NetWare


When a user logs in to a NetWare 4.x or 5.x server, a three-level tiered mechanism decides how access to resources is granted. The first level of security is logon security: the user must be authenticated against a user object in the NDS tree. The second level is NDS security, in which access is controlled by granting or denying the user access to an object or its properties. The third level is NetWare file-system security, which involves the permissions on files and directories contained in the NetWare file system. Four types or categories of rights are used in Novell networking. Versions prior to NetWare 4 and 5 used only the first two of these:

  • File system directory rights

  • File system file rights

  • NDS object rights

  • NDS property rights

The first two rights are those you normally would associate with an operating system and its file system. These are rights that control access to directories and files in those directories on the disks for which the operating system (or network operating system) is responsible. The last two of these categories are used for rights that apply to accessing objects that reside in the Novell Directory Services (NDS) database.

Chapter 33, "Overview of the Novell Bindery and Novell Directory Services," is recommended reading if you want to understand how NDS can be used to implement security in a NetWare environment.


Trustees

In NetWare networks, a user or group of users who have been granted a right for a file or a directory is called a trustee of that file or directory. These rights are sometimes referred to as trustee assignments. A trustee assignment includes all the applicable rights, including a No Rights declaration. For NetWare 4.x and 5.x, other NDS leaf objects and container objects can also be granted a trustee assignment.

Trustee rights can be granted by an administrator using a program such as RIGHTS or FILER. You also can grant trustee rights using the NetWare Administrator. These trustee rights relationships also can be inherited. When discussing how rights are granted in a NetWare environment, remember that when a user or group is made a trustee of a file or directory, the user or group has been granted some kind of access permission right.

File-System Rights

File-system rights are those that control how a user can list the contents of a directory, add to a directory, or remove files or directories from a file system. Table 43.1 lists the terms used for the rights permissions that can be placed on files and directories, along with a short description of their functions.

Table 43.1. NetWare File and Directory Rights

Read: Grants the trustee the right to read the contents of files in a directory and to execute applications.

Write: Enables the trustee to add to or modify the contents of existing files.

Create: Allows the trustee to create a file or a subdirectory.

Erase: Gives the right to erase a file or directory.

Access Control: Enables a user holding this right to grant rights to the directory or files to other users, and to modify the Inherited Rights Filter (IRF). As in Active Directory, a NetWare trustee inherits rights granted to container objects farther up the directory tree; you can deny specific rights that would otherwise be inherited by modifying the IRF.

Modify: Enables the trustee to rename a file or directory and to change the attributes of the file or directory.

File Scan: Enables the user to list the files contained in a directory.

Supervisor: Gives the holder all other rights to this directory and to its subdirectories. This is the most powerful right.

Creators/owners of files and directories usually have the Access Control right over the files they create. This means that they can assign permissions to other users on the system who might need to access their files. A user who has Supervisor access can do as much as or more than the owner of a file or directory can do. The File Scan right gives the user the capability to scan the directory and see its contents when searching for a file.

Object and Property Rights

The NDS database is a hierarchical tree structure. Rights in this tree flow from top to bottom, such that an object in the directory can possibly inherit the rights values from all parent objects above it in the tree. Two basic kinds of rights are associated with NDS: Object rights and Property rights. The first, Object rights, defines the kinds of actions a trustee can perform on an object in the NDS tree. These rights do not necessarily give the trustee access to any of the information stored in the object's properties, just access to the mechanisms used to manipulate objects.

Property rights define access to the information stored in the properties of an object. These rights apply to the properties of an object and not to the object itself. For example, an administrator might choose to grant users the ability to change certain properties of their own user object in the directory. This would allow users to change their own telephone-number properties, email account properties, and so on, relieving the administrator or another resource of this chore.

Table 43.2 shows the object rights and Table 43.3 shows the property rights, along with descriptions of their use.

Table 43.2. NDS Object Rights

Supervisor: The most powerful object right; grants the trustee all rights to the object as well as to its properties. Of the object rights, only Supervisor also grants access to property values.

Browse: Enables the user to see the object in the NDS tree and to search for it by the object's base class or its relative distinguished name (RDN).

Create: Gives the trustee the right to create new objects in a container. This right can be granted only to container objects; it cannot be assigned to leaf objects, because by definition they cannot contain other objects.

Delete: Gives the right to delete an object in the NDS tree. A container object can be deleted only if no other objects remain beneath it; if there are, you must first delete those objects before you can delete the container. The Write property right for all properties is also needed to delete an object.

Rename: Gives the right to change the name (RDN) of an object.

Inheritable: Specifies whether the trustee's rights assignment on this object is inherited for objects subordinate to it in the NDS tree. This right can be assigned only to a container object.

Table 43.3. NDS Property Rights

Add Self: Enables you to add or remove yourself as a value of a property; it cannot be used to change other property values. This right applies only to properties that contain a list of other object names, such as a membership list.

Compare: Gives the right to compare a value to the value of a property. This right does not let you see the actual value of the property; the compare operation returns only true or false.

Read: The right needed to see the value of an object's property. This right includes the Compare right.

Supervisor: Gives you all rights to the property. This right can, however, be blocked by an Inherited Rights Filter.

Write: Gives the right to add, change, or delete values of a property. This right includes the Add Self right.

Inheritable: Specifies whether the rights assignment will be inherited by the trustee for objects subordinate to this one in the NDS tree. This right can be used only on container objects.

Differences Between NDS and File-System and Directory Rights

NDS rights are used to assign access capabilities to objects and their properties that are contained in the NDS directory database. File-system rights are used to assign access capabilities to directories and files stored in the file system. The first difference you will notice between the two is that the NDS rights consist of two other kinds of rights: Object and Property rights. This concept does not exist in the file-system rights.

Finally, trustee assignments in NetWare 3.x could be made only for a user account or a user group. In NetWare 4.x and 5.x, the trustee can be any NDS object, leaf, or container, anywhere in the NDS tree. Because the NDS tree is a distributed database, objects located on different servers can be made trustees to files on other servers.

Inheritance of Rights

Inheritance of rights in the NDS tree is the process by which an object acquires some of the rights granted to objects superior to it in the tree. Rights are inherited starting at the top of the tree, where objects underneath the [root] object inherit some of the rights granted to [root]. The two methods used to block an object from inheriting rights from a superior object are the inherited rights filter (IRF) and direct trustee assignments by an administrator. Direct trustee assignments made anywhere in the path from the [root] object to the object in question can change the rights flowing down the tree.

The Inherited Rights Filter

The Inherited Rights Filter (IRF) can be used to stop one or more rights from being acquired in this fashion. The filter is used to block an object from receiving selected kinds of trustee assignments that it would otherwise inherit. When displaying the IRF, you will see a string of characters enclosed in square brackets. Each letter is the first letter of one of the rights that can be inherited by the object or potentially blocked by the filter. The values for directory and file rights can be read, write, create, erase, modify, file scan, and access control.

To make modifications to an IRF, you can use the utilities RIGHTS, FILER, NetAdmin, or NWADMIN.

Note that an IRF can block the Supervisor right from being inherited in the NDS tree, which blocks access to an object in the tree. However, an IRF cannot block inheritance of the Supervisor right for file-system rights. Also, if a right is blocked by an IRF at a higher level, you can always grant the right to a child object explicitly. The IRF only blocks rights from being inherited from above; it does not block a right at the level at which it is assigned.

Security Equivalence

Security equivalence is another method of granting trustee access rights in NetWare. Using this method, one User object is made equivalent to another object and thus takes on the same trustee assignments. Security equivalence is a property of the User object. Trustee rights gained by this equivalence method are in addition to any other rights the User object might possess. Also, a user might be granted rights that are granted to a group of which the user is a member.

This concept is helpful when one user needs access to objects in a manner similar to another user, for example when a user is temporarily away from work and another is brought in to fill in.

Tip

It is not a good idea to grant a user the right to change the Security Equivalent property of their own User object. If the user also has the Write property right to the ACL property of an Admin User object, the user could potentially acquire all the rights associated with the Admin User object.

Effective Rights

When looking at the various means that are used to grant trustee rights to an object in NetWare, it quickly becomes apparent that trying to figure out the actual rights a user possesses might become confusing. The actual rights that a user will end up with are called the effective rights to the object. A few simple rules can be used to deduce effective rights:

  • If no trustee rights are granted to the directory, the effective rights are computed by a logical AND operation of the parent directory's effective rights and the Inherited Rights Filter.

  • An explicit assignment of trustee rights to a directory overrides an Inherited Rights Filter.

  • If the Supervisor right is granted to a directory, the trustee will have all rights for all files and subdirectories underneath the directory. Remember that an IRF cannot block the Supervisor right in the file system.

Rights are additive in this computation. Inherited rights are masked by the Inherited Rights Filter, and any rights not masked out are added to any direct assignments made to the object, as well as any rights acquired by security equivalence. If the access granted from one source is less than that granted by another source, the higher-level right is used.
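As an added example (not code from the book or from Novell), the following Python models the effective-rights rules above for both file-system and NDS object rights, using the bracketed IRF notation from the preceding section and adding rights from groups and security equivalence. The directory tree, user and group names are constructed, and treating rule 2 as replacing inherited rights per trustee object is an assumption.

```python
# Added example, not code from the book or from Novell: a small model of how
# NetWare effective rights are computed from the rules the chapter lists.
FILE_RIGHTS = frozenset("SRWCEMFA")      # S R W C E M F(ile scan) A(ccess control)
NDS_OBJECT_RIGHTS = frozenset("SBCDRI")  # S B(rowse) C D R(ename) I(nheritable)

def parse_rights(text, alphabet=FILE_RIGHTS):
    """Parse a bracketed rights string such as '[RWCEMFA]' or '[ ]' into a set."""
    letters = text.strip().strip("[]").replace(" ", "").upper()
    unknown = set(letters) - alphabet
    if unknown:
        raise ValueError(f"unknown right(s): {sorted(unknown)}")
    return frozenset(letters)

def effective_rights(path, trustees, file_system=True):
    """Effective rights at the last level of `path`, a top-down list of levels
    {"irf": "[...]", "trustees": {object_name: "[...]", ...}}.

    `trustees` is the user plus every group and security-equivalent object,
    whose rights are added together. Per object: an explicit assignment at a
    level replaces what it would have inherited (rule 2), otherwise it inherits
    the parent's rights ANDed with the IRF (rule 1); Supervisor expands to all
    rights (rule 3) and, for file-system rights only, passes any IRF. Applying
    rule 2 per object is this example's assumption; Inheritable is not modelled.
    """
    alphabet = FILE_RIGHTS if file_system else NDS_OBJECT_RIGHTS
    held = {name: frozenset() for name in trustees}
    for level in path:
        irf = parse_rights(level["irf"], alphabet)
        for name in trustees:
            explicit = level.get("trustees", {}).get(name)
            if explicit is not None:
                rights = parse_rights(explicit, alphabet)
            else:
                rights = held[name] & irf
                if file_system and "S" in held[name]:
                    rights |= {"S"}  # an IRF cannot block file-system Supervisor
            if "S" in rights:
                rights = alphabet  # Supervisor implies every other right
            held[name] = rights
    return frozenset().union(*held.values())

# Constructed sample: SYS:, then PUBLIC, then a PRIVATE subdirectory whose
# IRF [ ] blocks every inherited right except file-system Supervisor.
SAMPLE_PATH = [
    {"irf": "[SRWCEMFA]", "trustees": {"jane": "[RF]", "admin": "[S]"}},
    {"irf": "[SRWCEMFA]", "trustees": {"staff": "[C]"}},
    {"irf": "[ ]", "trustees": {"bob": "[RWF]"}},
]
```

Passing `["jane", "bob"]` as the trustee list models jane being made security equivalent to bob; passing `file_system=False` with NDS letters shows the IRF stripping Supervisor, which it cannot do in the file system.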

The Everyone Group and the [Public] Group

In NetWare 3.x a group called Everyone was usually assigned the Read and File Scan rights to SYS:PUBLIC. This user group gave the administrator a convenient way to assign rights to all users. The Everyone group consists of all users on a NetWare 3.x server. In NetWare 4.x and 5.x, there is no Everyone group by default.

Note

By default, NetWare 4.x and 5.x do not contain an Everyone group. However, the migration process from NetWare 3.x to NetWare 4.x or 5.x can cause the Everyone group to be migrated as a user group.

Novell Directory Services allows for the creation of user groups. The hierarchical nature of the NDS database enables you to place user objects into container objects. Using this method, you can group users who share the same level of access permissions, for example, so that you have to modify the permissions only at the container level instead of at the individual user object level. However, a user object (or any object in the NDS tree) can be associated with only one container object. Of course, the container object itself can be encompassed by another container object, but it is not possible to just take a single user object and place it into multiple containers at the same time. Instead, you can create a Group object. This kind of object has a property that lists members of the group, which consists of user objects that reside elsewhere in the NDS tree.

The implicit group [Public] exists by default and is made up of all users who have a network connection. This includes users who have not been authenticated by NDS. This means that you can effectively assign rights to objects in the database for workstations that do not have to use a username/password to connect to the database. This enables you to assign the Browse right to all users, by creating a trustee assignment for the [Public] group on the root object in the tree. Sometimes, though, letting unauthenticated users even see (browse) the database can be a security problem. In this case you would not want to grant this right to [Public], or you might want to consider removing the browse right using an IRF for sections of the tree.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434
