody Owner Group World
Table Access Rights:

----

r---

----

----

In Example 1, the table's owner can read the contents of the entire table but no one else can read anything. You can then specify that the table grant read rights to the group class, as shown in example 2:

Example 2

 

Nobody Owner Group World
Table Access Rights:

----

r---

----

----
Entry-2 Access Rights:

----

----

r---

----

Although only the owner can read all the contents of the table, any member of the table's group can read the contents of that particular entry. Now, assume that a particular column granted read rights to the world class, as shown in example 3:

Example 3

 

Nobody Owner Group World
Table Access Rights:

----

r---

----

----
Entry-2 Access Rights:

----

----

r---

----
Column-1 Access Rights:

----

----

----

r---

Members of the world class can now read that column for all entries in the table (see the following example). Members of the group class can read everything in Column-1 (because members of the group class are also members of the world class) and also all columns of Entry-2. Neither the world nor the group classes can read any cells marked in the following example as *NP* (for Not Permitted).

Example Table

 

Col 1 Col 2 Col 3
Entry-1 contents *NP* *NP*
Entry-2 contents contents contents
Entry-3 contents *NP* *NP*
Entry-4 contents *NP* *NP*
Entry-5 contents *NP* *NP*

Access Rights at Different Levels

This section describes how the four different access rights (read, create, modify, and destroy) work at the four different access levels (directory, table, column, and entry).

The objects that these various rights and levels act on are summarized in the following table:

Access Rights and Levels and the Objects They Affect

 

Directory Table Column Entry
Read List directory contents View table contents View column contents View entry (row) contents
Create Create new directory or table objects Add new entries (rows) Enter new data values in a column Enter new data values in an entry (row)
Modify Move objects and change object names Change data values anywhere in table Change data values in a column Change data values in an entry (row)
Destroy Delete directory objects such as tables Delete entries (rows) Delete data values in a column Delete data values in an entry (row)

Read Rights

Directory
If you have read rights to a directory, you can list the contents of the directory.

Table
If you have read rights to a table, you can view all the data in that table.

Column
If you have read rights to a column, you can view all the data in that column.

Entry
If you have read rights to an entry, you can view all the data in that entry.

Create Rights

Directory
If you have create rights at the directory level, you can create new objects in the directory, such as new tables.

Table
If you have create rights at the table level, you can create new entries. (You cannot add new columns to an existing table regardless of what rights you have.)

Column
If you have create rights to a column, you can enter new data values in the fields of that column. You cannot create new columns.

Entry
If you have create rights to an entry, you can enter new data values in the fields of that row. (Entry-level create rights do not permit you to create new rows.)

Modify Rights

Directory
If you have modify rights at the directory level, you can move or rename directory objects.

 

Table
If you have modify rights at the table level, you can change any data values in the table. You can create (add) new rows, but you cannot create new columns. If an existing field is blank, you can enter new data in it.

Column
If you have modify rights to a column, you can change the data values in the fields of that column.

Entry
If you have modify rights to an entry, you can change the data values in the fields of that row.

Destroy Rights

Directory
If you have destroy rights at the directory level, you can destroy existing objects in the directory, such as tables.

Table
If you have destroy rights at the table level, you can destroy existing entries (rows) in the table, but not columns. You cannot destroy existing columns in a table: you can only destroy entries.

Column
If you have destroy rights to a column, you can destroy existing data values in the fields of that column.

Entry
If you have destroy rights to an entry, you can destroy existing data values in the fields of that row.

Where Access Rights Are Stored

An object's access rights are specified and stored as part of the object's definition. This information is not stored in an NIS+ table.

Viewing an NIS+ Object's Access Rights

The access rights can be viewed by using the niscat command.

niscat -o objectname

Where objectname is the name of the object whose access rights you want to view.

This command returns the following information about an NIS+ object:

Owner
The single NIS+ principal who has ownership rights. This is usually the person who created the object, but it could be someone to whom the original owner transferred ownership rights.

Group
The object's NIS+ group.

Access rights
The rights granted to the following classes:

Nobody
The access rights granted to everyone, whether or not they are authenticated (have a valid DES credential).

Owner
The access rights granted to the object's owner.

Group
The access rights granted to the principals in the object's group.

World
The access rights granted to all authenticated NIS+ principals.

 

Access rights for the four authorization classes are displayed as a string of 16 characters, such as:

r---rmcdr---r---

Each character represents a type of access right:

r
Read rights

m
Modify rights

d
Destroy rights

c
Create rights

-
No access rights

The first four characters represent the access rights granted to nobody, the next four to the owner, the next four to the group, and the last four to the world.

Figure 6-4. Classes and Access Rights. This illustration shows the characters rmcdrmcdrmcdrmcd graphically separated into types of access rights. The first rmcd set is labeled for Nobody access rights; the second set for Owner; the third, Group; and the fourth, World.



