Certification Objective 11.04—The NIS+ Security

Exam Objective 5.4: Explain NIS and NIS security including NIS namespace information, domains, processes, securenets, and password.adjunct.

The NIS+ naming service provides security. NIS+ security is so integral a part of the NIS+ namespace that you cannot set up security and the namespace independently. The security features of NIS+ are designed to protect both the information in the namespace and the structure of the namespace from unauthorized access. NIS+ security basically does two things: it authenticates the client, and, after successful authentication, it gives the client the appropriate level of access to NIS+ service entities such as tables of information.

Before exploring the NIS+ security process, let's take a look at the NIS+ security concepts.

NIS+ Security Concepts

The main NIS+ security concepts are described in the following:

  • NIS+ object. NIS+ objects are the NIS+ entities (things) that are secured—for example, the server itself, the NIS+ table, the table entries, and so forth. The access rights (permissions) are set on an object, meaning who can do what to this object.

  • NIS+ principal. An NIS+ principal is an entity that seeks access to an NIS+ object. In other words, all requests for NIS+ services come from NIS+ principals. Note that a principal does not always have to be a user. For example, a request made by an ordinary user on a client machine would come from the client user, whereas a request made by the root user on a client machine would come from the client machine itself. NIS+ objects do not grant permissions to principals directly. To have access to an object, a principal must be a member of an authorization class.

  • Permission matrix. A permission matrix is a set of permissions set on the objects and granted to principals. Once a principal has been properly authenticated to NIS+, its ability to read, modify, create, or destroy the NIS+ objects is determined by the applicable permission matrix.

  • Authorization class. An authorization class is a type of principal to whom the permissions on an object are granted. There are four classes of principals:

    • Owner. A principal who is also the owner of the object gets the permissions set on the object for the owner class.

    • Group. A group is a collection of principals. Each NIS+ object has one group associated with it. You, the administrator, specify the principals for a given group, and each principal in the group enjoys the access permissions set on the object for the group class. Note that NIS+ groups are not the same as UNIX groups.

    • World. The world class is a collection of all principals that the server can authenticate. Any principal that belongs neither to the owner class nor to the group class but can be authenticated, belongs to the world class.

    • Nobody. Any principal that cannot be authenticated belongs to the nobody class.

When an NIS+ request from a principal is received, the system determines which class the requesting principal belongs to; the principal is then given the access rights belonging to that class. You, the administrator, can set on an object any combination of access rights for each of these classes—the permission matrix. Typically, however, a higher class (the owner class being the highest and the nobody class being the lowest) is assigned the same rights as all the lower classes, plus possible additional rights. For example, you could set on an object read access for the nobody class and the world class, read and modify access for the group class, and read, modify, create, and destroy access for the owner class.

How does a client go through the NIS+ security process?

NIS+ Security Process

NIS+ security is mainly a two-stage process:

  1. Authentication. Authentication is the process of verifying that a client actually is what it claims to be. After a request (to access an NIS+ object) from a client is received, the client's identity and secure RPC password are verified. Once the client's identity is validated, authorization kicks in.

  2. Authorization. Once a client's identity has been validated by the authentication process, NIS+ determines the class for the client. What a client (user or a machine) can do with a given NIS+ object depends on which class the client belongs to.

The entire security process can be broken down into the following steps:

  1. A client (principal) requests access to an NIS+ object.

  2. The server authenticates the client's identity by examining the client's credentials.

  3. If the client is authenticated (credentials are validated), the client falls into the world class; otherwise, it falls into the nobody class.

  4. The server looks into the target object's definition to make a final determination of the class that will be associated with the client (principal).

  5. The client will get the permissions associated with the class of principal assigned to the client.
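The class determination in steps 3 to 5 and the example permission matrix given earlier (read for nobody and world, read and modify for group, all four rights for owner) can be modelled in a few lines. This is an added illustration, not code from the study guide or from NIS+ itself; the principal and object names are invented, and the dictionary layout of the matrix is this example's own representation rather than the NIS+ on-disk format.

```python
from dataclasses import dataclass

CLASSES = ("owner", "group", "world", "nobody")  # highest to lowest
RIGHTS = "rmcd"  # read, modify, create, destroy

@dataclass
class Principal:
    name: str            # a user, or the client host when root requests
    authenticated: bool  # outcome of the credential / secure RPC check

@dataclass
class NisObject:
    owner: str
    group_members: set   # NIS+ group membership (not a UNIX group)
    matrix: dict         # class name -> subset of "rmcd"

def classify(principal, obj):
    """Steps 3-5: nobody if unauthenticated, otherwise the highest class
    the object's own definition places the principal in."""
    if not principal.authenticated:
        return "nobody"
    if principal.name == obj.owner:
        return "owner"
    if principal.name in obj.group_members:
        return "group"
    return "world"

def permitted(principal, obj, right):
    """Look the principal's class up in the object's permission matrix."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right {right!r}, expected one of {RIGHTS}")
    return right in obj.matrix.get(classify(principal, obj), "")

def well_formed(matrix):
    """The 'typical' layout the text describes: every higher class holds at
    least the rights of each lower class."""
    rights = [set(matrix.get(c, "")) for c in CLASSES]
    return all(rights[i] >= rights[i + 1] for i in range(len(rights) - 1))

# Constructed sample object (names invented) using the text's example matrix:
# read for nobody and world, read+modify for group, all rights for owner.
PASSWD_TABLE = NisObject(
    owner="root.nisserver.example.com.",
    group_members={"alice.example.com."},
    matrix={"owner": "rmcd", "group": "rm", "world": "r", "nobody": "r"},
)
```

Note that an unauthenticated request lands in the nobody class even when the name it presents is the owner's, which is the point of authentication running before authorization.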

In any network service, caching is used to improve service performance.




Sun Certified System Administrator for Solaris 10 Study Guide Exams 310-XXX & 310-XXX
Year: 2005
Pages: 168
