
ACL in mcsg/SAP NFS environment

 
Animesh Chakraborty
Honored Contributor

Anybody using ACL for NFS mounted file systems in mcsg/SAP environment?

We are having a problem with ACL for NFS mounted file systems.
The interface users are still getting permission problems.

Thanks
Animesh
Did you take a backup?
Animesh Chakraborty
Honored Contributor

Re: ACL in mcsg/SAP NFS environment

.
Did you take a backup?
Massimo Bianchi
Honored Contributor

Re: ACL in mcsg/SAP NFS environment

Hi,
I saw your post, but hoped that someone with deeper knowledge would help you.


What problem are you running into?
Users cannot write in the directory, or something different?

I found a document stating that there are many problems with NFS and ACLs, and in many cases they are not supported.

HTH,
Massimo


Massimo Bianchi
Honored Contributor

Re: ACL in mcsg/SAP NFS environment

Hi,
I found that the document is "customer viewable", so

PROBLEM
Why does the HP-UX command:

find -acl=*.*+r+w

not report anything when performed on an NFS mount point?


CONFIGURATION
Operating System - HP-UX
Version - 10.X, 11.X
Subsystem - NFS (Network File Service)

RESOLUTION
It is important to understand the difference between:

1. an NFS client system's ability to SET an ACL entry on an
NFS-mounted file (via the setacl(1) command) or RETRIEVE
an ACL entry on an NFS-mounted file (via the getacl(1)
command)

versus

2. an NFS server system's ability to ENFORCE an existing ACL
entry on an exported file residing in a VxFS 3.3 filesystem.

From the NFS server's perspective, VxFS ACLs may only be created in VxFS
3.3 filesystems using disk layout version 4. (See vxupgrade(1M) for
information on upgrading a VxFS 3.3 file system to disk layout version 4.)

Once the underlying VxFS filesystem is configured to support ACLs, ACL
entries may be configured via the setacl(1) command. These ACL entries
may be viewed on the NFS server system via the getacl(1) command. Once
this VxFS filesystem is exported for NFS access (via the exportfs(1M)
command), when a user on an NFS client attempts to access a file that has
an ACL configured, then the NFS server will ENFORCE the ACL security.

From an NFS client perspective, users on NFS clients are not able to VIEW
ACL entries configured on NFS-mounted filesystems via the getacl(1)
command. Also, NFS client users are not able to SET or MODIFY an ACL
entry on an NFS-mounted file via the setacl(1) command. However, as
stated above, when a user on an NFS client attempts to access a file in an
NFS-mounted filesystem that has a valid VxFS 3.3 ACL present, the server
will enforce the ACL security.

So, the only piece of functionality missing from HP's implementation is
the ability for users on an NFS client to SET or GET ACL entries remotely
via the setacl(1) and getacl(1) commands. ACL ENFORCEMENT for NFS-mounted
files works today with our current HP-UX product.

From a practical standpoint, this is not much of a limitation since most
systems administrators prefer to manage their ACL entries on the NFS
server system anyway. Also, since ACLs are a component of system
security, one could argue that it is beneficial to not allow a remote user
to inspect and modify the ACL security permissions of a file on an NFS
server.

It is not clear if/when HP will be adding the ability to remotely manage
ACL entries from NFS clients to HP-UX. This ability does not exist in
HP-UX 11.0 or 11i.



HTH,
Massimo
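
Since getacl(1) cannot be run from the NFS client, working out why a user is denied means evaluating the ACL on the NFS server. The script below is an added example, not part of the posts or the quoted HP document: it reads getacl-style output and reports whether one permission letter is granted to a user, applying the class entry as a mask on named-user and group entries. The entry layout is assumed to be the JFS format printed by getacl(1); the function names and the sample path, users and groups are constructed.

```shell
#!/bin/sh
# Added example. Usage: getacl FILE | acl_check USER "GROUP1 GROUP2" PERM
# PERM is one letter (r, w or x); prints "allow" or "deny".
acl_check() {
    awk -v user="$1" -v groups="$2" -v want="$3" '
    BEGIN { n = split(groups, g, " ")
            for (i = 1; i <= n; i++) ingrp[g[i]] = 1
            class = "rwx" }                 # no class entry: nothing masked
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || /^default:/ || NF == 0 { next } # skip comments, default entries
    {
        k = split($1, f, ":")
        tag = f[1]; perm = substr(f[k], 1, 3); id = (k == 3) ? f[2] : ""
        if (tag == "class") class = perm
        else if (tag == "other") other = perm
        else if (tag == "user" && id == "") uperm = perm
        else if (tag == "user" && id == user) { isnamed = 1; nperm = perm }
        else if (tag == "group") {
            gname = (id == "") ? ogroup : id    # group:: is the owning group
            if (gname in ingrp) { ingroup = 1; if (index(perm, want)) gok = 1 }
        }
    }
    END {
        masked_ok = index(class, want) > 0
        if (user == owner)  ok = index(uperm, want) > 0       # not masked
        else if (isnamed)   ok = index(nperm, want) > 0 && masked_ok
        else if (ingroup)   ok = gok && masked_ok
        else                ok = index(other, want) > 0       # not masked
        print (ok ? "allow" : "deny")
    }'
}

# Constructed sample of getacl output (names and path are made up).
sample_acl() {
    cat <<'EOF'
# file: /export/interface/in
# owner: c11adm
# group: sapsys
user::rwx
user:ifuser:rwx
group::r-x
group:batch:rw-
class:r-x
other:---
EOF
}

sample_acl | acl_check ifuser "sapsys" w    # named entry has w, class masks it
```

The user and group names passed in must be the ones the NFS server sees for the client request, since the server is where the ACL is enforced.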