Figure access_rights not displayed.

Note: Unlike typical operating system file systems, the first set of rights is for nobody, not for the owner.

Default Access Rights

When you create an object, NIS+ assigns the object a default owner and group, and a default set of access rights for all four classes. The default owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable. Initially, the default access rights are as shown in the following table.


Default Access Rights
Nobody Owner Group World

-
read read read

-
modify

-

-

-
create

-

-

-
destroy

-

-

If you have the NIS_DEFAULTS environment variable set, the values specified in NIS_DEFAULTS determine the defaults that are applied to new objects. When you create an object from the command line, you can use the -D flag to specify values other than the default values.

How a Server Grants Access Rights to Tables

This section discusses how a server grants access to table objects, entries, and columns during read, modify, destroy, and create operations.

Note: At security level 0, a server enforces no NIS+ access rights and all clients are granted full access rights to the table object. Security level 0 is only for administrator setup and testing purposes. Do not use level 0 in any environment in which users are performing their normal work.

A server evaluates four factors when deciding whether to grant access:

After authenticating the principal making the request by making sure the principal has a valid DES credential, an NIS+ server determines the type of operation and the object of the request.

Directory
If the object is a directory or group, the server examines the object's definition to see what rights are granted to the four authorization classes, determines which class the principal belongs to, and then grants or denies the request based on the principal's class and the rights assigned to that class.

Table
If the object is a table, the server examines the table's definition to see what table level rights are granted to the four authorization classes, and determines which class the principal belongs to. If the class to which the principal belongs does not have table-level rights to perform the requested operation, the server then determines which row or column the operation concerns and determines if there are corresponding row- or column-level access rights permitting the principal to perform the requested operation.

Specifying Access Rights in Commands

The following paragraphs describe how to specify access rights, as well as owner, group owner, and object, when using any of the commands described in this section. (This section assumes an NIS+ environment running at security level 2, the default.)

Class, Operator, and Rights Syntax

Access rights, whether specified in an environment variable or a command, are identified with three types of arguments: class, operator, and right.

Class
Refers to the type of NIS+ principal (authorization class) to which the rights will apply.

n
Nobody: all unauthenticated requests

o
Owner of the object or table entry

g
Group owner of the object or table entry

w
World: all authenticated principals

a
All: owner, group, and world (the default)

 

Operator
Indicates the kind of operation that will be performed with the rights.

+
Adds the access rights specified by right

-
Revokes the access rights specified by right

=
Explicitly changes the access rights specified by right; in other words, revokes all existing rights and replaces them with the new access rights.

 

Rights
Are the access rights themselves. The accepted values for each are listed below.

r
Reads the object definition or table entry

m
Modifies the object definition or table entry

c
Creates a table entry or column

d
Destroys a table entry or column

 

You can combine operations on a single command line by separating each operation from the next with a comma (,).

Class, Operator, and Rights Syntax--Examples
Operations Syntax
Add read access rights to the owner class

o+r
Change owner, group, and world classes' access rights to modify only from whatever they had been previously

a=m
Add read and modify rights to the world and nobody classes

wn+m
Remove all four rights from the group, world, and nobody classes

gwn-rmcd
Add create and destroy rights to the owner class, and add read and modify rights to the world and nobody classes

o+cd,wn+rm

Syntax for Owner and Group

To specify an owner, use an NIS+ principal name. For example:

principalname

To specify an NIS+ group, use an NIS+ group name with the domain name appended. Remember that, by definition, principal names are fully qualified (principalname.domainname). For example:

groupname.domainname

Syntax for Objects and Table Entries

Objects and table entries use different syntaxes, as follows:

The following table shows examples.

Object and Table Entry--Examples
Type Example
Object hosts.org_dir.sales.wiz.com.
Table entry '[uid=33555],passwd.org_dir.Eng.wiz.com.'
Two-value table entry '[name=sales,gid=2],group.org_dir.wiz.com.'

Columns use a special version of indexed names. Because you can only work on columns with the nistbladm command, see its command description for more information.

Displaying NIS+ Defaults

The nisdefaults command displays the default values currently active in the namespace. These default values are either preset values supplied by the NIS+ software or the defaults specified in the NIS_DEFAULTS environment variable (if you have NIS_DEFAULTS values set).

Any object that you create on a machine automatically acquires the NIS_DEFAULTS default values unless you override them with the -D option of the command you are using to create the object.

