16.1 UDP Port 524
NCP Server uses UDP port 524 when mounting volumes with the ncpmount(8) command. NCP Server opens this port in the server firewall when it is installed.
16.2 Soft Links
Although NCP Server for Linux provides limited support for hardlinks, soft links are intentionally not supported. The following soft link features can be exploited to create security problems where users can give themselves access to subdirectories where they have no rights:
The Linux POSIX permissions set on the soft link do not need to match the permissions set on the source file or directory.
The soft link and source file are not restricted to paths on the same volume and file system.
Soft links can link to files or directories.
The name of the soft link does not need to match the name of the source file.
For example, directories on an NCP volume on a Linux file system can carry different inherited rights, so a link placed in one directory can have different effective rights than the file or directory it points to. Security breaches can occur if someone accidentally creates a soft link to a sensitive area of the system, such as the /etc directory. An attacker can exploit the system by creating a soft link to a password file and then overwriting its contents through the link. Soft links also cause security problems for programs that fail to consider that the file being opened may actually be a link to a different file. This is especially dangerous when the vulnerable program runs with elevated privileges.
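The two problems described above, links on a volume that resolve outside it or into a sensitive area, and programs that open a path without checking whether it is a link, shown as an added Python example. This is not code from NCP Server or from this guide; it assumes the NCP volume is an ordinary Linux directory tree, and the sensitive-prefix list and the sample links it creates are constructed for the demonstration.

```python
"""Audit soft links below a volume root, and open files without following links.

Added example; not part of NCP Server. Assumes the volume is a plain directory
tree. SENSITIVE_PREFIXES is an illustrative list, not a setting of the product.
"""
import os
import shutil
import stat
import tempfile

SENSITIVE_PREFIXES = ("/etc", "/root", "/boot")  # illustrative (assumption)


def _under(path, prefix):
    """True if path is prefix itself or lies below it (no '/etcetera' false hits)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit_symlinks(volume_root):
    """Return one finding per symlink below volume_root.

    Each finding records the properties the text lists as exploitable: whether the
    resolved target leaves the volume, lands in a sensitive area, is a directory,
    has a different name, or has different permission bits than the link itself.
    """
    root = os.path.realpath(volume_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            link_st = os.lstat(path)
            finding = {
                "link": path,
                "target": target,
                "escapes_volume": os.path.commonpath([root, target]) != root,
                "sensitive_target": any(_under(target, p) for p in SENSITIVE_PREFIXES),
                "target_is_dir": os.path.isdir(target),
                "name_mismatch": os.path.basename(target) != name,
                "mode_mismatch": None,  # unknown when the link dangles
            }
            try:
                tgt_st = os.stat(target)
                finding["mode_mismatch"] = (
                    stat.S_IMODE(link_st.st_mode) != stat.S_IMODE(tgt_st.st_mode))
            except FileNotFoundError:
                pass
            findings.append(finding)
    return findings


def open_nofollow(path, flags=os.O_RDONLY):
    """Open path but refuse to follow a symlink in its final component.

    This is the check the text says vulnerable programs omit: with O_NOFOLLOW the
    kernel fails with ELOOP instead of opening whatever the link points at. Only
    the last component is protected; a link in an intermediate directory still
    needs a per-component openat() walk, which is out of scope here.
    """
    return os.open(path, flags | os.O_NOFOLLOW)


def demo():
    """Build a throwaway volume with constructed links, audit it, and try a guarded open."""
    vol = tempfile.mkdtemp(prefix="ncpvol_")
    try:
        proj = os.path.join(vol, "projects")
        os.makedirs(proj)
        with open(os.path.join(proj, "notes.txt"), "w") as f:
            f.write("harmless\n")
        os.symlink("/etc/passwd", os.path.join(proj, "pw"))   # escapes the volume
        os.symlink("notes.txt", os.path.join(proj, "alias"))  # stays inside it
        findings = audit_symlinks(vol)
        try:
            os.close(open_nofollow(os.path.join(proj, "pw")))
            blocked = False
        except OSError:  # ELOOP: the open was refused because 'pw' is a link
            blocked = True
        return {"findings": findings, "nofollow_blocked": blocked}
    finally:
        shutil.rmtree(vol)


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f)
    print("O_NOFOLLOW blocked the open:", result["nofollow_blocked"])
```

Run it on a real volume with `audit_symlinks("/path/to/volume")`; any finding with `escapes_volume` or `sensitive_target` set is a link of the kind this section warns about, and `open_nofollow` is the pattern a privileged program should use when it must open a user-controlled path.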
16.3 Hard Links
NCP Server supports hardlinks for a file on an NCP volume (NCP share on a non-NSS file system) if the destination location for the hardlink is on the same NCP volume as the source file, and any of the following conditions is met:
If the user is supervisor equivalent of the NCP volume, or
If the user is the owner of the file, or
If the "Other" Read/Write mode bits are set on the file on the non-NSS file system.
Other users are unable to open hard-linked files. This restriction exists because of a hard-link security problem where users can give themselves write access to files where they should only have read access. For example, a user has world-readable access to /etc/fileA. The user creates a hardlink to /etc/fileA and specifies a destination for the link in a directory on the same file system where the user has read/write access, such as the user's home directory. Because the new link inherits the rights of the directory that holds it, the user has now granted himself read/write access to fileA.
NCP Server supports hardlinks for a file on an NSS volume if the destination location for the hardlink is on the same NSS volume as the source file, and any of the following conditions is met:
If the user is supervisor equivalent of the NSS volume, or
If the user is the owner of the file.
In addition, the Hardlinks attribute must be enabled for the NSS volume to allow hardlinks support. The hardlinks can be in the same directory or in multiple directories in the same NSS volume. When hardlinks are used, the volume's users must be enabled with Linux User Management. The NSS file system is designed to provide secure support for hardlinks on NSS volumes. For information about how the hardlinks on an NSS volume work with file ownership, trustees, trustee rights, and inherited rights, see “Understanding Hard Links” in the OES 11 SP2: NSS File System Administration Guide for Linux.
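The hard-link rule for NCP volumes on non-NSS file systems and the attack it is meant to stop, as an added Python example. This is not NCP Server code: `hardlink_permitted` is a model of the three conditions listed above as this guide states them, and `audit_hardlinks` is an independent check that reports every inode named from more than one directory under a volume root, the situation in which per-directory rights diverge. The sample volume it builds is constructed.

```python
"""Model the documented hard-link rule and audit a volume for multiply-linked inodes.

Added example; not part of NCP Server. hardlink_permitted() mirrors the three
conditions the guide lists for non-NSS NCP volumes; it is not the server's code.
"""
import os
import shutil
import stat
import tempfile
from collections import defaultdict


def hardlink_permitted(uid, target_stat, is_supervisor=False):
    """Return True if the listed conditions allow `uid` to hardlink the file.

    Any one suffices: supervisor-equivalent on the volume, owner of the file, or
    both 'Other' read and write mode bits set on the file.
    """
    if is_supervisor:
        return True
    if target_stat.st_uid == uid:
        return True
    other_rw = stat.S_IROTH | stat.S_IWOTH
    return (target_stat.st_mode & other_rw) == other_rw


def audit_hardlinks(volume_root):
    """Map each regular-file inode with st_nlink > 1 to the paths that name it.

    An inode named from directories with different owners is the case the text
    warns about: NCP rights are inherited from the directory holding each name,
    so the same file data is reachable under two different sets of rights.
    links_outside_volume > 0 means another name for the inode exists elsewhere.
    """
    root = os.path.realpath(volume_root)
    paths_by_inode = defaultdict(list)
    nlink_by_inode = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                paths_by_inode[key].append(path)
                nlink_by_inode[key] = st.st_nlink
    report = {}
    for key, paths in paths_by_inode.items():
        dir_owners = {os.stat(os.path.dirname(p)).st_uid for p in paths}
        report[key] = {
            "paths": sorted(paths),
            "directory_owners": dir_owners,
            "links_outside_volume": nlink_by_inode[key] - len(paths),
        }
    return report


def demo():
    """Build a constructed volume with one cross-directory hardlink and evaluate both checks."""
    vol = tempfile.mkdtemp(prefix="ncpvol_")
    try:
        shared = os.path.join(vol, "shared")
        home = os.path.join(vol, "home_alice")
        os.makedirs(shared)
        os.makedirs(home)
        file_a = os.path.join(shared, "fileA")
        with open(file_a, "w") as f:
            f.write("world-readable data\n")
        os.chmod(file_a, 0o644)
        os.link(file_a, os.path.join(home, "fileA_link"))  # the attack from the text

        me = os.getuid()
        stranger = me + 1  # some other uid; constructed for the demo
        st_644 = os.stat(file_a)
        os.chmod(file_a, 0o666)
        st_666 = os.stat(file_a)
        return {
            "report": audit_hardlinks(vol),
            "owner_allowed": hardlink_permitted(me, st_644),
            "stranger_allowed_0644": hardlink_permitted(stranger, st_644),
            "stranger_allowed_0666": hardlink_permitted(stranger, st_666),
            "supervisor_allowed": hardlink_permitted(stranger, st_644, is_supervisor=True),
        }
    finally:
        shutil.rmtree(vol)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`audit_hardlinks` flags the non-NSS case only; on an NSS volume the text says the file system itself tracks link ownership and trustees, so the audit there is a review of the Hardlinks attribute and trustee assignments rather than a tree walk.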
16.4 Log Files
The following log files are located in the /var/opt/novell/log directory:
ncpserv.log
ncp2nss.log
ncptop.log
Log files are managed by logrotate. For information on usage, see its man page (man logrotate). The control files for logrotate are:
/etc/logrotate.d/novell-ncpserv-log
/etc/logrotate.d/novell-ncpserv-audit
/etc/logrotate.d/novell-ncp2nss-log
16.5 Audit Logs
The following audit log files are available:
/var/opt/novell/log/ncpserv.audit.log
/var/opt/novell/log/ncp2nss.audit.log
/usr/novell/sys/._NETWARE/SYS.audit.log
/var/log/audit
By default, the NSS Auditing Client Logger (vlog) utility sends its output to stdout in an XML record format. The default log file location is /var/log/audit. You can use VLOG options to modify the output location and logging behavior. For information, see “VLOG Options” in the OES 11 SP2: NSS Auditing Client Logger (VLOG) Utility Reference.
A Commands and Utilities for NCP Server and NCP Volumes
This section describes commands and utilities for NCP Server services and NCP volumes on Novell Open Enterprise Server (OES) 11 SP2.
Section A.1, “NCPCON,” on page 149
Section A.2, “NCPCON SET Parameters,” on page 172
Section A.3, “NCP2NSS Command,” on page 180
Section A.4, “ShadowFS Command,” on page 180
Section A.5, “Virtual NCP Server Object Script,” on page 181
A.1 NCPCON
The NCP Server Console (ncpcon(8)) is a management utility for NCP Server on Novell Open Enterprise Server 11 SP2. The man page for NCPCON is located in the /usr/share/man/man8 directory. To view the man page when you are at the server console, enter man ncpcon at the terminal console prompt.