HP CIFS Server 2.2g Administrator's Guide: HP-UX 11.0, 11i version 1 and 2 > Chapter 3 Managing HP-UX File Access Permissions from Windows NT/XP/2000

UNIX File Permissions and POSIX ACLs


The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.

NOTE: Although concepts of file ACLs are similar across the Windows and HP-UX platforms, there are sufficient differences in functionality that one cannot substitute UNIX ACLs for Windows ACLs (i.e. full emulation is not provided). For example, a Windows application that changes the ACL data of a file may behave unexpectedly if that file resides on an HP CIFS Server.

Viewing UNIX Permissions From Windows NT

Because NT ACL data differs from UNIX file permissions and VxFS POSIX ACLs, Samba must map data from UNIX to NT and from NT to UNIX.

The table below shows how UNIX file permissions translate to Windows NT ACL access types:

Table 3-1

UNIX Permission    NT access type
r--                Special Access(R)
-w-                Special Access(W)
--x                Special Access(X)
rw-                Special Access(RW)
r-x                Read(RX)
-wx                Special Access(WX)
rwx                Special Access(RWX)
r--                Special Access

In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).

UNIX File Owner Translation in NT ACL

A UNIX file system owner has additional permissions that other users do not have. For example, the owner can give away his ownership of the file, delete the file, rename the file, or change the permission mode on the file. These capabilities are similar to the delete (D), change permissions (P) and take ownership (O) permissions on the Windows NT client. Samba adds the DPO permissions to represent UNIX file ownership in the Windows NT Explorer interface.

For example, if a file on the UNIX file system is owned by UNIX user john and john has read and write (rw-) permissions on that file, the Windows NT client will display the same permissions for user john as:

Special Access(RWDPO)

You can also display the UNIX owner in the Windows NT Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.

UNIX Owning Group Translation in NT ACL

The owning group on a UNIX file system is represented on the Windows NT client with the take ownership (O) permission. While the meaning of the take ownership permission on NT doesn't exactly match the meaning of an owning group on the UNIX file system, this permission is still translated into the take ownership permission.

This representation becomes even more significant when translating VxFS POSIX ACLs, as there can be many groups with different permissions on an individual file in this file system. Without this permission type, you would not be able to tell the owning group entry from other group entries.

For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows NT client will display the permissions for group sales as:

Special Access(RXO)

UNIX Other Permission Translation in NT ACL

In UNIX, the other permission entry represents permissions for any user or group that is not the owner, and doesn't belong to the owning group. This entry maps to the everyone access control entry on the Windows NT client.

NT Directory and File Permission Translations

Windows NT clients display two sets of permissions for directory entries: directory permissions and file permissions. Directory Permissions are the permissions for the directory itself. File Permissions are the permissions inherited by the files and subdirectories created in the directory. Samba translates UNIX permissions for a directory into Windows NT directory permissions and vice versa. Windows NT file permissions are not supported when the translation is to/from UNIX permissions.

NT file permissions, however, are supported with VxFS POSIX ACLs (as described in the next section).

Setting UNIX Permissions from Windows NT

With one exception, reversing the UNIX to NT translations described above will always work. You cannot, however, change the owner or owning group by adding Special Access(DPO) or Special Access(O) to a user or group from the client.

All NT permissions, except read, write and execute, are disregarded when applied to files on the Samba server. These include delete (D), change permissions (P) and take ownership (O).

The table below shows how NT access types map to UNIX permissions:

Table 3-2

NT access type         UNIX Permission
Special Access(R)      r--
Special Access(W)      -w-
Special Access(X)      --x
Special Access(RW)     rw-
Read(RX)               r-x
Special Access(WX)     -wx
Special Access(RWX)    rwx
Special Access         r--

When mapping to UNIX file permissions from NT, you will not be able to add new NT ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries. Conversely, you cannot delete any of the three entries listed above as these entries are required by UNIX.

Pre-defined NT Permissions

The Windows NT Explorer ACL interface allows you to choose predefined permissions like Change and Full Control in addition to creating custom Special Access permissions.

Figure 3-1 Windows NT Explorer ACL Interface


If you use pre-defined NT access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in NT.

For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows NT client, it will show up as Special Access (RWX).

Table 3-3

NT Access Type    UNIX Permission
No Access         ---
Read              r-x
Change            rwx
Full Control      rwx

Figure 3-2 Windows NT Special Access Permissions
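
The translations described in this section can be traced in code. The following is an added example, not code from HP or Samba: it renders a UNIX mode as the three NT entries the guide describes (owner with DPO, owning group with O, other as Everyone), applies the reverse mapping that keeps only R, W and X, and shows the round trip of a pre-defined access type. The function names and the sample mode are assumptions made for illustration.

```python
# Added illustration of the mappings in Tables 3-1 to 3-3; not HP or Samba code.
PREDEFINED = {"No Access": "---", "Read": "r-x", "Change": "rwx", "Full Control": "rwx"}

def triple(bits):
    """Turn the low three mode bits into an rwx string."""
    return "".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1)))

def nt_access(perm, extra=""):
    """Name an rwx triple as the NT client shows it (Table 3-1)."""
    letters = perm.replace("-", "").upper() + extra
    if letters == "RX":
        return "Read(RX)"
    # Assumption: an entry with no letters is shown as bare "Special Access".
    return f"Special Access({letters})" if letters else "Special Access"

def view_from_nt(mode, owner, group):
    """UNIX mode -> the three NT ACL entries described in the guide."""
    u, g, o = triple(mode >> 6), triple(mode >> 3), triple(mode)
    return [
        (owner, nt_access(u, "DPO")),    # ownership shown as D, P and O
        (group, nt_access(g, "O")),      # owning group marked with O
        ("Everyone", nt_access(o)),      # UNIX "other" entry
    ]

def unix_from_nt(letters):
    """NT -> UNIX: everything except R, W and X is disregarded."""
    return "".join(c if c.upper() in letters else "-" for c in "rwx")

def round_trip(predefined):
    """What the client displays after a pre-defined type has been set."""
    return nt_access(PREDEFINED[predefined])

if __name__ == "__main__":
    # Constructed sample: mode 654 owned by john, owning group sales.
    for who, access in view_from_nt(0o654, "john", "sales"):
        print(f"{who:10} {access}")
    print(unix_from_nt("RWDPO"))
    for name in PREDEFINED:
        print(f"{name:14} -> {PREDEFINED[name]} -> {round_trip(name)}")
```

Change and Full Control both come back as Special Access(RWX), so a later review from the Windows client cannot tell which of the two was originally applied.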


The VxFS POSIX ACL File Permissions

VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.

  • VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.

  • VxFS POSIX ACLs support default Access Control Entry (ACE) for directory permissions. This means that any files created in that directory will automatically inherit the default ACEs of the parent directory. It adds an inheritance permission type to directory permissions.

  • A special ACE called the class ACE is used. The role of the class ACE is to limit the other ACEs. The base UNIX permissions are not affected.

    For example, if the class ACE for a file is set to read (r--), then even when ACEs grant some users and groups write and execute access, write and execute access will not be given to them. The class ACE acts as a mask that filters out the permissions of non-class ACEs. If the class ACE was set to (---) or no access, other ACEs might exist, but they would not change the effective permissions.

IMPORTANT: VxFS is known as OnLineJFS.

VxFS POSIX ACL file permissions only work when JFS 3.3 disk layout version 4 is installed on the HP-UX 11.00 system. For HP-UX 11.11, JFS 3.3 and disk layout version 4 are installed by default.

Learn how to install JFS 3.3 on HP-UX 11.0 in the HP JFS 3.3 and HP OnLineJFS 3.3 Release Notes (MPN B3929-90007) located at www.docs.hp.com.

Learn about installing and upgrading disk layout versions in the HP JFS 3.3 and HP OnLineJFS 3.3 VERITAS File System 3.3 System Administrator’s Guide (MPN B3929-90011) located at www.docs.hp.com.

VxFS POSIX ACLs translated to NT ACLs

The extra features of VxFS POSIX ACLs affect the translations to and from NT ACLs in the following ways:

  • The extra VxFS POSIX ACEs show up as NT ACEs on the Windows NT client. The permission mode translates like a UNIX permission mode. With this feature you can also add new user and group entries from the Windows NT client. The limitations to this feature will be discussed in the next section.

  • The default ACEs that are supported for inheritance by directories are translated into file permissions for a directory on NT. The file permissions displayed on the Windows NT client represent the default ACEs on the UNIX file system of the Samba server. If the file permissions are set on a directory on the NT client, equivalent default ACEs are set on the directory on the UNIX file system.

  • The class ACE used to limit the other ACEs is ignored. It is not displayed on the Windows NT client and there is no way to set it from the NT client. It would be difficult to support on the client side, as Windows NT has nothing similar to a class ACE.
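
Because the class ACE filters the other ACEs on the server but is never shown on the Windows NT client, the entries a reviewer sees in Explorer can list more access than a user effectively has. The following added example (not HP or Samba code) compares the two views for a constructed ACL; the tuple layout, entry kinds and names are assumptions for illustration, and, following the guide's description, only the additional user and group ACEs are filtered.

```python
# Added illustration: shown-on-client versus effective permissions under a class ACE.
BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perm):
    return sum(v for c, v in BITS.items() if c in perm)

def to_perm(bits):
    return "".join(c if bits & v else "-" for c, v in BITS.items())

def effective_vs_shown(acl):
    """Return (name, shown, effective) for each additional user/group ACE.

    'shown' is the ACE as stored, which is what the NT client translates and
    displays; 'effective' is that ACE filtered by the class ACE.
    """
    # Assumption: an ACL without a class entry is treated as unfiltered (rwx).
    class_bits = next((to_bits(p) for kind, _, p in acl if kind == "class"), 7)
    rows = []
    for kind, name, perm in acl:
        if kind in ("user", "group"):        # additional ACEs only
            rows.append((name, perm, to_perm(to_bits(perm) & class_bits)))
    return rows

def overstated(acl):
    """Entries whose displayed permissions exceed the effective ones."""
    return [row for row in effective_vs_shown(acl) if row[1] != row[2]]

# Constructed sample ACL: (kind, name, permissions).
SAMPLE_ACL = [
    ("user_obj", "john", "rw-"),
    ("user", "mary", "rwx"),
    ("user", "bob", "r--"),
    ("group_obj", "sales", "r-x"),
    ("group", "eng", "rw-"),
    ("class", "", "r--"),
    ("other", "", "r--"),
]

if __name__ == "__main__":
    for name, shown, eff in overstated(SAMPLE_ACL):
        print(f"{name}: client shows {shown}, effective {eff}")
```

An audit of effective access on such a share has to be done on the HP-UX side, since the value that narrows these entries is not available from the client.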

© Hewlett-Packard Development Company, L.P.