Default Values and nisdefaults Options
Default Option From Description
Domain -d /bin/domainname Displays the home domain of the workstation from which the command was entered.
Group -g NIS_GROUP environment variable Displays the group that would be assigned to the next object created from this shell.
Host -h uname -n Displays the workstation's host name.
Principal -p gethostbyname() Displays the fully qualified user name or host name of the NIS+ principal who entered the nisdefaults command.
Access Rights -r NIS_DEFAULTS environment variable Displays the access rights that will be assigned to the next object or entry created from this shell. Format:

----rmcdr---r---
Search path -s NIS_PATH environment variable Displays the syntax of the search path, which indicates the domains that NIS+ will search through when looking for information. Displays the value of the NIS_PATH environment variable if it is set.
Time-to-live -t NIS_DEFAULTS environment variable Displays the time-to-live (TTL) value that is assigned to the next object created from this shell. The default is 12 hours.
All (terse) -a   Displays all defaults in terse format.
Verbose -v   Display specified values in verbose mode.

You can use these options to display all default values or any subset of them:

Setting Default Security Values

This section describes how to perform tasks related to the nisdefaults command, the NIS_DEFAULTS environment variable, and the -D option. The NIS_DEFAULTS environment variable specifies the following default values:

The values that you set in the NIS_DEFAULTS environment variable are the default values applied to all NIS+ objects that you create using that shell (unless overridden by using the -D option with the command that creates the object).

You can specify the default values (owner, group, access rights, and time-to-live) specified with the NIS_DEFAULTS environment variable. Once you set the value of NIS_DEFAULTS, every object you create from that shell will acquire those defaults, unless you override them by using the -D option when you invoke a command.

Displaying the Value of NIS_DEFAULTS

You can check the setting of an environment variable by using the echo command, as shown below:

client% echo $NIS_DEFAULTS
owner=butler:group=gamblers:access=o+rmcd

You can also display a general list of the NIS+ defaults active in the namespace by using the nisdefaults command.

Changing Defaults

You can change the default access rights, owner, and group, by changing the value of the NIS_DEFAULTS environment variable. Use the environment command that is appropriate for your shell with the following arguments:

You can combine two or more arguments into one line, separated by colons:

owner=principal-name:group=group-name


Changing Defaults--Examples
Tasks Examples
Grant owner read access as the default access right.

export NIS_DEFAULTS="access=o+r"
Set the default owner to be the user abe, whose home domain is wiz.com.

export NIS_DEFAULTS="owner=abe.wiz.com."
Combine the first two examples on one code line.

export NIS_DEFAULTS="access=o+r:owner=abe.wiz.com."

All objects and entries created from the shell in which you changed the defaults will have the new values you specified. You cannot specify default settings for a table column or entry; the columns and entries simply inherit the defaults of the table.

Resetting the Value of NIS_DEFAULTS

You can reset the NIS_DEFAULTS variable to its original values, by typing the name of the variable without arguments, using the following format:

NIS_DEFAULTS=; export NIS_DEFAULTS

Specifying Nondefault Security Values

You can specify different (that is, nondefault) access rights, another owner, and another group whenever you create an NIS+ object or table entry with any of the following NIS+ commands:

nismkdir
Creates NIS+ directory objects

nisaddent
Transfers entries into an NIS+ table

nistbladm
Creates entries in an NIS+ table

To specify security values other than the default values, insert the -D option into the syntax of those commands, as described in Specifying Access Rights in Commands.

As when setting defaults, you can combine two or more arguments into one line. Remember that column and entry's owner and group are always the same as the table, so you cannot override them.

For example, you can use the nismkdir command to create a sales.wiz.com directory, override the defaults, and grant the owner read rights only by entering the following command:

nismkdir -D access=o+r sales.wiz.com

Changing Object and Entry Access Rights

The nischmod command operates on the access rights of an NIS+ object or table entry. It does not operate on the access rights of a table column. For columns, use the nistbladm command with the -D option. For all nischmod operations, you must already have modify rights to the object or entry.

Specifying Column Access Rights

The nistbladm command performs a variety of operations on NIS+ tables. However, two of its options, -c and -u, enable you to perform some security-related tasks:

-c
Allows you to specify initial column access rights when creating a table with the nistbladm command.

-u
Allows you to change column access rights with the nistbladm command.

Setting Column Rights When Creating a Table

When a table is created, its columns are assigned the same rights as the table object. These table level, rights are derived from the NIS_DEFAULTS environment variable, or are specified as part of the command that creates the table. You can also use the nistbladm -c option to specify initial column access rights when creating a table with nistbladm. To use this option you must have create rights to the directory in which you will be creating the table. To set column rights when creating a table, use:

nistbladm -c type 'columname=[flags] [,access]... tablename'

Where:

type
Is a user-defined character string that identifies the kind of table.

columnname
Is the name of the column.

flags
Is the type of column. Valid flags are:

S
searchable

I
case insensitive

C
encrypted

B
binary data

X
XDR encoded data

 

access
Are the access rights for this column that you specify using the syntax described in Specifying Access Rights in Commands.

...
Indicates that you can specify multiple columns, each with its own type and set of rights.

tablename
Is the fully qualified name of the table you are creating.

