HP-UX Reference (11i v1 05/09) - 1 User Commands N-Z (vol 2)
nis+(1) nis+(1)
Access rights are interpreted as follows:
read This right grants read access to an object. For directory and table objects, having read access
on the parent object conveys read access to all of the objects that are direct children of a
directory, or entries within a table.
modify This right grants modification access to an existing object. Read access is not required for
modification. However, in many applications, one will need to read an object before modifying
it. Such modify operations will fail unless read access is also granted.
create This right gives a client permission to create new objects where one had not previously existed.
It is only used in conjunction with directory and table objects. Having create access for a table
allows a client to add additional entries to the table. Having create access for a directory
allows a client to add new objects to an NIS+ directory.
destroy This right gives a client permission to destroy or remove an existing object or entry. When a
client attempts to destroy an entry or object by removing it, the service first checks to see if
the table or directory containing that object grants the client destroy access. If it does, the
operation proceeds. If the containing object does not grant this right, then the object itself is
checked to see if it grants this right to the client. If the object grants the right, then the
operation proceeds; otherwise the request is rejected.
Each of these rights may be granted to any one of four different categories of principal.
owner A right may be granted to the owner of an object. The owner is the NIS+ principal identified
in the owner field. The owner can be changed with the nischown(1) command. Note that if the
owner does not have modification access rights to the object, the owner cannot change any
access rights to the object, unless the owner has modification access rights to its parent object.
group owner
A right may be granted to the group owner of an object. This grants the right to any principal
that is identified as a member of the group associated with the object. The group owner may
be changed with the nischgrp(1) command. The object owner need not be a member of this
group.
world A right may be granted to everyone in the world. This grants the right to all clients who have
authenticated themselves with the service.
nobody A right may be granted to the nobody principal. This has the effect of granting the right to
any client that makes a request of the service, regardless of whether they are authenticated or
not.
Note that for bootstrapping reasons, directory objects that are NIS+ domains, the org_dir subdirectory and
the cred table within that subdirectory must grant read access to the nobody principal. This makes
navigation of the namespace possible when a client is in the process of locating its credentials. Granting
this access does not allow the contents of other tables within org_dir to be read (such as the entries in the
passwd table) unless the table itself grants "read" access rights to the nobody principal.
Directory Authorization
Additional capabilities are provided for granting access rights to clients for directories. These rights are
contained within the object access rights (OAR) structure of the directory. This structure allows the NIS+
service to grant, for objects of a specific type contained in the directory, rights that the directory
object itself does not grant.
An example of this capability is a directory object which does not grant create access to all clients, but does
grant create access in the OAR structure for group type objects to clients who are members of the NIS+
group associated with the directory. In this example, the only objects that such a group member could create
as children of the directory would be objects of type group.
Another example is a directory object that grants create access only to the owner of the directory, and then
additionally grants create access through the OAR structure for objects of type table, link, group, and
private to any member of the directory’s group. This has the effect of giving nearly complete create access
to the group with the exception of creating subdirectories. This restricts the creation of new NIS+ domains
because creating a domain requires creating both a groups_dir and org_dir subdirectory.
Note that there is currently no command line interface to set or change the OAR of the directory object.
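The following Python model is an added illustration, not code from HP-UX or the NIS+ service, of the authorization rules described above: the four rights (r, m, c, d) granted to the four principal categories, the two-step container-then-object check for destroy, the owner's ability to change rights through modify access on the parent, and the per-type create override that the directory's OAR structure provides. The 16-character rights string layout (four characters each for nobody, owner, group, world, in that order) is the form NIS+ tools display; the sample namespace, principal names and group names are constructed for the example and do not describe a real server.

```python
"""Model of NIS+ object authorization as described in nis+(1).

Constructed example: the objects, principals and rights below are made up
to exercise the rules; they are not read from any NIS+ server.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

RIGHTS = "rmcd"                                       # read, modify, create, destroy
CATEGORIES = ("nobody", "owner", "group", "world")    # order in a 16-char rights string


def parse_rights(s: str) -> Dict[str, Set[str]]:
    """Turn a 16-char rights string such as 'r---rmcdr---r---' into {category: set(rights)}."""
    if len(s) != 16:
        raise ValueError("rights string must be 16 characters")
    out = {}
    for i, cat in enumerate(CATEGORIES):
        chunk = s[4 * i:4 * i + 4]
        granted = set()
        for ch, want in zip(chunk, RIGHTS):
            if ch == want:
                granted.add(ch)
            elif ch != "-":
                raise ValueError("bad rights character %r in %r" % (ch, s))
        out[cat] = granted
    return out


@dataclass
class Principal:
    name: Optional[str]                   # None models an unauthenticated request
    groups: FrozenSet[str] = frozenset()  # NIS+ groups the principal belongs to


@dataclass
class NisObject:
    name: str
    kind: str          # "directory", "table", "entry", "group", "link" or "private"
    owner: str
    group: str
    rights: Dict[str, Set[str]]
    # OAR: {object type: {category: rights}}; only meaningful on directories
    oar: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    parent: Optional["NisObject"] = None


def categories_for(p: Principal, obj: NisObject) -> Set[str]:
    """Every request is 'nobody'; authenticated ones add world, and owner/group where they apply."""
    cats = {"nobody"}
    if p.name is not None:
        cats.add("world")
        if p.name == obj.owner:
            cats.add("owner")
        if obj.group in p.groups:
            cats.add("group")
    return cats


def _granted(rights_by_cat: Dict[str, Set[str]], cats: Set[str], right: str) -> bool:
    return any(right in rights_by_cat.get(c, ()) for c in cats)


def has_right(p: Principal, obj: NisObject, right: str) -> bool:
    """Direct check of one right on one object (read, modify; the simple cases)."""
    return _granted(obj.rights, categories_for(p, obj), right)


def can_destroy(p: Principal, obj: NisObject) -> bool:
    """destroy: the containing table/directory is consulted first, then the object itself."""
    if obj.parent is not None and has_right(p, obj.parent, "d"):
        return True
    return has_right(p, obj, "d")


def can_create(p: Principal, container: NisObject, kind: str) -> bool:
    """create: the container's own create right, else (directories only) the OAR entry for that type."""
    if container.kind not in ("directory", "table"):
        raise ValueError("create applies only to directories and tables")
    if has_right(p, container, "c"):
        return True
    if container.kind != "directory":
        return False
    return _granted(container.oar.get(kind, {}), categories_for(p, container), "c")


def owner_can_change_rights(p: Principal, obj: NisObject) -> bool:
    """An owner without modify on the object may still change its rights via modify on the parent."""
    if p.name != obj.owner:
        return False
    return has_right(p, obj, "m") or (obj.parent is not None and has_right(p, obj.parent, "m"))


# Constructed sample namespace (hypothetical domain and principals).
MASTER = Principal("master.example.com.")
ADMIN = Principal("alice.example.com.", frozenset({"admin.example.com."}))
BOB = Principal("bob.example.com.")
CAROL = Principal("carol.example.com.")
ANON = Principal(None)

# Domain directory: nobody r, owner rmcd, group r, world r; OAR lets the group create
# tables, links, groups and private objects but not subdirectories (second example above).
DOMAIN = NisObject("example.com.", "directory", "master.example.com.", "admin.example.com.",
                   parse_rights("r---rmcdr---r---"),
                   oar={k: {"group": {"c"}} for k in ("table", "link", "group", "private")})
ORG_DIR = NisObject("org_dir.example.com.", "directory", "master.example.com.",
                    "admin.example.com.", parse_rights("r---rmcdr---r---"), parent=DOMAIN)
CRED = NisObject("cred.org_dir.example.com.", "table", "master.example.com.",
                 "admin.example.com.", parse_rights("r---rmcdrmcdr---"), parent=ORG_DIR)
PASSWD = NisObject("passwd.org_dir.example.com.", "table", "master.example.com.",
                   "admin.example.com.", parse_rights("----rmcdrmcdr---"), parent=ORG_DIR)
BOB_ENTRY = NisObject("[name=bob],passwd.org_dir.example.com.", "entry", "bob.example.com.",
                      "admin.example.com.", parse_rights("----rm------r---"), parent=PASSWD)
```

Walking the sample: an unauthenticated client can read the domain directory and the cred table (both grant read to nobody) but not the passwd table; a member of admin.example.com. can create a table under the domain through the OAR but not a subdirectory, and can destroy bob's passwd entry because the containing table grants the group destroy, even though the entry itself grants destroy to no one.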
HP-UX 11i Version 1: September 2005 − 6 − Hewlett-Packard Company Section 1−−611