LinuxQuestions.org
Old 04-22-2006, 03:53 AM   #1
vivek reddy
LQ Newbie
 
Registered: Jan 2006
Location: Bangalore, India
Distribution: RHEL-4, fedora core 3, SLES-9,ubuntu 5.1
Posts: 22

Rep: Reputation: 15
role of ndsd in netstorage


hey guys,

software- OES SP2 on SLES-9.

i have setup a netstorage server on the oes machine. i have given rights to a user(say "test1") to read and write to the files. no rights to delete. it works perfectly fine on a local machine. the problem arises when the user "test1" accesses the same files via NetStorage.

i have written some scripts to keep track of the users and processes that access the file on the NSS server.

on a local system the script reports the user as "test1" and the process as /sbin/cat. which looks perfectly fine.

when the same file is accessed via NetStorage the script reports the user as "root" and the process as /usr/sbin/ndsd

that log tells me that the user accessing the file is root and the process is ndsd. there are no problems as of now.

the only thing that is worrying me:
1: do we create a vulnerability to external threats if "ndsd" accesses the file as root even when you are logged in as a user with limited permissions? can the user take advantage of this situation and create trouble?
2: who is this ndsd? what has this process got to do with NetStorage?

can any one post a link to the solution or answer my question please.

Sorry for this long never ending post.

 
Old 04-22-2006, 05:43 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
According to this: http://www.novell.com/coolsolutions/.../1651.html#8.6
NDS is the "Netware core protocol/eDirectory"

This link also contains steps for securing the server.

The ndsd service is running as root because it is a system service, and not run directly by the user. The web server that the user uses to access the files is probably running in a chroot jail as a demoted system user.

Last edited by jschiwal; 04-22-2006 at 05:57 AM.
 
Old 04-24-2006, 12:41 AM   #3
vivek reddy
LQ Newbie
 
Registered: Jan 2006
Location: Bangalore, India
Distribution: RHEL-4, fedora core 3, SLES-9,ubuntu 5.1
Posts: 22

Original Poster
Rep: Reputation: 15
thanks a lot.

but will it compromise the security of my system or will it make it vulnerable to external threats cos we have an application using ndsd. i was just thinking of redesigning the whole arch of the application to bypass the ndsd usage.
 
Old 04-25-2006, 06:05 PM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
If you were using Samba, for example, smbd would be running as root also. These are system services that run in the background of the server. I'm not familiar with ndsd, so I don't know if there are any security issues surrounding it. You might want to peruse security websites or mailing lists for an answer.
 
Old 04-28-2006, 08:46 AM   #5
geletine
Member
 
Registered: Apr 2005
Distribution: Slackware
Posts: 213
Blog Entries: 2

Rep: Reputation: 30
As we are on the topic of Novell NetStorage ...

How can i access my /NetStorage/Home@BC_TREE/ files via a ftp client that supports https?
I have set up to use https protocol,set my user/password, added the host name extranet.barnet.ac.uk
i had to disable verify ssl peer for it to even connect otherwise i get this error

Quote:
rtificate at depth: 2
Issuer = /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Subject = /C=BE/O=GlobalSign nv-sa/OU=Primary Secure Server CA/CN=GlobalSign Primary Secure Server CA
Error 20:unable to get local issuer certificate
I am using gftp , which fully supports https
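
The "Error 20: unable to get local issuer certificate" quoted in the post above means the client could not find, in its own trust store, the issuer of the topmost certificate the server sent. The following is an added example, not part of the original post: it reproduces that error offline with a constructed three-certificate chain and shows verification passing once the root is supplied, with peer verification left on. All names (Demo Root CA, Demo Primary CA, server.example) are made up.

```shell
#!/bin/sh
# Constructed demo chain: "Demo Root CA" -> "Demo Primary CA" -> server cert.
# Nothing here contacts the host named in the post; all files are throwaway.
set -e

build_chain() {             # $1 = empty working directory
  d=$1
  # Minimal config so the commands do not depend on a system openssl.cnf.
  cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -config "$d/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Primary CA" -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/o.cnf" -extensions v3_ca -out "$d/int.pem" >/dev/null 2>&1
  openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=server.example" -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/srv.pem" >/dev/null 2>&1
}

# The intermediate is offered as an untrusted helper (as a server would send
# it), but the demo root is in no trust store: the chain cannot be anchored.
verify_without_root() {
  openssl verify -untrusted "$1/int.pem" "$1/srv.pem" 2>&1 || true
}

# Same chain, with the root supplied as the trust anchor.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/srv.pem" 2>&1 || true
}

demo() {
  w=$(mktemp -d)
  build_chain "$w"
  echo "--- root missing from the trust store:"; verify_without_root "$w"
  echo "--- root supplied with -CAfile:";        verify_with_root "$w"
  rm -rf "$w"
}
demo
```

Against a real server the same fix applies: obtain the issuing CA's root certificate from the CA itself and add it to the store the client reads, rather than turning peer verification off.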
 
  