To assign a column its own set of rights at table creation time, append access rights to each column's equal sign after the column type and a comma. Separate the columns with a space, as shown in the following example:

column=type,rights column=type,rights column=type,rights

The example below creates a table named depts in the Wiz.com directory, of type div, with three columns (Name, Site, and Manager), and adds modify rights for the group to the second and third columns:

nistbladm -c div Name=S Site=S,g+m Manager=S,g+m depts.wiz.com.

For more information about the nistbladm command and the -c option, see Administering NIS+ Tables.

Adding Rights to an Existing Table Column

The -u option allows you to add additional column access rights to an existing table column with the nistbladm command. To use this option, you must have modify rights to the table column. To add additional column rights, use:

nistbladm -u [column=access,...],tablename

Where:

column
Is the name of the column.

access
Are the access rights for this column that you specify using the syntax described in Specifying Access Rights in Commands.

...
Indicates that you can specify rights for multiple columns.

tablename
Is the fully qualified name of the table you are creating.

Use one column=access pair for each column whose rights you want to update. To update multiple columns, separate them with commas and enclose the entire set with square brackets, as shown in the following example:

[column=access,column=access,column=access]

The full syntax of this option is described in the nistbladm command description.

The example below adds read and modify rights to the group for the name and addr columns in the hosts.org_dir.wiz.com. table.

client% nistbladm -u '[name=g+rm,addr=g+rm],hosts.org_dir.wiz.com.'

Removing Rights to a Table Column

To remove access rights to a column in an NIS+ table, use the -u option as described in the previous section, except that you subtract rights with a minus sign (rather than adding them with a plus sign).

The example below removes group's read and modify rights to the host name column in the hosts.org_dir.wiz.com. table.

nistbladm -u 'name=g-rm,hosts.org_dir.wiz.com.'

Changing Ownership of Objects and Entries

To change the owner of one or more objects or entries, use the nischown command. (You must have modify rights to the object or entry.) The nischown command cannot change the owner of a column, because a table's columns belong the table's owner. To change a column's owner, you must change the table's owner.

To change an object's owner, use the following syntax:

nischown new-owner object

Where:

new-owner
Is the fully qualified user ID of the object's new owner.

object
Is the fully qualified name of the object.

Be sure to append the domain name to both the object name and new owner name.

The example below changes the owner of the hosts table in the Wiz.com. domain to the user named lincoln whose home domain is Wiz.com.:

nischown lincoln.wiz.com. hosts.org_dir.wiz.com.

The syntax for changing a table entry's owner uses an indexed entry to identify the entry, as shown below:

nischown new-owner [column=value,...],tablename

Where:

new-owner
Is the fully qualified user ID of the object's new owner.

column
Is the name of the column whose value will identify the particular entry (row) whose owner is to be changed.

value
Is the data value that identified the particular entry (row) whose owner is to be changed.

...
Indicates that you can specify ownership changes for multiple entries.

tablename
Is the fully qualified name of the tables containing the entry whose owner is to be changed.

Be sure to append the domain name to both the new owner name and the table name.

The example below changes the owner of an entry in the Hosts table of the Wiz.com. domain to takeda whose home domain is Wiz.com. The entry is the one whose value in the name column is virginia.

nischown takeda.wiz.com. '[name=virginia],hosts.org_dir.wiz.com.'

Changing an Object or Entry's Group

The nischgrp command changes the group of one or more objects or table entries. To use the nischgrp command, you must have modify rights to the object or entry. The nischgrp command cannot change the group of a column, because the group assigned to a table's columns is the same as the group assigned to the table. To change a column's group owner, you must change the table's group owner.

To change an object's group, use the following syntax:

nischgrp group object

Where:

group
Is the fully qualified name of the object's new group.

object
Is the fully qualified name of the object.

Be sure to append the domain name to both the object name and new group name.

The example below changes the group of the hosts table in the Wiz.com. domain to admins.wiz.com.:

nischgrp admins.wiz.com. hosts.org_dir.wiz.com. 

The syntax for changing a table entry's group uses an indexed entry to identify the entry. In the following example, from column through tablename represents the indexed entry.

nischgrp new-group [column=value,...],tablename

Where:

new-group
Is the fully qualified name of the object's new group.

column
Is the name of the column whose value will identify the particular entry (row) whose group is to be changed.

value
Is the data value that identified the particular entry (row) whose group is to be changed.

tablename
Is the fully qualified name of the tables containing the entry whose group is to be changed.

...
Indicates that you can specify group changes for multiple entries.

Be sure to append the domain name to both the new group name and the table name.

The example below changes the group of an entry in the Hosts table of the Wiz.com. domain to sales.wiz.com.. The entry is the one whose value in the host name column is virginia.

nischgrp sales.wiz.com. '[name=virginia],hosts.org_dir.wiz.com.'


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]