HP-UX Reference (11i v2 07/12) - 1 User Commands N-Z (vol 2)

nis+(1) nis+(1)
object apply only to that object. However, for purposes of authorization, rights granted to clients reading
directory and table objects are granted to those clients for all of the objects "contained" by the parent object.
This notion of containment is abstract. The objects do not actually contain other objects within them. Note
that group objects do contain the list of principals within their definition.
Access rights are interpreted as follows:

read
    This right grants read access to an object. For directory and table objects, having read
    access on the parent object conveys read access to all of the objects that are direct children
    of a directory, or entries within a table.

modify
    This right grants modification access to an existing object. Read access is not required for
    modification. However, in many applications, one will need to read an object before modifying
    it. Such modify operations will fail unless read access is also granted.

create
    This right gives a client permission to create new objects where one had not previously
    existed. It is only used in conjunction with directory and table objects. Having create
    access for a table allows a client to add additional entries to the table. Having create access
    for a directory allows a client to add new objects to an NIS+ directory.

destroy
    This right gives a client permission to destroy or remove an existing object or entry. When
    a client attempts to destroy an entry or object by removing it, the service first checks to see
    if the table or directory containing that object grants the client destroy access. If it does,
    the operation proceeds. If the containing object does not grant this right then the object
    itself is checked to see if it grants this right to the client. If the object grants the right,
    then the operation proceeds; otherwise the request is rejected.
Each of these rights may be granted to any one of four different categories.

owner
    A right may be granted to the owner of an object. The owner is the NIS+ principal
    identified in the owner field. The owner can be changed with the nischown(1) command.
    Note that if the owner does not have modification access rights to the object, the owner cannot
    change any access rights to the object, unless the owner has modification access rights
    to its parent object.

group owner
    A right may be granted to the group owner of an object. This grants the right to any principal
    that is identified as a member of the group associated with the object. The group owner
    may be changed with the nischgrp(1) command. The object owner need not be a member of
    this group.

world
    A right may be granted to everyone in the world. This grants the right to all clients who
    have authenticated themselves with the service.

nobody
    A right may be granted to the nobody principal. This has the effect of granting the right to
    any client that makes a request of the service, regardless of whether they are authenticated
    or not.

Note that for bootstrapping reasons, directory objects that are NIS+ domains, the org_dir subdirectory and
the cred table within that subdirectory must have read access to the nobody principal. This makes navigation
of the namespace possible when a client is in the process of locating its credentials. Granting this
access does not allow the contents of other tables within org_dir to be read (such as the entries in the
password table) unless the table itself gives "read" access rights to the nobody principal.
Directory Authorization
Additional capabilities are provided for granting access rights to clients for directories. These rights are
contained within the object access rights (OAR) structure of the directory. This structure allows the NIS+
service to grant rights that are not granted by the directory object to be granted for objects contained by
the directory of a specific type.
An example of this capability is a directory object which does not grant create access to all clients, but does
grant create access in the OAR structure for group type objects to clients who are members of the NIS+
group associated with the directory. In this example the only objects that could be created as children of
the directory would have to be of the type group.
Another example is a directory object that grants create access only to the owner of the directory, and then
additionally grants create access through the OAR structure for objects of type table, link, group, and
private to any member of the directory’s group. This has the effect of giving nearly complete create access
to the group with the exception of creating subdirectories. This restricts the creation of new NIS+ domains
because creating a domain requires creating both a groups_dir and org_dir subdirectory.
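The following is an added worked example, written for this page and not part of HP-UX or the NIS+ service, that models the authorization rules described above: the four rights and four categories, read conveyed from a parent directory or table to its direct children or entries, the two-step destroy check (containing object first, then the object itself), and a directory OAR structure that grants create for one object type only. The object layout, the way principals and groups are represented, and the sample names (example.com., admin, alice, bob, the anonymous caller) are all constructed for the illustration; real NIS+ rights are stored and displayed differently.

```python
# Toy model of NIS+ authorization decisions (added example, not HP-UX/NIS+ code).
# Object layout, principal representation and all names below are constructed.
from dataclasses import dataclass, field

RIGHTS = ("read", "modify", "create", "destroy")


@dataclass(frozen=True)
class Principal:
    name: str                        # NIS+ principal name (constructed)
    authenticated: bool = True       # False models an unauthenticated requester
    groups: frozenset = frozenset()  # NIS+ groups this principal belongs to


@dataclass
class NisObject:
    name: str
    kind: str            # directory, table, entry, group, link, private
    owner: str
    group: str
    rights: dict         # category -> set of rights granted directly by this object
    parent: "NisObject | None" = None
    # Directory-only OAR: object type -> {category -> set of rights}
    oar: dict = field(default_factory=dict)


def rights(owner=(), group=(), world=(), nobody=()):
    """Build the per-category rights dict for an object."""
    return {"owner": set(owner), "group": set(group), "world": set(world), "nobody": set(nobody)}


def categories_for(principal, obj):
    """Which of the four categories the principal falls into for this object."""
    cats = {"nobody"}                        # every requester, authenticated or not
    if principal.authenticated:
        cats.add("world")                    # all authenticated clients
        if principal.name == obj.owner:
            cats.add("owner")
        if obj.group in principal.groups:    # the owner need not be a group member
            cats.add("group")
    return cats


def grants(obj, principal, right, kind=None):
    """True if obj grants `right` to principal directly, or, for a directory,
    through its OAR entry for contained objects of type `kind`."""
    cats = categories_for(principal, obj)
    if any(right in obj.rights.get(c, set()) for c in cats):
        return True
    if kind is not None and obj.kind == "directory":
        per_type = obj.oar.get(kind, {})
        return any(right in per_type.get(c, set()) for c in cats)
    return False


def can_read(obj, principal):
    """Read on a directory or table conveys read on its direct children or entries."""
    if grants(obj, principal, "read"):
        return True
    p = obj.parent
    return p is not None and p.kind in ("directory", "table") and grants(p, principal, "read", obj.kind)


def can_modify(obj, principal):
    """Modify is checked on its own; read is not required."""
    return grants(obj, principal, "modify")


def can_create(container, principal, kind):
    """Create applies only to directories and tables; a directory OAR may grant it per type."""
    if container.kind not in ("directory", "table"):
        return False
    return grants(container, principal, "create", kind)


def can_destroy(obj, principal):
    """The containing object is consulted first, then the object itself."""
    p = obj.parent
    if p is not None and grants(p, principal, "destroy", obj.kind):
        return True
    return grants(obj, principal, "destroy")


def demo():
    """Constructed namespace: a domain whose group may create only group objects,
    with org_dir and cred readable by nobody for bootstrapping, and a passwd table that is not."""
    admin = Principal("admin.example.com.", groups=frozenset({"admin.example.com."}))
    alice = Principal("alice.example.com.", groups=frozenset({"admin.example.com."}))
    anon = Principal("nobody", authenticated=False)
    g = "admin.example.com."
    domain = NisObject("example.com.", "directory", admin.name, g,
                       rights(owner=RIGHTS, group=("read",), world=("read",), nobody=("read",)),
                       oar={"group": {"group": {"create"}}})       # OAR: group members may create group objects
    org_dir = NisObject("org_dir.example.com.", "directory", admin.name, g,
                        rights(owner=RIGHTS, world=("read",), nobody=("read",)), parent=domain)
    cred = NisObject("cred.org_dir.example.com.", "table", admin.name, g,
                     rights(owner=RIGHTS, nobody=("read",)), parent=org_dir)
    passwd = NisObject("passwd.org_dir.example.com.", "table", admin.name, g,
                       rights(owner=RIGHTS, world=("read",)), parent=org_dir)
    entry = NisObject("bob", "entry", "bob.example.com.", g,
                      rights(owner=("read", "modify"), group=("modify",)), parent=passwd)
    return {
        "alice_create_group": can_create(domain, alice, "group"),     # via OAR
        "alice_create_table": can_create(domain, alice, "table"),     # no OAR entry for tables
        "anon_read_passwd_table": can_read(passwd, anon),             # table object via org_dir read
        "anon_read_passwd_entry": can_read(entry, anon),              # entries are not reached
        "anon_read_cred_table": can_read(cred, anon),
        "admin_destroy_entry": can_destroy(entry, admin),             # containing table grants it
        "alice_destroy_entry": can_destroy(entry, alice),             # neither table nor entry grants it
        "alice_modify_entry": can_modify(entry, alice),               # modify without read
        "anon_modify_entry": can_modify(entry, anon),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:24s} {'granted' if allowed else 'rejected'}")
```

Two results are worth noting. The unauthenticated caller can read the passwd table object (it is a direct child of org_dir, which grants nobody read) but cannot read an entry inside it, because read on a directory does not reach into the entries of the tables it contains; that is exactly the distinction the bootstrapping note above draws. And alice, who is in the directory's group, can create group objects through the OAR but nothing else, matching the first Directory Authorization example.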
52 Hewlett-Packard Company 6 HP-UX 11i Version 2: December 2007 Update