| Client uid (AUTH_SYS) | Client gid | Client sgids | Mapped z/OS uid | Mapped z/OS gid | Mapped z/OS sgids | Security option |
| --- | --- | --- | --- | --- | --- | --- |
| uid_a | gid_a | sgid_b,... | N/A | N/A | N/A | security(none) or security(exports) |
| uid_a | gid_a | sgid_b,... | uid_A | gid_A | sgid_B,... | security(saf) or security(safexp) |

security(none) or security(exports):
When security(none) or security(exports) is used, the z/OS NFS server checks the object owner uid, owner_group gid and its permission bits against the client uid (uid_a), gid (gid_a), and supplemental gids (sgid_b,...) carried in the RPC AUTH_SYS authentication.
Advantages:
- Performance may be improved.
Disadvantages:
- RPC AUTH_SYS allows a maximum of 16 supplemental gids.
- Spoofing of client uids, gids, and sgids cannot be prevented.
- The object in the underlying physical file system (zFS or HFS) could have extended ACL entries, but the z/OS NFS server does not check them.

security(saf) or security(safexp):
When security(saf) or security(safexp) is used, the z/OS NFS server defers to the underlying physical file system (zFS or HFS) and RACF to check the object owner uid, owner_group gid, and its permission bits against the mapped client-to-z/OS uid (uid_A), gid (gid_A), and supplemental gids (sgid_B,...) taken from the RACF user definition.
Note:
- mvslogin establishes the mapped client-to-z/OS uid_A, gid_A, sgid_B,....
- The uid in the RPC AUTH_SYS authentication (uid_a) is used to find the mapped client-to-z/OS segment (uid_A, gid_A, sgid_B,...).
Advantages:
- The RPC AUTH_SYS limitation of 16 supplemental gids is eliminated, because the mapped client-to-z/OS supplemental gids (sgid_B,...) are used instead.
- Spoofing of uids, gids, and sgids is prevented by mvslogin.
- The ACL support of the underlying physical file system is used.
Disadvantages:
- Performance may be impaired.
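The two checking paths described above, modelled in Python as an added example. This is constructed illustration written for this page, not z/OS NFS server, zFS or RACF code: the object metadata, the client's group list, the ACL format and the mvslogin-style mapping table (`mapping`) are all made up, and the function names (`check_security_none`, `check_security_saf`, `auth_sys_wire_creds`) are this example's own. It shows the two failure modes the table calls out: a group past the 16th is dropped from the AUTH_SYS credential, so the plain AUTH_SYS check denies access that the mapped z/OS identity would grant, and an extended ACL entry is honoured only on the saf path.

```python
"""Model of the two credential-checking paths described above.

Constructed illustration, not z/OS NFS server code: object metadata,
client credentials and the mvslogin-style mapping table are all made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTH_SYS_MAX_SGIDS = 16          # RPC AUTH_SYS carries at most 16 supplemental gids
R, W, X = 4, 2, 1                # permission bits


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    sgids: Tuple[int, ...] = ()


@dataclass(frozen=True)
class FsObject:
    owner_uid: int
    owner_gid: int
    mode: int                    # POSIX permission bits, e.g. 0o750


# Extended ACL entry (constructed format): ("user" | "group", id, permission bits)
AclEntry = Tuple[str, int, int]


def auth_sys_wire_creds(uid: int, gid: int, sgids: List[int]) -> Creds:
    """What the client can put on the wire: the supplemental gid list is
    cut to the AUTH_SYS maximum, so groups past the 16th are lost."""
    return Creds(uid, gid, tuple(sgids[:AUTH_SYS_MAX_SGIDS]))


def mode_bits_allow(obj: FsObject, creds: Creds, want: int) -> bool:
    """Owner/group/other check of the permission bits (POSIX semantics:
    the first matching class decides)."""
    if creds.uid == obj.owner_uid:
        bits = (obj.mode >> 6) & 7
    elif obj.owner_gid == creds.gid or obj.owner_gid in creds.sgids:
        bits = (obj.mode >> 3) & 7
    else:
        bits = obj.mode & 7
    return bits & want == want


def check_security_none(obj: FsObject, wire: Creds, want: int) -> bool:
    """security(none) / security(exports): permission bits are checked
    directly against the AUTH_SYS credentials; extended ACL entries on
    the object are not consulted."""
    return mode_bits_allow(obj, wire, want)


def check_security_saf(obj: FsObject, wire: Creds,
                       mapping: Dict[int, Creds], acl: List[AclEntry],
                       want: int) -> bool:
    """security(saf) / security(safexp): the AUTH_SYS uid selects the
    mapped z/OS identity established by mvslogin; permission bits and
    the object's ACL entries are then checked against that identity."""
    mapped: Optional[Creds] = mapping.get(wire.uid)
    if mapped is None:
        return False             # no mvslogin for this uid: nothing to map to
    if mode_bits_allow(obj, mapped, want):
        return True
    for kind, ident, bits in acl:
        user_hit = kind == "user" and ident == mapped.uid
        group_hit = kind == "group" and (ident == mapped.gid or ident in mapped.sgids)
        if (user_hit or group_hit) and bits & want == want:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: a client in 20 groups wants to read and search
    a directory owned by its 17th group; a second object grants that user
    read access only through an ACL entry."""
    all_groups = list(range(1004, 1024))                 # 20 supplemental gids
    wire = auth_sys_wire_creds(uid=7, gid=1000, sgids=all_groups)
    # mvslogin-style mapping (constructed): AUTH_SYS uid 7 -> mapped z/OS segment
    mapping = {7: Creds(uid=7, gid=1000, sgids=tuple(all_groups))}

    by_group = FsObject(owner_uid=500, owner_gid=1020, mode=0o750)  # 1020 is the 17th gid
    by_acl = FsObject(owner_uid=600, owner_gid=2000, mode=0o700)
    acl: List[AclEntry] = [("user", 7, R)]

    return {
        "none_17th_group": check_security_none(by_group, wire, R | X),
        "saf_17th_group": check_security_saf(by_group, wire, mapping, [], R | X),
        "none_acl_only": check_security_none(by_acl, wire, R),
        "saf_acl_only": check_security_saf(by_acl, wire, mapping, acl, R),
        "saf_unmapped_uid": check_security_saf(by_group, Creds(0, 0), mapping, [], R),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running `demo()` denies the 17th-group and ACL-only cases on the security(none) path and grants them on the security(saf) path, while an AUTH_SYS uid with no mvslogin mapping gets nothing on the saf path, which is the behaviour the table's advantages and disadvantages describe.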