Managing Permissions on an NFS Share
Unix-style permissions differ from Windows-style permissions. On Unix a file or directory is owned by exactly one user (and one group), whereas on Windows the owner of an object can also be a group.
Permissions on Unix-like systems are managed in three distinct classes: user (the owner), group, and others. Users who are neither the owner nor a member of the file's group make up the others class, and distinct permissions apply to that class.
The effective permissions are determined by the single class the accessing user falls into. For example, the owner of a file gets exactly the permissions given to the user class, regardless of what the group class or the others class has been granted, even if those classes were granted more.
Symbolic representation (each class is shown as three characters, in the order read, write, execute):
r if the read bit is set, - if it is not.
w if the write bit is set, - if it is not.
x if the execute bit is set, - if it is not.
Octal representation:
0 --- no permission
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read, write and execute
Now consider a scenario where Windows (Server for NFS) is hosting the NFS share and a Unix host is the NFS client. We want to manage the permissions on the share in such a way that the subfolders within the parent folder are accessible to different users.
Example:
User Name Mapping is configured. In this case the Unix ‘passwd’ and ‘group’ files are used as the source for the user name mapping.
On the Windows side, access is governed entirely by the NTFS permissions. After creating the NFS share on Windows, the permissions look as follows:
Parent folder: ‘Administrator’ is the owner and ‘Everyone’ has Read access that applies to the parent folder only (it is not inherited by the subfolders).
Two subfolders: ‘folder a’, on which User1 has Read access, and ‘folder b’, on which User2 has Read access.
From the Unix side, we mount the share as root. The permissions look like this (the group is displayed as 4294967294, which is -2 as an unsigned 32-bit value, the anonymous GID that Server for NFS substitutes for a Windows group that has no Unix mapping):
[root@unix/]# mount -t nfs 172.23.96.137:/nfs1 /nfstest
[root@unix/]# ls -ld /nfstest
drwxr-xr-x 2 root 4294967294 64 Dec 28 2010 /nfstest
[root@unix/]# cd /nfstest
[root@unix nfstest]# ls -l
total 1
drwx------ 2 root 4294967294 64 Dec 28 2010 folder a
drwx------ 2 root 4294967294 64 Dec 28 2010 folder b
Then we su to user3 on the Unix side and try to enter “folder a”. Under Unix-style permission checking, user3 is neither the owner of the folder nor a member of its group, so it gets the permissions of the others class.
The permission given to “Everyone” in Windows is what flows to others in Unix. In this scenario the “Everyone” permission is restricted to the parent folder and does not apply to “folder a”, so others in Unix have no permission on the subfolders (drwx------).
[root@unix nfstest]# su - user3
[user3@unix ~]$ cd /nfstest
[user3@unix nfstest]$ ls -l
total 1
drwx------ 2 root 4294967294 64 Dec 28 2010 folder a
drwx------ 2 root 4294967294 64 Dec 28 2010 folder b
As a result, user3 gets a “Permission denied” error when trying to enter either subfolder.
Now we enable the registry setting below (a REG_DWORD set to 1). With it enabled, Server for NFS enforces the NTFS permissions, including per-user entries that cannot be expressed in Unix mode bits, for access from Unix clients, rather than the Unix-style permission derived from them. Restart Server for NFS (for example with nfsadmin server stop and nfsadmin server start) after changing the value so that it takes effect.
HKEY_LOCAL_MACHINE\Software\Microsoft\Server for NFS\CurrentVersion\Mapping\KeepInheritance to “1”
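The Windows-side configuration described above (the NTFS layout with Everyone read on the parent only and one user per subfolder, plus the KeepInheritance value), as an added PowerShell example that is not part of the original article. The path C:\nfs1, the owner account Administrator, the account names User1 and User2, and the use of icacls instead of the Explorer security dialog are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original article. Run as an administrator on the
# Windows host that runs Server for NFS. Assumptions: the exported folder is
# C:\nfs1 (shared as "nfs1"), the NTFS owner is the local Administrator, and the
# Windows accounts are User1 and User2 (the Unix users map to these accounts).
$Root  = 'C:\nfs1'
$Owner = 'Administrator'

New-Item -ItemType Directory -Force -Path $Root, "$Root\folder a", "$Root\folder b" | Out-Null

# Parent folder: drop the ACEs inherited from C:\, give the owner full control
# on the whole tree, and give Everyone read+traverse on this folder only.
# Without the (OI)(CI) flags the Everyone ACE is not inherited, so it surfaces
# as the 'others' class on the parent but grants nothing on the subfolders.
icacls $Root /inheritance:r /grant:r "${Owner}:(OI)(CI)F" "Everyone:RX"
icacls $Root /setowner $Owner

# Subfolders: they inherit only the owner's full control; each gets a single
# explicit read+traverse ACE for the intended Windows user. A per-user ACE like
# this has no representation in Unix mode bits, which is why ls shows the
# folders as drwx------ on the client.
icacls "$Root\folder a" /grant:r "User1:(OI)(CI)RX"
icacls "$Root\folder b" /grant:r "User2:(OI)(CI)RX"

# KeepInheritance = 1 (REG_DWORD) makes Server for NFS enforce the NTFS ACLs
# for NFS clients instead of the Unix-style permission derived from them.
$Key = 'HKLM:\Software\Microsoft\Server for NFS\CurrentVersion\Mapping'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
Set-ItemProperty -Path $Key -Name KeepInheritance -Value 1 -Type DWord

# Server for NFS reads the Mapping settings at start-up; restart it so the new
# value takes effect, then show what was written and the resulting ACLs.
nfsadmin server stop
nfsadmin server start
Get-ItemProperty -Path $Key -Name KeepInheritance | Select-Object KeepInheritance
icacls $Root /t
```

After applying this, verify from the Unix client the way the article does: su to each mapped user and try to enter each subfolder. Do not judge access from ls -l, because the mode bits cannot express the per-user ACEs that actually decide access once KeepInheritance is enabled.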
Now when user3 (the Unix account mapped to Windows User1, who has Read permission on “folder a”) tries to access “folder a”, access is granted:
[user3@abhi-rhel51 nfstest]$ cd "folder a"
[user3@abhi-rhel51 folder a]$
[user3@abhi-rhel51 folder a]$ id -a
uid=10006(user3) gid=10006(user3) groups=10006(user3)
[user3@abhi-rhel51 folder a]$ cd ..
But ‘user3’ gets “Permission denied” when trying to access “folder b”, on which User2, not User1, has Read permission:
[user3@abhi-rhel51 nfstest]$ cd "folder b"
-bash: cd: folder b: Permission denied
[user3@abhi-rhel51 nfstest]$
So the customer restricted each user’s access to the appropriate folders by managing the NTFS permissions on the Windows side.