Title: Hands-On Novell Open Enterprise Server for NetWare and Linux
1 Hands-On Novell Open Enterprise Server for NetWare and Linux
- Chapter 6
- Working with NetWare File System Security
2 Objectives
- After reading this chapter and completing the activities, you will be able to:
  - Describe NetWare file system security components (trustee rights, effective rights, and inheritance), make trustee assignments, and determine a user's effective rights
  - Explain concepts of file system security
  - Describe file and directory attributes and use NetWare utilities and commands to view and set attributes
3 File System Security Components
- NetWare file system security consists of two levels
  - Access rights security
  - Attribute security
- Access rights
  - Ensure that users can work with data only in certain files and directories
- Attributes
  - Flags attached to files and directories
  - Limit functions that can be performed in those files or directories
4 NetWare Access Rights
- File system security
  - Based on the concept of making an eDirectory object a trustee of a file or directory
    - With certain assigned access rights
  - Consists of a single group of eight access rights
  - Controls the operations a trustee can perform in the file system
- Directory entry table (DET)
  - Contains information about a file or directory
  - Including its name and the access control list (ACL)
5 NetWare Access Rights (continued)
6 NetWare Access Rights (continued)
7 Trustee Assignments
- Give users, groups, or containers rights to access and maintain the file system
- Directory trustee
  - User, group, or container object that has been granted access rights to a directory
- File trustee
  - User or group that has been granted access rights to a file
- Effective rights
  - Define access rights a user has in a specific directory or file
8 Trustee Assignments (continued)
- Making user trustee assignments
  - Trustee assignment
    - Process of granting a user a direct trustee assignment
    - With specific rights to directories and files
  - User's default effective rights
    - Are always equal to his or her trustee assignment
  - Access rights are usually indicated with the first letter of each right enclosed in brackets
    - R, C, F means Read, Create, and File Scan rights
  - By default, a new user gets R W C E M F A rights to his or her home directory
9 Trustee Assignments (continued)
- Viewing effective rights
- Use Windows Explorer or Remote Manager
- To view your effective rights
- Use ConsoleOne or NetWare Administrator
- To verify effective rights in the file system
11Trustee Assignments (continued)
12Trustee Assignments (continued)
- Group trustee assignments
- When a group is made a trustee of a directory or
file - All members of that group are considered trustees
- Group members effective rights
- Combination of any personal trustee assignments
plus any rights they have from being group
members - You can use Remote Manager to make trustee
assignments
13Trustee Assignments (continued)
14Trustee Assignments (continued)
15Trustee Assignments (continued)
- Container trustee assignments
- When a container is made a trustee of a directory
or file - All users in container and subcontainer objects
share the same rights - Use Remote Manager to make trustee assignments
16 Inherited Rights
- Allows effective rights to a directory to flow down into files and other subdirectories
- Inheritance
  - Essential concept in making file system security efficient
    - By eliminating an excessive number of trustee assignments
17 Inherited Rights (continued)
18 Inherited Rights (continued)
- The Inherited Rights Filter (IRF)
  - Can prevent a subdirectory from inheriting rights
  - Acts as a block to keep selected rights from passing into a subdirectory structure or files
  - IRF cannot be used to block the Supervisor right
    - Supervisor access right can't be removed from an IRF
19 Inherited Rights (continued)
20 Combining Trustee Assignment and Inherited Rights
- Reduce number of rights granted to a user
  - By taking group or container rights into consideration
21 Combining Trustee Assignment and Inherited Rights (continued)
22 Calculating Effective Rights
- NetWare tracks inherited rights separately for each type of object
  - A User object's inherited rights in a directory are kept separate from inherited rights for containers or groups
- At the directory or subdirectory level
  - A user's effective rights are calculated by combining the user's own effective rights with the effective rights of any groups or containers to which they belong
- Making a new trustee assignment to a user, group, or container
  - Overrides the inherited rights for that object
23 Calculating Effective Rights (continued)
24 Working with Supervisor Rights
- New trustee assignments made to subdirectories or files
  - Do not override the inherited Supervisor right
- Supervisor right cannot be changed or blocked in one of the subdirectories
  - It can be changed only at the point of origin
- User with Supervisor right can manage an entire directory structure
  - Without being blocked by another user or an incorrect trustee assignment
25 Working with Supervisor Rights (continued)
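The effective-rights rules from the last few slides (inherited rights tracked per trustee object, a new assignment replacing what that object inherited, the IRF unable to remove Supervisor, Supervisor changeable only at its point of origin, and a user's effective rights being the union over the user, groups and containers) worked through in code. This is an added example, not code from the book; the Corp/Sales/Budgets structure, the trustee names and the group memberships are constructed, and Supervisor is treated as granting all eight rights, which is NetWare's behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

# NetWare's eight access rights: Supervisor, Read, Write, Create, Erase,
# Modify, File Scan and Access Control.
ALL_RIGHTS = frozenset("SRWCEMFA")

@dataclass
class Directory:
    name: str
    parent: Optional["Directory"] = None
    irf: frozenset = ALL_RIGHTS                   # Inherited Rights Filter; default lets everything flow down
    trustees: dict = field(default_factory=dict)  # trustee object name -> explicit rights, e.g. "RCF"

def object_rights(obj: str, d: Directory) -> frozenset:
    """Rights one trustee object (user, group or container) holds in d.

    Inherited rights are tracked per object. An explicit assignment in d
    replaces what that object inherited, and the IRF filters what flows in,
    but an inherited Supervisor right survives both: it can only be changed
    at its point of origin."""
    inherited = object_rights(obj, d.parent) if d.parent else frozenset()
    kept_s = inherited & {"S"}
    if obj in d.trustees:
        return frozenset(d.trustees[obj]) | kept_s
    return inherited & (d.irf | {"S"})            # S cannot be removed from an IRF

def effective_rights(user: str, memberships: list, d: Directory) -> frozenset:
    """Union of the user's own rights with those of every group and container
    the user belongs to; Supervisor grants all eight rights."""
    rights = frozenset().union(*(object_rights(o, d) for o in [user, *memberships]))
    return ALL_RIGHTS if "S" in rights else rights

def build_sample_tree() -> dict:
    """Constructed sample structure (not from the book): Corp/Sales/Budgets."""
    corp = Directory("Corp", trustees={"Sales": "RCF", "UAS": "F", "KThiele": "S"})
    sales = Directory("Sales", parent=corp, trustees={"KThiele": "R", "MGomez": "W"})
    budgets = Directory("Budgets", parent=sales, irf=frozenset("RF"), trustees={"Sales": "R"})
    return {"Corp": corp, "Sales": sales, "Budgets": budgets}

if __name__ == "__main__":
    tree = build_sample_tree()
    for user, groups in [("JDoe", ["Sales", "UAS"]), ("MGomez", ["Sales"]), ("KThiele", ["UAS"])]:
        for name, d in tree.items():
            print(f"{user:8} {name:8} [{''.join(sorted(effective_rights(user, groups, d)))}]")
```

MGomez shows the IRF at work (the W granted in Sales does not reach Budgets), and KThiele shows that neither the R assignment in Sales nor the Budgets IRF touches the Supervisor right granted in Corp.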
26 Using the RIGHTS Command
- Documenting user trustee assignments
  - Important task in managing a network file system
- RIGHTS command
  - Another method of displaying and printing trustee assignments in a directory structure
  - Convenient for making trustee assignments from the command prompt
    - Or creating a batch file or script to assign rights automatically
27 Planning File System Security
- NetWare file system security
  - Sophisticated, complex system with many options for ensuring access to network data
  - Plan security system to keep trustee assignments and IRFs to a minimum
28 File System Security Guidelines
- Identify rights needed for each user
  - Analyze each user's processing needs
  - Determine and document access rights each directory needs to meet processing requirements
- Proper directory structure design
  - Directories requiring the most security should be near the top of the structure
  - Do not limit trustee assignment for other users
    - Including directories that limit access rights
  - Use IRFs to protect high-security directories
29 File System Security Guidelines (continued)
- Reduce use of IRFs
  - Avoid placing a directory needing more security within a general-purpose directory
  - Use explicit trustee assignments for reducing a user's or group's effective rights
- Minimize trustee assignments
  - Make assignments in the following order
    - Assign rights to containers
    - Assign rights to departmental groups
    - Assign rights to Organizational Role objects
    - Assign rights to individual users
30 File System Security Guidelines (continued)
31 File System Security Guidelines (continued)
32 File System Security Guidelines (continued)
- Avoid complex combinations
  - Avoid combinations of assignments to groups, containers, and individual users within the same directory structure
- Do not rely on users inheriting certain rights
  - Make users explicit trustees of a directory or file with just the rights needed for access
33 Universal AeroSpace File System Security
- Planning file system security steps
  - Define processing functions each user needs to perform
  - Review the directory structure
  - Plan trustee assignments
  - Minimize the number of trustee assignments
34 Universal AeroSpace File System Security (continued)
35 Universal AeroSpace File System Security (continued)
36 Universal AeroSpace File System Security (continued)
37 Attribute Security
- Attributes
  - Flags or codes you can associate with files and directories
  - Determine what type of processing can be carried out
- Set attributes on directories and files as additional protection
  - Against accidental change or deletion or to specify special processing
38 File and Directory Attributes
- Attributes set on files and directories
  - Override users' effective rights in that file or directory
- File attributes
  - Archive Needed (A)
    - Controls which files are copied to a backup disk
  - Copy Inhibit (Ci)
    - Prevents Macintosh users from copying specified files
  - Delete Inhibit (Di)
  - Don't Compress (Dc)
  - Don't Suballocate (Ds)
  - Don't Migrate (Dm)
39 File and Directory Attributes (continued)
- File attributes
  - Execute Only (X)
    - Protects software files from being copied illegally
  - Hidden (H)
  - Immediate Compress (Ic)
  - Migrated (M)
  - Purge
    - NetWare server reuses file space immediately after it's deleted
  - Read Only (Ro)
  - Rename Inhibit (Ri)
40 File and Directory Attributes (continued)
- File attributes
  - Sharable (Sh)
    - Allows file to be opened by more than one user at a time
  - System (Sy)
  - Transactional (T)
    - File is protected by Transaction Tracking System (TTS)
    - Either all transactions are completed or file is left in its original state
- Directory attributes
  - Normal (N)
    - Removes all directory attributes
41 File and Directory Attributes (continued)
42 File and Directory Attributes (continued)
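How attributes override effective rights, as an added example that is not code from the book: the rights check runs first, then the attribute check vetoes the operation regardless of rights. The operation names, the VETOED_BY table and the '+Ro'/'-Sh'/'N' tokens are this example's own conventions rather than the FLAG command's syntax, and the Purge code "P" is assumed because the slides list Purge without a code.

```python
# Rights each file operation needs (NetWare one-letter codes) and the
# attributes that veto the operation even when the trustee holds the right.
NEEDED_RIGHT = {"read": "R", "write": "W", "create": "C", "delete": "E",
                "rename": "M", "set_attributes": "M"}
VETOED_BY = {"write": {"Ro"}, "delete": {"Ro", "Di"}, "rename": {"Ro", "Ri"}}
# Attribute codes from the slides; "P" for Purge is assumed (the slides give no code).
VALID_ATTRS = {"A", "Ci", "Di", "Dc", "Ds", "Dm", "X", "H", "Ic", "M", "P",
               "Ro", "Ri", "Sh", "Sy", "T"}

def check(op: str, effective: frozenset, attributes: set) -> tuple:
    """Rights check first (Supervisor implies every right), then the attribute
    check, which overrides the rights: full rights still cannot write a Ro file."""
    if "S" not in effective and NEEDED_RIGHT[op] not in effective:
        return False, f"missing {NEEDED_RIGHT[op]} right"
    hit = VETOED_BY.get(op, set()) & attributes
    if hit:
        return False, f"blocked by attribute {sorted(hit)}"
    return True, "ok"

def apply_flags(attributes: set, changes: list) -> set:
    """Apply FLAG-style tokens ('+Ro', '-Sh', 'N'). 'N' (Normal) clears every
    attribute; setting Ro also sets Di and Ri, as NetWare does (removing Ro
    leaves them in place in this model)."""
    result = set(attributes)
    for token in changes:
        if token == "N":
            result.clear()
            continue
        sign, attr = token[0], token[1:]
        if sign not in "+-" or attr not in VALID_ATTRS:
            raise ValueError(f"bad token {token!r}")
        if sign == "+":
            result.add(attr)
            if attr == "Ro":
                result |= {"Di", "Ri"}
        else:
            result.discard(attr)
    return result

if __name__ == "__main__":
    # Constructed scenario: an application file flagged Ro Sh, used by a trustee
    # holding the full R W C E M F A rights a new user gets in a home directory.
    rights, attrs = frozenset("RWCEMFA"), apply_flags(set(), ["+Ro", "+Sh"])
    for op in ("read", "write", "delete", "rename"):
        print(op, check(op, rights, attrs))
    # The caveat: attributes stop accidents, not a trustee who holds Modify,
    # since Modify lets that trustee clear the flag and then write.
    print("set_attributes", check("set_attributes", rights, attrs))
    print("write after -Ro", check("write", rights, apply_flags(attrs, ["-Ro"])))
```

The last two lines of the demo are the point to keep in mind when planning: because the Modify right allows changing attributes, Ro protects a file against accidental change, not against a trustee who holds M and chooses to clear it.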
43 Planning Directory Attribute Use at Universal AeroSpace
- Without adequate planning
  - Renaming directories
    - Could cause problems with directory map commands
    - Could prevent applications from finding data in a predefined path
- Directory attributes
  - Protect directory structure from name changes and accidental deletion
45 Planning File Attribute Use at Universal AeroSpace
- Most commonly used file attributes
  - Read Only
  - Shared
- Read Only attribute
  - Prevents the software from being changed or deleted
  - Protects against virus infection
46 Planning File Attribute Use at Universal AeroSpace (continued)
47 Implementing Directory and File Attributes
- To set directory and file attributes, use
  - NetWare utilities
  - Remote Manager
  - ConsoleOne
  - Windows
48 Implementing Directory and File Attributes (continued)
49 Implementing Directory and File Attributes (continued)
50 The FLAG Command
- Useful for documenting and setting directory and file attributes
- Setting and documenting directory attributes
  - FLAG uses the /DO parameter to set and view directory attributes
  - Example
    - FLAG path /- attribute_list /DO
51 Summary
- NetWare file system must be secured
  - By using trustee assignments
- Access Control right
  - Allows users to assign other rights to other users
    - Except Supervisor
- Trustee assignments
  - Used to grant rights to users or groups for a directory
- Inherited Rights Filter (IRF)
  - Controls which rights a file or directory inherits from higher-level directories
52 Summary (continued)
- To set and view trustee assignments, use
  - ConsoleOne, Remote Manager, Windows Explorer, or the RIGHTS command
- Attributes
  - Play a vital role in file system security
  - Enable you to protect files and directories from certain operations
- To set attributes on files and directories, use
  - Remote Manager, ConsoleOne, and the FLAG command