'\" te
.\" Copyright (C) 2003, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH NETGROUP 4 "Feb 25, 2017"
.SH NAME
netgroup \- list of network groups
.SH SYNOPSIS
.LP
.nf
\fB/etc/netgroup\fR
.fi

.SH DESCRIPTION
.LP
A \fBnetgroup\fR defines a network-wide group of hosts and users. Use a
\fBnetgroup\fR to restrict access to shared \fBNFS\fR filesystems and to
restrict remote login and shell access.
.sp
.LP
Network groups are stored in a network information service, such as
\fBLDAP\fR or \fBNIS\fR, not in a local file.
.sp
.LP
This manual page describes the format for a file that is used to supply input
to a program such as \fBldapaddent\fR(1M) for LDAP or \fBmakedbm\fR(1M) for
NIS. These programs build maps or tables used by
their corresponding network information services.
.sp
.LP
Each line of the file defines the name and membership of a network group. The
line should have the format:
.sp
.in +2
.nf
\fIgroupname member\fR...
.fi
.in -2
.sp

.sp
.LP
The items on a line can be separated by a combination of one or more spaces or
tabs.
.sp
.LP
The \fIgroupname\fR is the name of the group being defined. This is followed by
a list of members of the group. Each \fImember\fR is either another group name,
all of whose members are to be included in the group being defined, or a triple
of the form:
.sp
.in +2
.nf
\fI(hostname,username,domainname)\fR
.fi
.in -2
.sp

.sp
.LP
In each triple, any of the three fields \fIhostname\fR, \fIusername\fR, and
\fIdomainname\fR, can be empty. An empty field signifies a wildcard that
matches any value in that field. Thus:
.sp
.in +2
.nf
everything (\|,\|,this.domain)
.fi
.in -2
.sp

.sp
.LP
defines a group named "everything" for the domain "this.domain" to which every
host and user belongs.
.sp
.LP
The \fIdomainname\fR field refers to the domain in which the triple is valid,
not the domain containing the host or user. In fact, applications using
\fBnetgroup\fR generally do not check the \fIdomainname\fR. Therefore, using
.sp
.in +2
.nf
(,,domain)
.fi
.in -2
.sp

.sp
.LP
is equivalent to
.sp
.in +2
.nf
(,,)
.fi
.in -2
.sp

.sp
.LP
You can also use netgroups to control \fBNFS\fR mount access (see
\fBshare_nfs\fR(1M)) and to control remote login and shell access (see
\fBhosts.equiv\fR(4)). You can also use them to control local login access (see
\fBpasswd\fR(4), \fBshadow\fR(4), and \fBcompat\fR in \fBnsswitch.conf\fR(4)).
.sp
.LP
When used for these purposes, a host is considered a member of a \fBnetgroup\fR
if the \fBnetgroup\fR contains any triple in which the \fIhostname\fR field
matches the name of the host requesting access and the \fIdomainname\fR field
matches the domain of the host controlling access.
.sp
.LP
Similarly, a user is considered a member of a \fBnetgroup\fR if the
\fBnetgroup\fR contains any triple in which the \fIusername\fR field matches
the name of the user requesting access and the \fIdomainname\fR field
matches the domain of the host controlling access.
.sp
.LP
Note that when netgroups are used to control NFS mount access, access is
granted depending only on whether the requesting host is a member of the
\fBnetgroup\fR. Remote login and shell access can be controlled both on the
basis of host and user membership in separate netgroups.
.SH FILES
.ne 2
.na
\fB\fB/etc/netgroup\fR\fR
.ad
.RS 17n
Used by a network information service's utility to construct a map or table
that contains \fBnetgroup\fR information. For example, \fBldapaddent\fR(1M)
uses \fB/etc/netgroup\fR to construct an LDAP container.
.RE

.sp
.LP
Note that the netgroup information must always be stored in a network
information service, such as \fBLDAP\fR or \fBNIS\fR. The local file is
only used to construct a map or table for the network information service. It
is never consulted directly.
.SH SEE ALSO
.LP
\fBldapaddent\fR(1M), \fBmakedbm\fR(1M),
\fBshare_nfs\fR(1M), \fBinnetgr\fR(3C), \fBhosts\fR(4), \fBhosts.equiv\fR(4),
\fBnsswitch.conf\fR(4), \fBpasswd\fR(4), \fBshadow\fR(4)
.SH NOTES
.LP
\fBnetgroup\fR requires a network information service such as \fBLDAP\fR
or \fBNIS\fR.
.sp
.LP
Applications may make general membership tests using the \fBinnetgr()\fR
function. See \fBinnetgr\fR(3C).
.sp
.LP
Because the "-" character will not match any specific username or hostname, it
is commonly used as a placeholder that will match only wildcarded membership
queries. So, for example:
.sp
.in +2
.nf
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
.fi
.in -2
.sp

.sp
.LP
effectively define netgroups containing only hosts and only users,
respectively. Any other string that is guaranteed not to be a legal username or
hostname will also suffice for this purpose.
.sp
.LP
Use of placeholders will improve search performance.
.sp
.LP
When a machine with multiple interfaces and multiple names is defined as a
member of a \fBnetgroup\fR, one must list all of the names. See \fBhosts\fR(4).
A manageable way to do this is to define a \fBnetgroup\fR containing all of the
machine names. For example, for a host "gateway" that has names
"gateway-subnet1" and "gateway-subnet2" one may define the \fBnetgroup\fR:
.sp
.in +2
.nf
gateway (gateway-subnet1,\|,our.domain) (gateway-subnet2,\|,our.domain)
.fi
.in -2
.sp

.sp
.LP
and use this \fBnetgroup\fR "\fBgateway\fR" whenever the host is to be included
in another \fBnetgroup\fR.
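The file format, the empty-field wildcard, the "-" placeholder and the nested "gateway" group described above, worked as an added example that is not part of this manual page or of any Solaris/illumos implementation: a small Python parser for netgroup(4) lines, an innetgr(3C)-style membership test, and a check that flags groups whose triples admit any host and any user. The function names, the cycle protection for self-referencing groups and the sample input are assumptions of this example.

```python
import re

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_netgroup(text):
    """Parse netgroup(4) 'groupname member...' lines into tuples (empty field = wildcard) or nested names."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *members = line.split()  # any mix of spaces and tabs separates items
        entries = groups.setdefault(name, [])
        for m in members:
            match = TRIPLE_RE.match(m)
            entries.append(tuple(match.groups()) if match else m)
    return groups

def _field_matches(entry, query):
    # query None: caller does not care about this field (wildcarded query). entry "": wildcard in
    # the file. entry "-": never equals a real name, so it satisfies only a wildcarded query.
    return query is None or entry == "" or entry == query

def innetgr(groups, group, host=None, user=None, domain=None, _seen=None):
    """innetgr(3C)-style test: is (host, user, domain) in group? None means any value."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in groups:
        return False  # unknown group, or a reference cycle such as 'a b' / 'b a' (assumed handling)
    _seen.add(group)
    for member in groups[group]:
        if isinstance(member, tuple):
            h, u, d = member
            if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
                return True
        elif innetgr(groups, member, host, user, domain, _seen):  # nested group
            return True
    return False

def open_to_everyone(groups):
    """Groups holding a triple with empty hostname and username: any host, any user."""
    return [g for g, ms in groups.items()
            if any(isinstance(m, tuple) and m[0] == "" and m[1] == "" for m in ms)]

# Constructed sample input, modelled on the examples in this manual page.
SAMPLE = """\
everything (,,this.domain)
onlyhosts  (host1,-,our.domain) (host2,-,our.domain)
onlyusers  (-,john,our.domain)\t(-,linda,our.domain)
gateway    (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
trusted    onlyhosts gateway
"""
GROUPS = parse_netgroup(SAMPLE)
```

A host query against "onlyusers" or a user query against "onlyhosts" returns False because "-" equals no real name, which is exactly the placeholder behaviour the NOTES section relies on.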