HP-UX Reference (11i v2 04/09) - 1 User Commands N-Z (vol 2)
nis+(1) nis+(1)
directory and table objects are granted to those clients for all of the objects "contained" by the parent
object. This notion of containment is abstract. The objects do not actually contain other objects within
them. Note that group objects do contain the list of principals within their definition.
Access rights are interpreted as follows:

read
    This right grants read access to an object. For directory and table objects, having read access on the parent object conveys read access to all of the objects that are direct children of a directory, or entries within a table.

modify
    This right grants modification access to an existing object. Read access is not required for modification. However, in many applications, one will need to read an object before modifying it. Such modify operations will fail unless read access is also granted.

create
    This right gives a client permission to create new objects where one had not previously existed. It is only used in conjunction with directory and table objects. Having create access for a table allows a client to add additional entries to the table. Having create access for a directory allows a client to add new objects to an NIS+ directory.

destroy
    This right gives a client permission to destroy or remove an existing object or entry. When a client attempts to destroy an entry or object by removing it, the service first checks to see if the table or directory containing that object grants the client destroy access. If it does, the operation proceeds. If the containing object does not grant this right, then the object itself is checked to see if it grants this right to the client. If the object grants the right, then the operation proceeds; otherwise the request is rejected.
Each of these rights may be granted to any one of four different categories.

owner
    A right may be granted to the owner of an object. The owner is the NIS+ principal identified in the owner field. The owner can be changed with the nischown(1) command. Note that if the owner does not have modification access rights to the object, the owner cannot change any access rights to the object, unless the owner has modification access rights to its parent object.

group owner
    A right may be granted to the group owner of an object. This grants the right to any principal that is identified as a member of the group associated with the object. The group owner may be changed with the nischgrp(1) command. The object owner need not be a member of this group.

world
    A right may be granted to everyone in the world. This grants the right to all clients who have authenticated themselves with the service.

nobody
    A right may be granted to the nobody principal. This has the effect of granting the right to any client that makes a request of the service, regardless of whether they are authenticated or not.
Note that for bootstrapping reasons, directory objects that are NIS+ domains, the org_dir subdirectory, and the cred table within that subdirectory must grant read access to the nobody principal. This makes navigation of the namespace possible while a client is locating its credentials. Granting this access does not allow the contents of other tables within org_dir to be read (such as the entries in the password table) unless the table itself grants "read" access rights to the nobody principal.
Directory Authorization
Additional capabilities are provided for granting access rights to clients for directories. These rights are contained within the object access rights (OAR) structure of the directory. This structure allows the NIS+ service to grant, for objects of a specific type contained by the directory, rights that the directory object itself does not grant.
An example of this capability is a directory object which does not grant create access to any client, but does grant create access in the OAR structure for group type objects to clients who are members of the NIS+ group associated with the directory. In this example the only objects that could be created as children of the directory would be of type group.

Another example is a directory object that grants create access only to the owner of the directory, and then additionally grants create access through the OAR structure for objects of type table, link, group, and private to any member of the directory's group. This has the effect of giving the group nearly complete create access, with the exception of creating subdirectories. This restricts the creation of new NIS+ domains, because creating a domain requires creating both a groups_dir and an org_dir subdirectory.
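The authorization rules described in the preceding sections (the four categories of grantee, the nobody principal applying to unauthenticated clients, the two-step destroy check against the containing object and then the object itself, and the per-type OAR create rights of a directory) worked through in a small Python model. This is an added example, not HP-UX or NIS+ code: the object record layout, the 16-character rmcd mask with its four columns ordered nobody, owner, group, world, and every principal, group and object name are constructed for the illustration and are not taken from this page.

```python
"""Model of the NIS+ access-right checks described in nis+(1).

Added example, not HP-UX code.  The record layout, the 16-character
mask ordering (nobody, owner, group, world; each column r m c d) and
all names below are constructed assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

RIGHTS = "rmcd"                                   # read, modify, create, destroy
CATEGORIES = ("nobody", "owner", "group", "world")  # column order of the mask (assumed)

# Constructed group membership: NIS+ group name -> set of principals.
GROUPS = {"admin.example.com.": {"alice.example.com.", "bob.example.com."}}


@dataclass
class NisObject:
    name: str
    otype: str            # "directory", "table", "group", "link", "entry", ...
    owner: str            # owner principal (the owner field)
    group: str            # group owner (the NIS+ group associated with the object)
    mask: str             # 16 chars: nobody rmcd | owner rmcd | group rmcd | world rmcd
    oar: dict = field(default_factory=dict)   # directories only: object type -> 16-char mask


def mask_grants(mask: str, category: str, right: str) -> bool:
    """True if the mask grants `right` (one of r m c d) to `category`."""
    if len(mask) != 16 or right not in RIGHTS:
        raise ValueError("bad mask or right")
    idx = CATEGORIES.index(category) * 4 + RIGHTS.index(right)
    return mask[idx] == right


def categories_for(principal: Optional[str], obj: NisObject) -> list:
    """Every category the requester falls into relative to `obj`.

    `principal is None` models an unauthenticated client: only the
    nobody category applies.  Authenticated clients are always `world`,
    plus `group` if they are in the object's group and `owner` if they
    are the owner.  The owner need not be a member of the group.
    """
    cats = ["nobody"]
    if principal is None:
        return cats
    cats.append("world")
    if principal in GROUPS.get(obj.group, set()):
        cats.append("group")
    if principal == obj.owner:
        cats.append("owner")
    return cats


def grants(mask: str, principal: Optional[str], obj: NisObject, right: str) -> bool:
    """Does `mask`, read relative to `obj`'s owner and group, give `principal` the right?"""
    return any(mask_grants(mask, c, right) for c in categories_for(principal, obj))


def can_read(principal, obj):
    return grants(obj.mask, principal, obj, "r")


def can_modify(principal, obj):
    return grants(obj.mask, principal, obj, "m")


def can_destroy(principal, obj, container):
    """Destroy: the containing table/directory is consulted first; only if it
    does not grant destroy is the object's own mask checked."""
    if grants(container.mask, principal, container, "d"):
        return True
    return grants(obj.mask, principal, obj, "d")


def can_create(principal, directory, new_otype):
    """Create in a directory: the directory's own mask, or failing that the
    OAR entry for the type of object being created."""
    if grants(directory.mask, principal, directory, "c"):
        return True
    oar_mask = directory.oar.get(new_otype)
    return oar_mask is not None and grants(oar_mask, principal, directory, "c")


# Constructed sample namespace.  org_dir grants create only to its owner, but
# the OAR lets members of the directory's group create table/link/group/private
# objects (and not subdirectories), as in the second example in the text.
ORG_DIR = NisObject("org_dir.example.com.", "directory", "root.example.com.",
                    "admin.example.com.", "r---rmcdr---r---",
                    oar={t: "----rmcd--c-----" for t in ("table", "link", "group", "private")})
# cred must be readable by nobody for bootstrapping; passwd is not.
CRED_TABLE = NisObject("cred.org_dir.example.com.", "table", "root.example.com.",
                       "admin.example.com.", "r---rmcdr---r---")
PASSWD_TABLE = NisObject("passwd.org_dir.example.com.", "table", "root.example.com.",
                         "admin.example.com.", "----rmcdr---r---")
# An entry owned by carol; only carol (and whoever the table grants destroy) can remove it.
CAROL_ENTRY = NisObject("[name=carol],passwd.org_dir.example.com.", "entry",
                        "carol.example.com.", "admin.example.com.", "----rmcd--------")

if __name__ == "__main__":
    print("unauthenticated reads cred:", can_read(None, CRED_TABLE))
    print("unauthenticated reads passwd:", can_read(None, PASSWD_TABLE))
    print("bob creates group in org_dir:", can_create("bob.example.com.", ORG_DIR, "group"))
    print("bob creates subdirectory:", can_create("bob.example.com.", ORG_DIR, "directory"))
    print("bob destroys carol's entry:", can_destroy("bob.example.com.", CAROL_ENTRY, PASSWD_TABLE))
```

The mask strings make the text's point visible: passwd grants read to the group and world columns but not to nobody, so an unauthenticated client can still walk org_dir and read cred without seeing password entries, and the OAR mask lets bob create a group object in a directory whose own mask gives him no create right at all.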
Section 1-636 Hewlett-Packard Company - 6 - HP-UX 11i Version 2: September 2004