Certification Objective 11.04—The NIS+ Security

The main NIS+ security concepts are described in the following:

NIS+ object. NIS+ objects are the NIS+ entities (things) that are secured—for example, the server itself, the NIS+ table, the table entries, and so forth. The access rights (permissions) are set on an object, meaning who can do what to this object.
NIS+ principal. An NIS+ principal is an entity that seeks access to an NIS+ object. In other words, all requests for NIS+ services come from NIS+ principals. Note that a principal does not always have to be a user. For example, a request made by an ordinary user on a client machine would come from the client user, whereas a request made by the root user on a client machine would come from the client machine itself. NIS+ objects do not grant permissions to principals directly. To have access to an object, a principal must be a member of an authorization class.
Permission matrix. A permission matrix is the set of permissions set on the objects and granted to principals. Once a principal has been properly authenticated to NIS+, its ability to read, modify, create, or destroy the NIS+ objects is determined by the applicable permission matrix.
Authorization class. An authorization class is a type of principal to whom the permissions on an object are granted. There are four classes of principals:

Owner. A principal who is also the owner of the object gets the permissions set on the object for the owner class.

Group. A group is a collection of principals. Each NIS+ object has one group associated with it. You, the administrator, specify the principals for a given group, and each principal in the group enjoys the access permissions set on the object for the group class. Note that NIS+ groups are not the same as UNIX groups.

World. The world class is a collection of all principals that the server can authenticate. Any principal that belongs neither to the owner class nor to the group class but can be authenticated belongs to the world class.

Nobody. Any principal that cannot be authenticated belongs to the nobody class.
When an NIS+ request from a principal is received, the system determines which class the requesting principal belongs to; the principal is then given the access rights belonging to that class. You, the administrator, can set on an object any combination of access rights for each of these classes—the permission matrix. Typically, however, a higher class (the owner class being the highest and the nobody class being the lowest) is assigned the same rights as all the lower classes, plus possible additional rights. For example, you could set on an object read access for the nobody class and the world class, read and modify access for the group class, and read, modify, create, and destroy access for the owner class.
How does a client go through the NIS+ security process?

NIS+ Security Process

NIS+ security is mainly a two-stage process:

Authentication. Authentication is the process of verifying that a client is actually what the client claims to be. After a request (to access an NIS+ object) from a client is received, the client's identity and secure RPC password are verified. After the client's identity is validated, authorization kicks in.

Authorization. Once a client's identity has been validated by the authentication process, NIS+ determines the class for the client. What a client (a user or a machine) can do with a given NIS+ object depends on which class the client belongs to.
The entire security process can be broken down into the following steps:

1. A client (principal) requests access to an NIS+ object.
2. The server authenticates the client's identity by examining the client's credentials.
3. If the client is authenticated (credentials are validated), the client falls into the world class; otherwise, it falls into the nobody class.
4. The server looks into the target object's definition to make a final determination of the class that will be associated with the client (principal).
5. The client gets the permissions associated with the class of principal assigned to the client.
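The following is an added example, not code from the book or from Solaris, that models the permission matrix described above (the four classes and the read/modify/create/destroy rights) and walks a request through the five steps just listed. It uses the 16-character access-rights string that niscat -o displays for an object: four characters each for the nobody, owner, group, and world classes, in that order, with r, m, c, d or a dash in each position. The object name, owner, group, and principal names are constructed sample data, and the NisObject/authorize helpers are assumptions of this model rather than any real NIS+ API.

```python
"""Model of NIS+ access rights and the authorization-class lookup (added example)."""
from dataclasses import dataclass

# Display order of the four class groups in a niscat -o "Access Rights" string.
CLASSES = ("nobody", "owner", "group", "world")
# The four rights, in the order they appear within each 4-character group.
RIGHTS = "rmcd"  # read, modify, create, destroy


def parse_access_rights(spec):
    """Turn e.g. 'r---rmcdrm--r---' into {'nobody': {'r'}, 'owner': {'r','m','c','d'}, ...}."""
    if len(spec) != 16:
        raise ValueError("NIS+ access rights are 16 characters (4 classes x rmcd)")
    matrix = {}
    for i, cls in enumerate(CLASSES):
        chunk = spec[4 * i:4 * i + 4]
        granted = set()
        for pos, (ch, right) in enumerate(zip(chunk, RIGHTS)):
            if ch == right:
                granted.add(right)
            elif ch != "-":
                raise ValueError(
                    f"bad character {ch!r} at position {4 * i + pos}: expected {right!r} or '-'")
        matrix[cls] = granted
    return matrix


def format_access_rights(matrix):
    """Inverse of parse_access_rights: render a matrix back to the 16-character form."""
    return "".join(
        "".join(r if r in matrix.get(cls, set()) else "-" for r in RIGHTS)
        for cls in CLASSES)


@dataclass
class NisObject:
    """Constructed stand-in for an NIS+ object definition (name, owner, group, rights)."""
    name: str
    owner: str
    group: str
    rights: str  # 16-character access-rights string


def resolve_class(obj, principal, authenticated, groups):
    """Steps 2-4: unauthenticated -> nobody; otherwise owner, then group, then world."""
    if not authenticated:
        return "nobody"
    if principal == obj.owner:
        return "owner"
    if principal in groups.get(obj.group, set()):
        return "group"
    return "world"


def authorize(obj, principal, authenticated, operation, groups):
    """Step 5: return (class, allowed) for one request against one object."""
    if operation not in RIGHTS:
        raise ValueError(f"unknown operation {operation!r}; expected one of {RIGHTS}")
    cls = resolve_class(obj, principal, authenticated, groups)
    allowed = operation in parse_access_rights(obj.rights)[cls]
    return cls, allowed


# Constructed sample data: the matrix from the text (nobody/world read, group
# read+modify, owner everything) applied to a hypothetical passwd table.
SAMPLE_OBJECT = NisObject(
    name="passwd.org_dir.example.com.",
    owner="nisadmin.example.com.",
    group="admin.example.com.",
    rights="r---rmcdrm--r---",
)
SAMPLE_GROUPS = {"admin.example.com.": {"nisadmin.example.com.", "alice.example.com."}}


def demo():
    """Run a few requests through the model and return the outcomes."""
    cases = [
        ("nisadmin.example.com.", True, "d"),   # owner may destroy
        ("alice.example.com.", True, "m"),      # group member may modify
        ("bob.example.com.", True, "m"),        # authenticated non-member: world, no modify
        ("bob.example.com.", True, "r"),        # world may read
        ("nisadmin.example.com.", False, "m"),  # owner without valid credentials is nobody
    ]
    return {(p, auth, op): authorize(SAMPLE_OBJECT, p, auth, op, SAMPLE_GROUPS)
            for p, auth, op in cases}


if __name__ == "__main__":
    for (principal, auth, op), (cls, ok) in demo().items():
        print(f"{principal:24} auth={auth!s:5} op={op} -> class={cls:6} allowed={ok}")
```

The last case is the one worth noticing: the principal named as the object's owner still lands in the nobody class when its credentials do not validate, because step 3 is decided before the object definition is consulted in step 4.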
In any network service, caching is used to improve service performance.