Ensuring filesystem security is essential when hundreds of thousands of users are accessing directories and files on a NetWare server daily. The following sections discuss how to add, delete, and modify owners, trustee rights, and attributes for directories and files.

Understanding File and Directory Rights

Filesystem security includes assigning trustee rights and setting file and directory attributes. These two types of security are discussed in the following sections.

Trustee rights are given to User objects, Group objects, or Organizational Role objects. These rights determine the access users may have to directories and files. These rights are explained in Table 3-5.

Table 3-5 Trustee Rights

| Right | Allows object to |
|---|---|
| Access Control | Add and remove trustees and change rights to files and directories. |
| Create | Create subdirectories and files. |
| Erase | Delete directories and files. |
| File Scan | View file and directory names in the filesystem structure. |
| Modify | Rename directories and files and change file attributes. |
| Read | Open and read files; open, read, and execute applications. |
| Supervisor | Grant all rights listed in this table. |
| Write | Open, write to, and modify a file. |

Directory and File Attributes

Directory and file attributes assign properties to individual directories or files. Some are only meaningful when applied at the file level. Some apply to both the directory and the file levels. Not all attributes are supported on the NetWare server (see Table 3-6).

Be careful when assigning directory and file attributes. Attributes apply to all users and can supersede trustee rights. For example, if you assign a file the Delete Inhibit attribute, no one, including the owner of the file or the system supervisor, can delete the file.

Table 3-6 Directory and File Attributes

| Attribute code | Description | Applies to |
|---|---|---|
| A | Archive Needed identifies files that have been modified since the last backup. This attribute is assigned automatically. | Files only |
| Ci* | Copy Inhibit prevents Macintosh* users from copying a file. This attribute overrides Read and File Scan trustee rights. | Files only |
| Dc* | Don't Compress keeps data from being compressed. This attribute overrides settings for automatic compression of files not accessed within a specified number of days. | Directories and files |
| Di | Delete Inhibit prevents the file or directory from being deleted. This attribute overrides the Erase trustee right. | Directories and files |
| Dm* | Don't Migrate prevents files and directories from being migrated from the server's hard disk to another storage medium. | Directories and files |
| Ds* | Don't Suballocate prevents data from being suballocated. | Files only |
| H | The Hidden attribute hides files and directories so they can't be seen using the DIR command. A user with File Scan rights can use FILER or NDIR to list directories and files with the Hidden attribute. | Directories and files |
| I* | Index allows large files to be accessed quickly by indexing files with more than 64 File Allocation Table (FAT) entries. This attribute is set automatically. | Files only |
| Ic* | Immediate Compress sets data to be compressed as soon as a file is closed. If it is applied to a directory, every file in the directory is compressed as it is closed. | Directories and files |
| N | Normal indicates the Read/Write attribute is assigned and the Shareable attribute is not. This is the default attribute assignment for all new files. | Directories and files |
| Ri | Rename Inhibit prevents the file or directory name from being modified. | Directories and files |
| Ro | Read Only prevents a file from being modified. This attribute automatically sets Delete Inhibit and Rename Inhibit. | Files only |
| Rw | Read/Write allows users to write to a file. All files are created with this attribute. | Files only |
| Sh | Shareable allows more than one user to access the file at one time. This attribute is usually used with Read Only. | Files only |
| Sy | The System attribute hides the file or directory so it can't be seen by using the DIR command. It can be seen if a user with File Scan rights uses FILER or NDIR. System is normally used with operating-system files, such as DOS system files. | Directories and files |
| T* | Transactional allows a file to be tracked and protected by the Transaction Tracking System™ (TTS™). | Files only |
| X | The Execute Only attribute prevents the file from being copied, modified, or backed up. The attribute cannot be removed unless the file is deleted. It does not allow renaming. Use the attribute for program files such as the .EXE or .COM files. Make a copy of a file before you flag it Execute Only, so you can replace the file if it becomes corrupted. | Files only |

* Not supported by NetWare Services, even though it may be set.

Adding a Trustee to a Directory or File

You can add a trustee to a directory or file using either NetWare Administrator or FILER. Both procedures are described in this section.

Adding a Trustee Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Access Control right to the file or directory to which you want to add the trustee

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select the directory or file to which you want to add a trustee.
   For information about moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Trustees of This Directory."
5. From the "Trustees of This Directory" page, choose "Add Trustee."
6. Select a trustee from the list.
   If the object does not appear in the list, browse the Directory tree to find the object that you want to make a trustee of the file or directory.
7. Choose "OK."
8. To grant rights to the trustee name, mark the appropriate check boxes below the trustee.
9. To return to the browser, choose "OK."

Adding a Trustee Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available in the workstation
- Access Control right to the file or directory to which you want to add the trustee

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears in the list, select it and press <F10>.
   - If the item is not in the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find the directory you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
   Information for that file or directory appears.
5. Use the arrow keys to move to the "Trustees" field and press <Enter>.
   A list of trustees for that file or directory appears.
6. To add a trustee, press <Insert> and locate the trustee's name in the list. Select the name and press <Enter>.
   The new trustee, object type, and default rights appear in the list.
7. (Optional) Add another trustee to this file or directory.
   Press <Esc> until you get to the "View/Set File [or Directory] Information" screen and then repeat Steps 5 and 6.
8. (Optional) Assign rights to the new trustee.
   You can assign or modify trustee rights now, or at any time after the trustee has been assigned to the directory or file.
   - From the trustee list, select the user you want to assign or modify rights for and press <Enter>.
     The "Trustee Rights" list appears, showing the rights the trustee currently has to this directory or file.
   - Press <Insert> to see a list of rights you can assign.
   - Select a right you want to give the trustee and press <Enter>. To give the trustee more than one right, press <F5> to mark the rights, and then press <Enter>.
     The "Trustee Rights" list reappears with the new rights added.
   - Press <Esc>.
     The new rights appear next to the trustee name.
9. Exit FILER by pressing <Esc> until you reach the Exit confirmation box and select "Yes."

Deleting a Trustee from a Directory or File

You can delete a trustee from a directory or file using NetWare Administrator or FILER. Both procedures are described in this section.

Deleting a Trustee Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Access Control right to the file or directory from which you want to delete the trustee

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select a directory or file from which you want to delete a trustee.
   For information on moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Trustees of This Directory."
5. From the "Trustees" list, select a trustee.
6. Choose "Delete Trustee."
7. To delete that object as a trustee, choose "Yes."
8. To return to the browser, choose "OK."

Deleting a Trustee Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available on the workstation
- The Access Control right to the file or directory from which you want to delete the trustee

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears on the list, select it and press <F10>.
   - If the item is not on the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find what you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
   Information for that file or directory appears.
5. Use the arrow keys to move to the "Trustees" field and press <Enter>.
   A list of trustees for that file or directory appears.
6. Select the trustee you want to delete, and then press <Delete>.
   You are prompted to delete that trustee from the file or directory.
7. Select "Yes."
8. To exit, press <Esc> until the menu you want appears.

Modifying a Trustee's Rights to a Directory or File

You can modify trustee rights to a directory or file using NetWare Administrator or FILER. Both procedures are described in this section.

Modifying a Trustee's Rights Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Access Control right to the file or directory for which you want to change the trustee rights

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select the file or directory for which you want to change trustee rights.
   For information about moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Trustees of This Directory."
5. From the "Trustees" list, select a trustee.
6. Grant or revoke rights by marking the check boxes below the trustee name.
7. Choose "OK" to save the trustee rights.

Modifying a Trustee's Rights Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available on the workstation
- The Access Control right to the file or directory for which you want to change the trustee rights

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears in the list, select it and press <F10>.
   - If the item is not on the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find the item you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
5. Using the arrow keys, move to the "Trustee" field and press <Enter>.
6. Select the name of the trustee whose rights you want to modify and press <Enter>.
   A list of the trustee's current rights appears.
7. Press <Insert> to see a list of rights you can assign.
8. Select a right you want to give the trustee and press <Enter>. If you want to assign more than one right, press <F5> to mark the rights, then press <Enter>.
   The "Trustee Rights" list reappears, showing the new list of rights.
9. To exit, press <Esc>.
   The new rights appear next to the trustee name.

Viewing or Modifying the Inherited Rights Filter for Directories and Files

You can view or modify the Inherited Rights Filter (IRF) for a directory or file using NetWare Administrator or FILER. Both procedures are described in this section.

Viewing or Modifying the IRF Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Access Control right to the file or directory for which you want to view or modify the IRF

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select a directory or file.
   For information on moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Trustees of This Directory."
5. Under "Inheritance Filter," select the check boxes for the rights that you want to allow to be inherited for that directory or file.
6. Choose "OK."
   The "Trustees" dialog box reappears.
7. To return to the browser, choose "OK."

Viewing or Modifying the IRF Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available on the workstation
- The Access Control right to the file or directory for which you want to view or modify the filter

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears in the list, select it and press <F10>.
   - If the item is not on the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find what you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
   Information for that file or directory appears. The current inherited rights are shown in the "Inherited Rights Filter" field.
5. Use the arrow keys to move to the "Inherited Rights Filter" field and press <Enter>.
   A list of the rights inherited by the file or directory appears.
6. Select a file or directory attribute you want to revoke and press <Delete>. To revoke more than one attribute, press <F5> to mark attributes, then press <Delete>.
7. Press <Esc>.
   The "File [or Directory] Information" screen reappears with a listing of the rights that can be inherited.
8. To exit, press <Esc> until the menu you want appears.

Changing Attributes of a Directory or File

You can change the attributes of a directory or file using NetWare Administrator or FILER. Both procedures are described in this section.

Changing Attributes Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Modify right to the file or directory whose attributes you want to change

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select a directory or file.
   For information on moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Attributes."
5. Select the check boxes for the attributes that you want to set or change for this directory or file.
6. To close the "Object" dialog box and save the new attributes, choose "OK."

Changing Attributes Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available on the workstation
- The Modify right to the file or directory whose attributes you want to change

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears in the list, select it and press <F10>.
   - If the item is not on the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find what you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
   Information for the file or directory appears.
5. To modify an attribute, use the arrow keys to move to the "File [or Directory] Attributes" field and press <Enter>.
   The attributes for that file or directory appear.
6. Modify the attribute by completing one of the following steps:
   - To delete an attribute, select it and press <Delete>. Select "Yes" when you are prompted to delete the attribute.
   - To add an attribute, press <Insert>. Select the attribute you want to add and press <Enter>. To assign more than one right, press <F5> to mark the rights, and then press <Enter>.
7. To exit, press <Esc> until the menu you want appears.

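
Before changing attributes, it helps to check how the attributes in Table 3-6 interact with a trustee's rights from Table 3-5. The following Python is an added example, not Novell code: it models one trustee and the delete, rename, and write operations only, and the volume paths, rights sets, and function names are constructed for illustration.

```python
# Added example: encodes only what Tables 3-5 and 3-6 state.
ALL_RIGHTS = {"Supervisor", "Read", "Write", "Create", "Erase",
              "Modify", "File Scan", "Access Control"}
# Codes marked "*" in Table 3-6: they may be set but are not supported.
UNSUPPORTED = {"Ci", "Dc", "Dm", "Ds", "I", "Ic", "T"}
# Operation -> trustee right that allows it (Table 3-5).
NEEDED_RIGHT = {"delete": "Erase", "rename": "Modify", "write": "Write"}
# Operation -> attributes that block it for every user (Table 3-6).
BLOCKED_BY = {"delete": {"Di"}, "rename": {"Ri", "X"}, "write": {"Ro", "X"}}

SAMPLE = [  # constructed listing: (path, attribute codes, one trustee's rights)
    ("SYS:APPS\\PAYROLL.EXE", {"Ro", "Sh"}, {"Read", "File Scan"}),
    ("VOL1:DATA\\LEDGER.DAT", {"Rw", "Di"}, {"Read", "Write", "Erase", "Modify"}),
    ("VOL1:DATA\\PLAN.DOC", {"Rw", "Ci"}, {"Supervisor"}),
]


def expand_rights(rights):
    """Supervisor grants all rights listed in Table 3-5."""
    return set(ALL_RIGHTS) if "Supervisor" in rights else set(rights)


def enforced_attrs(attrs):
    """Drop unsupported codes; Read Only automatically sets Di and Ri."""
    active = set(attrs) - UNSUPPORTED
    if "Ro" in active:
        active |= {"Di", "Ri"}
    return active


def check(op, rights, attrs):
    """Return (allowed, reason) for one trustee and one file."""
    rights, active = expand_rights(rights), enforced_attrs(attrs)
    if NEEDED_RIGHT[op] not in rights:
        return False, "missing %s right" % NEEDED_RIGHT[op]
    hit = BLOCKED_BY[op] & active
    if hit:
        return False, "blocked by attribute " + "/".join(sorted(hit))
    return True, "allowed"


def audit(entry):
    """Return review findings for one (path, attrs, rights) entry."""
    _path, attrs, rights = entry
    findings = []
    ignored = set(attrs) & UNSUPPORTED
    if ignored:
        findings.append("unsupported attribute set: " + ",".join(sorted(ignored)))
    # Modify allows changing attributes, so Di/Ri/Ro hold only until cleared.
    removable = enforced_attrs(attrs) & {"Di", "Ri", "Ro"}
    if removable and "Modify" in expand_rights(rights):
        findings.append("trustee holds Modify and can clear "
                        + ",".join(sorted(removable)))
    return findings


if __name__ == "__main__":
    for entry in SAMPLE:
        path, attrs, rights = entry
        for op in ("delete", "rename", "write"):
            print(path, op, *check(op, rights, attrs))
        for finding in audit(entry):
            print(path, "FINDING:", finding)
```

The second finding matters when an inhibit attribute is used as a control: a trustee who holds the Modify right can change the attribute, so the protection depends on who holds Modify as well as on the attribute itself.
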
Changing the Owner of a Directory or File

You can change the owner of a directory or file using NetWare Administrator or FILER. Both procedures are described in this section.

Changing the Owner Using NetWare Administrator

Prerequisites

- A 386 or later workstation and NetWare Administrator
- The Modify right to the file or directory for which you want to change the owner

Procedure

1. From the Windows Program Manager, click on the "NetWare Administrator" icon.
2. Using the browser, select a directory or file for which you want to change the owner.
   For information on moving around in the browser and selecting objects, choose "Help" from the menu bar.
3. From the "Object" menu, choose "Details."
4. From the "Identification" page, choose "Facts."
5. To change the owner of this file or directory, click on the browser button to the right of the "Owner" field.
6. Choose the object that you want to make the new owner of this directory or file.
7. When the correct user is displayed in the "Object Name" field, choose "OK."
   The new owner appears in the "Owner" field of the "Object" dialog box.
8. To save changes, choose "OK."

Changing the Owner Using FILER

Prerequisites

- A workstation running DOS 3.30 or later and FILER
- A minimum of 512 KB of memory available on the workstation
- The Modify right to the file or directory for which you want to change the owner

Procedure

1. At the DOS prompt, type
   A list of available options appears. Your current context, Volume object, and path are shown in the upper left corner of the screen.
2. Select "Manage Files and Directories."
   The "Directory Contents" list appears.
3. Find and select the file or directory you want.
   - If the item you want appears in the list, select it and press <F10>.
   - If the item is not on the list, browse a directory by selecting it and pressing <Enter> until you see the item you want. Select it and press <F10>.
   - If you cannot find what you want, check the Volume object name in the upper left corner of the screen. If you are in the wrong Volume, you can change it by returning to the "Available Options" menu and choosing "Select Current Directory."
4. Select "View/Set File [or Directory] Information" and press <Enter>.
   Information for the file or directory appears. The current owner of the file or directory appears in the "Owner" field.
5. Use the arrow keys to move to the "Owner" field and press <Enter>.
6. Select the user that you want to be the owner of the file or directory and press <Enter>.
   For directories only, apply the change of ownership to either the entire subdirectory structure or to the selected directory.
7. To exit, press <Esc> until the menu you want appears.