Goals
In this session you will:
- understand the problems that NFS was designed to fix
- understand the problems that NIS was designed to fix
- backfill some important ideas about permissions on Solaris boxes
- understand NIS domain design
what NFS is for
- mount remote filesystems as if they were local
- centralize data storage for users that log on from various points
- allow for Network Attached Storage
what NIS is for
- maintaining configuration files across multiple machines
- allowing for unified account information (consider the UID/GID problem with NFS)
- hostname lookups (a la DNS)
advanced permissions
setuid, setgid
- generally used to elevate rights on a binary; suid scripts are deprecated and many shells and *nix distributions will go out of their way to circumvent privileged execution.
- more on setuid,
a short tutorial,
---s--s--t 7000 setuid, setgid, sticky
---s--s--- 6000 setuid, setgid
---s-----t 5000 setuid, sticky
---s------ 4000 setuid
------s--t 3000 setgid, sticky
---s------ 2000 setgid
---------t 1000 sticky
---------- 0000 none
/usr/bin/find / -user root -perm -4000 -o -perm -2000
Access Control Lists (ACLs) (Solaris only)
File Access Control Lists are a way to achieve finer permissions granularity than normal unix ownership/permissions allows. ACLs are allowed on files and dirs, and dirs can have (and should have) a default ACL.
getfacl shows the current ACL
$ getfacl examplefile
# file: examplefile
# owner: snelling
# group: snelling
user::rw-
group::r-- #effective:r--
mask:r--
other:r--
The main difference here is the presence of a mask which specifies the maximal permission for any non-user (ie, non-owner) account.
setfacl sets the ACL for a file or directory
setfacl -s acl_settings file - set the ACL. cf numerical mode chmod
setfacl -m acl_settings file - modify the ACL. cf symbolic mode chmod
u[ser]::perms
g[roup]::perms
o[ther]:perms
m[ask]:perms
u[ser]:uid:perms
g[roup]:gid:perms
d[efault]:u[ser]::perms
d[efault]:g[roup]::perms
d[efault]:o[ther]:perms
d[efault]:m[ask]:perms
d[efault]:u[ser]:uid:perms
d[efault]:g[roup]:gid:perms
getfacl bar | setfacl -f - foo
RBAC
RBAC is generally implemented via the SMC.
- some utilities are RBAC-aware; some will need to be run through SMC
- may require the creation of roles before granting privs to users
remote logins and authentication
rlogin and rsh are superceded by
ssh.
ssh -C -v -l login hostname
- like telnet
- like rlogin/.rhosts
- like ftp
NIS Domain design considerations
- only on secured network
- load placed on network by NIS broadcast traffic
- load placed on network by RPC traffic (various uses: editors v. ls)
- server - client ratio 30:1 with same speed
- master - slave ratio
- master - slave - slave setups, cross-binding, and lockups
- multiple domains?
- tuning and design info later
http://www.mousetrap.net/syllabus/solaris8-nfs/day1.html
$Id: day1.orb,v 1.5 2002/11/10 23:25:46 mouse Exp $
