62 Securing NFS in AIX
7. The server NFS passes the context token to the server gssd in a request to
accept the context.
8. The server gssd passes the token to the KDC to verify the requesting user’s
9. If the KDC accepts the token, it returns another token to the server gssd and
a context handle. This token will authenticate the server’s identity to the
requesting client.
10. The server gssd returns this token to the server NFS. The server NFS now
has established context.
11. The server NFS returns the accept token to the client in response to the NULL
RPC call.
12. The client passes the accept token to the client gssd in a second call to
initiate the context.
13. The client gssd calls the KDC to verify the server’s token.
14. If the KDC accepts the token, it returns a context handle to the client gssd.
15. The client gssd returns the context handle to the client NFS. The client now
has established context.
16. The original NFS operation can now proceed under the established context.
17. The NFS server responds to the original operation.
18. Results of the original operation are returned to the user process.
3.4 NFS V4 user authorization
User authorization in an NFS context means controlling user access to
directories and files in the exported file systems. This section describes two ways
to control this access: via standard UNIX file permissions and via NFS V4
Access Control Lists (ACLs).
ACLs provide for more granular access control than standard UNIX file
permissions. One of the main differences is in group access. Whereas standard
UNIX permissions only provide access control for one group (the group that owns
the file), ACLs enable different access permissions to be specified for multiple
groups. ACLs also allow access permissions to be specified at a user level, but
controlling access on a per-user basis is usually not practical for organizations of
any size.
Note: Although you can also use AIX ACLs (known in AIX 5.3 as the AIXC
ACL type), they are only supported on AIX systems, and they have not been
widely adopted. We do not discuss them in detail in this document. For more
about AIXC ACLs, see the AIX 5L Version 5.3 Security Guide, SC23-4907.
Chapter 3. Enhanced security in NFS V4 63
3.4.1 Standard UNIX file permissions
The standard UNIX file permission model consists of granting read, write, and
execute access to three categories of users:
User: The user who owns the file
Group: The group that owns the file
Other: Everyone else
This model frequently is inadequate when applied to a real-world organization
structure. Individuals often operate in multiple roles, or different individuals
operating in the same role may have attributes that require different data access.
For example, access to data is sometimes restricted based on company
affiliation. Two people working on an engineering project might be from different
companies. Although they both can have access to much of the engineering
data, some of that data may be restricted to employees of one company and not
the other. This sort of granular access control is very difficult, if not impossible, to
implement using standard UNIX file permissions.
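The following added example (not code from the Redbook) models the two-company engineering scenario above to make the limitation concrete. It implements the standard three-category check exactly as the mode bits define it, and beside it a simplified ACL check with base permissions plus extended permit/deny entries for multiple users and groups. The ACL evaluation order used here is an assumption for illustration, not the exact AIXC or NFS V4 algorithm; the users, groups and files are constructed sample data.

```python
"""Standard UNIX mode-bit check versus a multi-group ACL check.

Added example; the ACL semantics (base decision, deny overrides, permit adds)
are a simplified assumption and not the AIXC or NFS V4 evaluation rules.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset  # every group the user is a member of


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o640


@dataclass
class AclEntry:
    kind: str   # "permit" or "deny"
    perms: str  # subset of "rwx", e.g. "r--"
    who: str    # "u:<user>" or "g:<group>"


@dataclass
class AclFile(UnixFile):
    extended: list = field(default_factory=list)


BIT = {"r": 4, "w": 2, "x": 1}


def unix_allows(f: UnixFile, p: Principal, want: str) -> bool:
    """Standard model: exactly one category applies (user, then group, then other)."""
    bit = BIT[want]
    if p.user == f.owner:
        return bool((f.mode >> 6) & bit)
    if f.group in p.groups:
        return bool((f.mode >> 3) & bit)
    return bool(f.mode & bit)


def acl_allows(f: AclFile, p: Principal, want: str) -> bool:
    """Simplified ACL model (assumption): start from the base UNIX decision,
    let any matching deny entry override, and let matching permit entries add rights."""
    def matches(e: AclEntry) -> bool:
        if e.who.startswith("u:"):
            return e.who[2:] == p.user
        return e.who[2:] in p.groups

    relevant = [e for e in f.extended if matches(e) and want in e.perms]
    if any(e.kind == "deny" for e in relevant):
        return False
    if any(e.kind == "permit" for e in relevant):
        return True
    return unix_allows(f, p, want)


# Constructed sample data: two companies share one engineering project.
ALICE = Principal("alice", frozenset({"eng_acme"}))     # company A engineer, owner
BOB = Principal("bob", frozenset({"eng_globex"}))       # company B engineer
DAVE = Principal("dave", frozenset({"eng_acme"}))       # company A, explicitly excluded
CAROL = Principal("carol", frozenset())                 # unrelated user

# Shared design data: both companies' engineering groups may read it, nobody else.
# With mode bits alone only eng_acme can be named; the ACL entry adds eng_globex.
SHARED = AclFile("alice", "eng_acme", 0o640,
                 extended=[AclEntry("permit", "r--", "g:eng_globex")])

# Restricted data: company A only, and one company A user is denied outright.
RESTRICTED = AclFile("alice", "eng_acme", 0o640,
                     extended=[AclEntry("deny", "r--", "u:dave")])


def evaluate_scenario() -> dict:
    """Return read decisions for each user under both models."""
    return {
        (name, label, model): fn(f, p, "r")
        for name, p in (("alice", ALICE), ("bob", BOB), ("dave", DAVE), ("carol", CAROL))
        for label, f in (("shared", SHARED), ("restricted", RESTRICTED))
        for model, fn in (("unix", unix_allows), ("acl", acl_allows))
    }


if __name__ == "__main__":
    for key, decision in sorted(evaluate_scenario().items()):
        print(f"{key[0]:6} {key[1]:11} {key[2]:5} -> {'allow' if decision else 'deny'}")
```

The interesting rows are bob on the shared file (denied by the mode bits because only one group can be named, allowed by the ACL) and dave on the restricted file (allowed by the mode bits through group membership, denied by the ACL). Reaching the same result with mode bits alone would mean either creating a new group per combination of roles or opening the file to "other".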
3.4.2 AIXC ACLs
An AIXC ACL has two parts:
- Base permissions, which map directly to the standard user/group/other UNIX
file permissions
- Extended permissions, which enable you to control access to other specific
users and groups
Here is an example of an AIXC ACL (in aclget format) that has extended
* ACL_type AIXC
attributes: SGID
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions