Restricting User Access - HP NetStorage 6000 Manual

File sharing security

2.2 Restricting User Access

All users on UNIX systems must perform a logon sequence before gaining access to the system. The logon
involves entering an appropriate name and password at the logon prompt. Once the logon data is entered, the
system searches the local passwd file for a matching entry. If a match is found, the user is granted access
and is assigned two 16-bit numeric identifiers that are associated with the user. These identifiers are referred to
as the UID (user ID), which identifies the user, and the GID (group ID), which identifies the group that
the user belongs to.
A user's UID and GID govern all access to the files and directories available to that user, including remote file
systems that the user mounts for access via the NFS protocol. All files and directories on UNIX style file systems
carry a small amount of metadata that identifies who has access rights to the file. The metadata
associated with file security is defined as follows:
UID: This is the identifier of the owner of the file.
GID: This is the identifier of the group owner of the file.
Permission bits: These bits identify the read, write and execute (rwx) privilege for the file's owner, the file's group and anyone else who is not the owner or in the group (referred to as other).
For example, a typical UNIX file permission might appear as follows in a directory listing:

    -rwxr-x--x 1 Wilson Engineering 611 Nov 11 11:09 testfile

In this case 'Wilson' is the UNIX account that the file belongs to. Even though the metadata of the file stores
only the UID of the owner, the operating system was able to map the UID to the user name 'Wilson' through the
passwd file for display. The file also belongs to the group 'Engineering'. The first field in the entry displays the
permission bits. In this case the owner, 'Wilson', has read, write and execute (rwx) permission. Users that belong
to the group 'Engineering' have read and execute (r-x) permission. All other users have execute only (--x)
permission.
When a user attempts to access a file, the file system first categorizes the user as owner, group, or other,
based on matching the file's UID and GID against the user's UID and GID. Once the user is categorized, only the
permission bits of that category are examined to determine the allowed access.
An extension of this security system is the Network Information Services (NIS). The NIS service automatically
distributes centrally maintained system files to all of the host systems on the network. This allows security files,
such as the passwd file, to be maintained centrally. With this service, users need not create and maintain a
separate account on each host; in fact, security can be enhanced by preventing users from creating and
managing local accounts on each host. NIS also prevents the same UID number from being assigned to several
different users, which could be problematic in network file storage.
One weakness of this security system is that individuals on other UNIX host systems who have root
access to their own system can easily create local accounts with any UID they desire. Thus,
unscrupulous users can impersonate other accounts when accessing remote resources. To address this security
weakness, a second mechanism may be employed that restricts host access to remote resources.
Copyright © 2000 Hewlett-Packard Company
All Rights Reserved
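As an added illustration of the two-step check described above (categorize by UID/GID, then consult only that category's bits) and of why a forged UID from another host defeats it unless host access is also restricted. This is example code written for this page, not code from the HP manual or the NetStorage software; the UIDs, GIDs and host names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    """The three pieces of security metadata the manual lists for a file."""
    uid: int    # owner's UID
    gid: int    # group owner's GID
    mode: str   # permission bits as shown in a listing, e.g. "-rwxr-x--x"

def parse_mode(mode: str) -> dict:
    """Split a 10-character listing mode into owner/group/other rwx triplets."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode such as -rwxr-x--x")
    return {"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}

def classify(f: FileMeta, uid: int, gids: set) -> str:
    """Step 1 of the check: the requester lands in exactly one category."""
    if uid == f.uid:
        return "owner"
    if f.gid in gids:
        return "group"
    return "other"

def allowed(f: FileMeta, uid: int, gids: set, want: str) -> bool:
    """Step 2: only the chosen category's bits are consulted, never another's."""
    triplet = parse_mode(f.mode)[classify(f, uid, gids)]
    return all(ch in triplet for ch in want)

def nfs_allowed(f, uid, gids, want, client_host, exported_to=None) -> bool:
    """UID check plus the host restriction the manual calls the second mechanism.
    exported_to=None models the weakness: a claimed UID is trusted from any host."""
    if exported_to is not None and client_host not in exported_to:
        return False
    return allowed(f, uid, gids, want)

# Constructed sample data (hypothetical UIDs, GIDs and host names, not from the manual)
ENGINEERING = 100
WILSON, BOB, EVE = 1001, 1002, 1003   # Bob is in Engineering, Eve is not
TESTFILE = FileMeta(uid=WILSON, gid=ENGINEERING, mode="-rwxr-x--x")

if __name__ == "__main__":
    print(allowed(TESTFILE, WILSON, {ENGINEERING}, "rwx"))  # owner: True
    print(allowed(TESTFILE, BOB, {ENGINEERING}, "w"))       # group is r-x: False
    print(allowed(TESTFILE, EVE, {200}, "r"))               # other is --x: False
    # A request from an unlisted host that carries the owner's UID is accepted
    # unless the export is restricted to known hosts.
    print(nfs_allowed(TESTFILE, WILSON, set(), "w", "unknown-host"))  # True
    print(nfs_allowed(TESTFILE, WILSON, set(), "w", "unknown-host",
                      exported_to={"eng01"}))                # False
```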
Page 5 of 28