'\" te
.\" Copyright 2012 Nexenta Systems, Inc. All rights reserved.
.\" Copyright (C) 2003, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH NETGROUP 4 "Feb 25, 2017"
.SH NAME
netgroup \- list of network groups
.SH SYNOPSIS
.LP
.nf
\fB/etc/netgroup\fR
.fi

.SH DESCRIPTION
.LP
A \fBnetgroup\fR defines a network-wide group of hosts and users. Use a
\fBnetgroup\fR to restrict access to shared \fBNFS\fR filesystems and to
restrict remote login and shell access.
.sp
.LP
Network groups are usually stored in network information services,
such as \fBLDAP\fR or \fBNIS\fR, but may alternatively be stored in
the local \fB/etc/netgroup\fR file. The \fBnetgroup\fR line of the
\fBnsswitch.conf\fR(4) file determines which of those sources are used.
.sp
.LP
This manual page describes the format for a file that is used to supply input
to a program such as \fBldapaddent\fR(1M) for LDAP, or \fBmakedbm\fR(1M) for
NIS. The same file format is used in the local \fB/etc/netgroup\fR file.
.sp
.LP
Each line of the file defines the name and membership of a network group. The
line should have the format:
.sp
.in +2
.nf
\fIgroupname member\fR...
.fi
.in -2
.sp

.sp
.LP
The items on a line can be separated by a combination of one or more spaces or
tabs.
.sp
.LP
The \fIgroupname\fR is the name of the group being defined. This is followed by
a list of members of the group. Each \fImember\fR is either another group name,
all of whose members are to be included in the group being defined, or a triple
of the form:
.sp
.in +2
.nf
\fI(hostname,username,domainname)\fR
.fi
.in -2
.sp

.sp
.LP
In each triple, any of the three fields \fIhostname\fR, \fIusername\fR, and
\fIdomainname\fR, can be empty. An empty field signifies a wildcard that
matches any value in that field. Thus:
.sp
.in +2
.nf
everything (\|,\|,this.domain)
.fi
.in -2
.sp

.sp
.LP
defines a group named "everything" for the domain "this.domain" to which every
host and user belongs.
.sp
.LP
The \fIdomainname\fR field refers to the domain in which the triple is valid,
not the domain containing the host or user. In fact, applications using
\fBnetgroup\fR generally do not check the \fIdomainname\fR. Therefore, using
.sp
.in +2
.nf
(,,domain)
.fi
.in -2
.sp

.sp
.LP
is equivalent to
.sp
.in +2
.nf
(,,)
.fi
.in -2
.sp

.sp
.LP
You can also use netgroups to control \fBNFS\fR mount access (see
\fBshare_nfs\fR(1M)) and to control remote login and shell access (see
\fBhosts.equiv\fR(4)). You can also use them to control local login access (see
\fBpasswd\fR(4), \fBshadow\fR(4), and \fBcompat\fR in \fBnsswitch.conf\fR(4)).
.sp
.LP
When used for these purposes, a host is considered a member of a \fBnetgroup\fR
if the \fBnetgroup\fR contains any triple in which the \fIhostname\fR field
matches the name of the host requesting access and the \fIdomainname\fR field
matches the domain of the host controlling access.
.sp
.LP
Similarly, a user is considered a member of a \fBnetgroup\fR if the
\fBnetgroup\fR contains any triple in which the \fIusername\fR field matches
the name of the user requesting access and the \fIdomainname\fR field
matches the domain of the host controlling access.
.sp
.LP
Note that when netgroups are used to control NFS mount access, access is
granted depending only on whether the requesting host is a member of the
\fBnetgroup\fR. Remote login and shell access can be controlled both on the
basis of host and user membership in separate netgroups.
.SH FILES
.ne 2
.na
\fB\fB/etc/netgroup\fR\fR
.ad
.RS 17n
Used by a network information service's utility to construct a map or table
that contains \fBnetgroup\fR information. For example, \fBldapaddent\fR(1M)
uses \fB/etc/netgroup\fR to construct an LDAP container. Alternatively,
the \fB/etc/netgroup\fR file may be used directly if the \fBfiles\fR
source is specified in \fBnsswitch.conf\fR(4) for the \fBnetgroup\fR
database.

.RE

.SH SEE ALSO
.LP
\fBldapaddent\fR(1M), \fBmakedbm\fR(1M),
\fBshare_nfs\fR(1M), \fBinnetgr\fR(3C), \fBhosts\fR(4), \fBhosts.equiv\fR(4),
\fBnsswitch.conf\fR(4), \fBpasswd\fR(4), \fBshadow\fR(4)
.SH NOTES
.LP
Applications may make general membership tests using the \fBinnetgr()\fR
function. See \fBinnetgr\fR(3C).
.sp
.LP
Because the "-" character will not match any specific username or hostname, it
is commonly used as a placeholder that will match only wildcarded membership
queries. So, for example:
.sp
.in +2
.nf
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
.fi
.in -2
.sp

.sp
.LP
effectively define netgroups containing only hosts and only users,
respectively. Any other string that is guaranteed not to be a legal username or
hostname will also suffice for this purpose.
.sp
.LP
Use of placeholders will improve search performance.
.sp
.LP
When a machine with multiple interfaces and multiple names is defined as a
member of a \fBnetgroup\fR, one must list all of the names. See \fBhosts\fR(4).
A manageable way to do this is to define a \fBnetgroup\fR containing all of the
machine names. For example, for a host "gateway" that has names
"gateway-subnet1" and "gateway-subnet2" one may define the \fBnetgroup\fR:
.sp
.in +2
.nf
gateway (gateway-subnet1,\|,our.domain) (gateway-subnet2,\|,our.domain)
.fi
.in -2
.sp

.sp
.LP
and use this \fBnetgroup\fR "\fBgateway\fR" whenever the host is to be included
in another \fBnetgroup\fR.
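.sp
.LP
The following Python program is an added example; it is not part of this
manual page or of the illumos source. It parses text in the file format
described in DESCRIPTION and answers membership queries with the rules
given there and in NOTES: nested group names are expanded, an empty
triple field is a wildcard, and the "-" placeholder matches only a
wildcarded query. The sample netgroup text is constructed for the
example, and the \fBparse_netgroup()\fR, \fBinnetgr()\fR, \fBexpand()\fR,
\fBhosts_of()\fR and \fBusers_of()\fR names are the example's own; the
real \fBinnetgr\fR(3C) is a C function with a different signature.
.sp

```python
"""Parser and innetgr(3C)-style membership test for the netgroup(4) format.

Added example: not code from the netgroup(4) page or the illumos source.
The sample file text below is constructed for this example.
"""
import re

# Constructed sample /etc/netgroup text (not taken from the manual page).
# It exercises the page's rules: empty fields as wildcards, the "-"
# placeholder, nested group names, tab separators, and a reference cycle.
SAMPLE_NETGROUP = """\
everything (,,this.domain)
onlyhosts (host1,-,our.domain)\t(host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
trusted gateway onlyhosts
loop1 loop2
loop2 loop1
"""

_TRIPLE_RE = re.compile(r"\(([^,()\s]*),([^,()\s]*),([^,()\s]*)\)")


def parse_netgroup(text):
    """Map groupname -> list of members; a member is a (host, user, domain)
    tuple or a str naming another netgroup. Raises ValueError on bad input."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()          # any mix of spaces and tabs
        if not fields:
            continue                  # blank line
        name, members = fields[0], []
        for tok in fields[1:]:
            m = _TRIPLE_RE.fullmatch(tok)
            if m:
                members.append(m.groups())
            elif not any(c in tok for c in "(),"):
                members.append(tok)   # bare word: nested netgroup name
            else:
                raise ValueError("line %d: malformed member %r" % (lineno, tok))
        groups.setdefault(name, []).extend(members)
    return groups


def is_well_formed(text):
    """True if parse_netgroup() accepts the text."""
    try:
        parse_netgroup(text)
        return True
    except ValueError:
        return False


def _field_matches(field, query):
    """One triple field against one query value (None = don't care)."""
    if query is None:
        return True                   # wildcarded query, like a NULL argument to innetgr(3C)
    if query == "-":
        return False                  # defensive choice of this example: a literal "-"
                                      # supplied as a name must never hit the placeholder
    return field == "" or field == query   # empty field is a wildcard


def expand(groups, netgroup):
    """All triples reachable from netgroup, following nested names once each."""
    triples, seen, stack = [], set(), [netgroup]
    while stack:
        name = stack.pop()
        if name in seen:
            continue                  # cycle or diamond: each group visited once
        seen.add(name)
        for member in groups.get(name, []):
            if isinstance(member, str):
                stack.append(member)
            else:
                triples.append(member)
    return triples


def innetgr(groups, netgroup, host=None, user=None, domain=None):
    """True if some triple in netgroup (or a nested one) matches the query.
    domain defaults to None because, as the page notes, most callers do not
    check it; pass the controlling host's domain to enforce that rule."""
    return any(_field_matches(h, host) and _field_matches(u, user)
               and _field_matches(d, domain)
               for h, u, d in expand(groups, netgroup))


def hosts_of(groups, netgroup):
    """Concrete host names in a netgroup, skipping wildcards and placeholders."""
    return {h for h, _, _ in expand(groups, netgroup) if h not in ("", "-")}


def users_of(groups, netgroup):
    """Concrete user names in a netgroup, skipping wildcards and placeholders."""
    return {u for _, u, _ in expand(groups, netgroup) if u not in ("", "-")}


if __name__ == "__main__":
    g = parse_netgroup(SAMPLE_NETGROUP)
    for name, host, user in (("onlyhosts", "host1", None), ("onlyhosts", None, "john"),
                             ("trusted", "gateway-subnet2", None), ("loop1", "x", None)):
        print(name, host, user, innetgr(g, name, host=host, user=user))
```

Querying "onlyhosts" with only a host name succeeds while querying it with
only a user name fails, which is the placeholder behaviour NOTES describes;
"trusted" picks up both of the gateway's names through the nested "gateway"
group, and the loop1/loop2 cycle terminates because each group is visited
once. Callers that enforce the \fIdomainname\fR rule from DESCRIPTION pass
the controlling host's domain as \fBdomain\fR.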