[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide


Operating System Security Mechanisms

Operating system security is provided by gates that users must pass through before entering the operating system environment, and permission matrixes that determine what they are able to do once inside. In some contexts, secure RPC passwords have been referred to as network passwords.

The overall system is composed of four gates and two permission matrixes:

Dialup gate
To access a given operating system environment from the outside through a modem and phone line, you must provide a valid login ID and dial-up password.

Login gate
To enter a given operating system environment you must provide a valid login ID and user password.

Root gate
To gain access to root privileges, you must provide a valid root user password.

Secure RPC gate
In an NIS+ environment running at security level 2 (the default), when you try to use NIS+ services and gain access to NIS+ objects (servers, directories, tables, table entries, and so on) your identity is confirmed by NIS+, using the secure RPC process.

Entering the secure RPC gate requires presentation of a secure RPC password. Your secure RPC password and your login password normally are identical. When that is the case, you are passed through the gate automatically without having to re-enter your password. (In some contexts, secure RPC passwords have been referred to as network passwords. See Secure RPC Password versus Login Password for information about handling two passwords that are not identical.)

A set of credentials is used to automatically pass your requests through the secure RPC gate. The process of generating, presenting, and validating your credentials is called authentication because it confirms who you are and that you have a valid secure RPC password. This authentication process is automatically performed every time you request NIS+ service.

In an NIS+ environment running in NIS-compatibility mode, the protection provided by the secure RPC gate is significantly weakened because everyone has read rights for all NIS+ objects and modify rights for those entries that apply to them regardless of whether or not they have a valid credential (that is, regardless of whether or not the authentication process has confirmed their identity and validated their secure RPC password). Because this situation allows anyone to have read rights for all NIS+ objects and modify rights for those entries that apply to them, an NIS+ network running in compatibility mode is less secure than one running in normal mode. (In secure RPC terminology, any user without a valid credential is considered a member of the nobody class. See Authorization Classes for a description of the four classes.)

For details on how to administer NIS+ authentication and credentials, see Administering NIS+ Credentials.

File and directory matrix
Once you have gained access to an operating system environment, your ability to read, execute, modify, create, and destroy files and directories is governed by the applicable permissions.

NIS+ objects matrix
Once you have been properly authenticated to NIS+, your ability to read, modify, create, and destroy NIS+ objects is governed by the applicable permissions. This process is called NIS+ authorization.

For details on NIS+ permissions and authorization, see Administering NIS+ Access Rights.


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]