- Change the file permissions for "the world" while still mapped to QNFSANON

Exporting to The World

Instead of making exported data accessible to everyone, an administrator can employ the technique of specifying selective clients. Administrators can use the ACCESS option of the CHGNFSEXP command to use this technique. This option will also accept particular UIDs, GIDs, and supplemental GIDs. Using the ACCESS option limits access to exported files to only the specified clients. The server will ignore access requests from all other clients. The file /etc/netgroup allows you to create names for groups of clients. These netgroup names can be used on the ACCESS option of the CHGNFSEXP command. For more information on the use of netgroups in exporting, see "How Do I Export File Systems?" on page 28 and "/etc/netgroup File" on page 96.

The only method of limiting access to NFS exports is to use the ACCESS= option of the export command. Even if you add values to or change the RW= and ROOT= options, the export command will still provide read-only access to "the world." The RW= option gives only the listed clients read/write access to the mount. Using the ROOT= option disallows root access for any hosts that are not listed. Using the ACCESS= option makes the export accessible to only the clients that are listed.

 

If users specify no options with the CHGNFSEXP command, the default is to export file systems to "the world," allowing all clients access to data. This can cause a major breach of security because information that may be sensitive will be passed outside of the NFS namespace trusted community. Administrators should only ever export data to those who need it.

Root User Mappings

Lori has a UID of 165 and *ALLOBJ authority on a remote TULAB2. She also has a UID of 165 on a local XHOST1, a UNIX client. If Chris Admin has correctly exported the file systems Lori requests access to on which she has *ALLOBJ authority, then Lori's requests for access will fail. However, if Lori is on the list of ROOT= clients, her requests will not fail.

UNIX servers and AS/400 servers map UIDs differently. A UNIX server will treat a user that comes in with a UID of 0 as a root user. If the client originating the request is not on the ROOT= list in the export options, the user is mapped to the anonymous user. The AS/400's definition of a root user is broader. If the incoming UID maps to any user profile with *ALLOBJ authority on the server, that user is mapped to the anonymous user profile. This is only if the request came from a client that is not on the ROOT= list. In this example, even though Lori is not the root user on her UNIX client, she is still mapped to the anonymous profile on TULAB2. This is because the profile with UID 165 has *ALLOBJ special authority. The AS/400 considers her a root user. This ensures greater security for exported file systems by not allowing remote users to assume this special authority unless they are specifically listed on the export request.
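The following model, an added illustration and not code from the manual, walks through the decisions described in the two sections above for a single NFS request: the ACCESS= filter, the RW= read/write grant, and the ROOT= mapping to the anonymous profile, with the narrower UNIX notion of root (UID 0 only) beside the broader AS/400 one (any *ALLOBJ profile). The Export and Request structures, the resolve function and the sample hosts and profiles are constructed here; only the option names, QNFSANON, UID 165 and the XHOST1 example come from the page.

```python
"""Model of the AS/400 NFS export access rules described in this chapter.

Constructed illustration: the data structures and function names are not the
system's own. It models three decisions the text describes:
  1. ACCESS= : with a list set, unlisted clients are ignored outright;
               with no list the export is open to "the world" (read-only).
  2. RW=     : only listed clients get read/write; everyone else read-only.
  3. ROOT=   : a "root" request from a client not on the list is mapped to
               the anonymous profile QNFSANON. A UNIX server treats only
               UID 0 as root; the AS/400 treats any UID that maps to a
               profile with *ALLOBJ special authority as root.
"""
from dataclasses import dataclass

ANON = "QNFSANON"


@dataclass
class Export:
    access: frozenset = frozenset()  # empty = exported to "the world"
    rw: frozenset = frozenset()      # clients granted read/write
    root: frozenset = frozenset()    # clients allowed to keep root authority


@dataclass
class Request:
    client: str          # host the request originates from
    uid: int             # UID presented by the client
    profile: str         # server user profile that UID maps to (constructed)
    allobj: bool = False  # whether that profile has *ALLOBJ special authority


def is_root(req, server="AS400"):
    """UNIX: only UID 0 is root. AS/400: any *ALLOBJ profile also counts."""
    if server == "UNIX":
        return req.uid == 0
    return req.uid == 0 or req.allobj


def resolve(export, req, server="AS400"):
    """Return (effective_profile, mode), or (None, 'ignored') if filtered out."""
    if export.access and req.client not in export.access:
        return None, "ignored"                     # ACCESS= excludes the client
    mode = "rw" if req.client in export.rw else "ro"  # RW= or world read-only
    if is_root(req, server) and req.client not in export.root:
        return ANON, mode                          # root demoted to QNFSANON
    return req.profile, mode


if __name__ == "__main__":
    exp = Export(access=frozenset({"XHOST1"}), rw=frozenset({"XHOST1"}))
    lori = Request(client="XHOST1", uid=165, profile="LORI", allobj=True)
    print(resolve(exp, lori))                 # ('QNFSANON', 'rw')
    print(resolve(exp, lori, server="UNIX"))  # ('LORI', 'rw')
```

Running the two calls shows the page's point: the same UID 165 request from XHOST1 keeps Lori's identity on a UNIX server but is mapped to QNFSANON on the AS/400 unless XHOST1 is also on the ROOT= list.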

Chapter 9. Network File System Security Considerations 89

IBM AS/400E manual: Exporting to "The World", Root User Mappings

AS/400E specifications

The IBM AS/400E, now more commonly known as IBM i, is a robust and versatile midrange server that has been designed to provide a comprehensive computing solution for businesses of all sizes. First introduced in the late 1980s, the AS/400 series has undergone multiple enhancements and rebranding, with the AS/400E being one of the notable iterations. This powerful platform is closely associated with IBM's commitment to reliability, scalability, and integrated business solutions.

One of the main features of the AS/400E is its highly integrated architecture that combines hardware and software into a cohesive system. This integration allows for seamless operations, reducing the complexity typically associated with managing disparate systems. The system is powered by IBM's proprietary OS/400 operating system, which has evolved into IBM i, featuring advanced capabilities like object-oriented programming, integrated database management, and security features that are essential for enterprise environments.

A key characteristic of the AS/400E is its robust database support, primarily through the use of DB2 for i. This integrated database management system enables efficient data handling and retrieval, facilitating real-time business analytics and reporting. Furthermore, the platform supports a variety of programming languages, including RPG, COBOL, and Java, making it flexible for developers who require diverse tools for application development.

The AS/400E is also known for its exceptional reliability and uptime, making it a preferred choice for critical business applications in industries such as finance, healthcare, and manufacturing. This reliability is backed by advanced error detection and correction mechanisms, as well as redundancy features that help prevent data loss and minimize downtime.

In terms of scalability, the AS/400E can effortlessly expand to accommodate growing business demands. Organizations can increase processing power by adding more resources without significant disruption. This scalability, combined with the system’s built-in virtualization capabilities, allows businesses to optimize resource usage and streamline operations.

Security is another defining feature of the AS/400E. The platform incorporates various layers of security measures, including user authentication, encryption, and comprehensive auditing capabilities, ensuring that sensitive business data is protected against unauthorized access.

Overall, the IBM AS/400E remains a powerful tool in the enterprise computing landscape, providing businesses with an integrated, reliable, and secure solution for their technological needs. Its enduring popularity is a testament to its capability to evolve with changing business requirements while maintaining its core attributes of high performance and stability.