forbidden to their profiles. It is important to become aware of which users from
which groups have access to your data. GIDs can help a user from a powerful
group gain unauthorized access to sensitive data.
The various IDs a user has and the attached authorities can create NFS security
hazards. This is particularly crucial when dealing with the CHGNFSEXP command
options for making file system available to clients. For more information regarding
exporting safely, see “Securely Exporting File Systems”on page 87.
Mapping User Identifications
Whenever users successfully log onto a server, the server automatically and
immediately grants the authorities for their user profiles on that server.
When users access remote server files through local client systems, their requests
are sent to that remote server. The server will check the user’s UID and authority
with each request, due to the statelessness of NFS. As a user accesses a remote
server, the request carries
only
the UID and
not
the user profile name (nor any
password). The server then maps the UID to a matching authority
no matter
what
user profile name it actually has. This can cause problems if UIDs from different
systems match each other, yet belong to different users. See “UID Mapping
Examples” on page85 for more information about improper UID mapping.

Potential User Identification Mapping Scenarios

There are four possibilities for UID mapping across a distributed network:
1. The UID of a user on a client and server map to the same user profile. There is
no conflict.
2. The UID of a user exists on both the client and server, but is mapped to
different profiles. This can cause security conflicts because users can be
mapped to profiles with more or less authority than what is required.
3. The UID of a user exists on the client, but does not exist on the server. In this
case, the export entry is checked for an entry for the ANON parameter.If a
profile is found for mapping anonymous users, then the UID of the user will be
mapped to this profile. If the server does not allow the mapping of anonymous
users, then a user making this request will receive the EACCES error condition.
See “Anonymous Users” on page88 for more information about the ANON
parameter and allowing anonymous users access to your exports.
Because of differing UID mapping across a network, users may have problems
working with files on a remote system. This occurs because users do not have the
same authority on the remote system as on the local system.

Administrating User Identifications

The administrator of an NFS namespace must be ready to:
1. Set up matching authorities, whenever possible, for users. This ensures that
they will not become confused while crossing mount points and working on both
local and remote systems. This includes properly mapping UIDs and GIDs
throughout the network.
2. Create appropriate individual authorities that are tailored to both the system and
the user. These authorities need not be
matching
, but they should be
84 OS/400 Network File System Support V4R4
|
|
|