NFS Services Administrator's Guide: HP-UX 11i version 2 > Chapter 2 Configuring and Administering NFS Services

Configuring and Using NFS Netgroups


This section tells you how to create and use NFS netgroups to restrict NFS access to your system. It describes the following tasks:

  • Creating Netgroups in the /etc/netgroup File

  • Creating Netgroups in the NIS+ netgroup Table

  • Using Netgroups in Configuration Files

Creating Netgroups in the /etc/netgroup File

  1. If you are using the local /etc/netgroup file or the NIS netgroup map for netgroups, add lines with the following syntax to the /etc/netgroup file. If you are using NIS, be sure to edit the /etc/netgroup file only on the NIS master server.

    netgroup_name (host, user, NIS_domain), (host, user, NIS_domain) ...
  2. If you are using NIS to manage your netgroups database, issue the following command on the NIS master server to generate the netgroup, netgroup.byhost, and netgroup.byuser maps from the /etc/netgroup file and push the generated maps out to the NIS slave servers:

    cd /var/yp
    /usr/ccs/bin/make netgroup

A netgroup can be used in most NFS and NIS configuration files instead of a host name or a user name. A netgroup does not create a relationship between users and hosts. When a netgroup is used in a configuration file, it represents either a group of hosts or a group of users but never both.

If you are using BIND (DNS) for hostname resolution, hosts must be specified as fully qualified domain names, for example turtle.bio.nmt.edu.

If the host, user, or NIS_domain is left blank in a netgroup, that field can take any value. If a dash (-) is specified in any field of a netgroup, that field can take no value.

The NIS_domain field specifies the NIS domain in which the (host, user, NIS_domain) triple is valid. For example, if the netgroup database contains the following netgroup,

myfriends (sage,-,bldg1), (cauliflower,-,bldg2), (pear,-,bldg3)

and an NFS server running NIS in the domain bldg1 exports a directory only to the netgroup myfriends, only host sage may mount that directory. The other two triples are ignored, because they are not valid in the bldg1 domain.

If an HP-UX host not running NIS exports a directory to the netgroup myfriends, the NIS_domain field is ignored, and all three hosts (sage, cauliflower, and pear) may mount the directory.

If the netgroup database contains the following netgroup,

mydomain (,,bldg1)

and a host in the NIS domain bldg1 exports a directory to the netgroup mydomain, any host in any domain may mount the directory, because the host field is blank.

If an HP-UX host not running NIS exports a directory to the netgroup mydomain, shown above, the NIS_domain field is ignored, but the host field is used, so any host in any domain may mount the directory.

If a host in the NIS domain bldg2 exports a directory to the netgroup mydomain, no host in any domain may mount the directory, because the triple is not valid in the bldg2 domain, so it is ignored.

Netgroup Examples

The following netgroup specifies a group of hosts:

trusted_hosts (sage, , ), (basil, , ), (thyme, , )

The trusted_hosts netgroup could be used in the -access option of a line in the /etc/exports file, as follows:

/usr -access=trusted_hosts

The following netgroup specifies a group of users:

administrators ( ,jane, ), ( ,art, ), ( ,mel, )

If this netgroup were ever accidentally included in a list of hosts rather than users, the blank space would be interpreted as a wildcard meaning any host. For example, if someone used this netgroup in a -access list in the /etc/exports file, any host would have access to the exported directory. For this reason, if a netgroup is used strictly as a list of users, it is better to put a dash in the host field, as follows:

administrators (-,jane, ), (-,art, ), (-,mel, )

The dash indicates that no hosts are included in the netgroup.

The trusted_hosts and administrators netgroups could be used together in the /etc/hosts.equiv file, as follows:

+@trusted_hosts  +@administrators

The first netgroup would be read for host names, and the second would be read for user names. Users in the administrators netgroup could log into the local host from any host in the trusted_hosts netgroup without supplying a password.

The two netgroups could be combined into one, as follows:

goodguys (sage,jane, ), (basil,art, ), (thyme,mel, )

If the two netgroups were combined this way, the same netgroup could be used as both the host name and the user name in the /etc/hosts.equiv file:

+@goodguys   +@goodguys

The first occurrence of it would be read for the host name, and the second occurrence would be read for the user name. No relationship exists between the host and user in any of the triples. For example, user jane might not even have an account on host sage.

A netgroup can contain other netgroups, as in the following example:

root-users (dill,-,  ), (sage,-, ), (thyme,- , ), (basil,-, )
mail-users (rosemary, , ), (oregano, , ), root-users

The root-users netgroup is a group of four systems. The mail-users netgroup uses the root-users netgroup as part of a larger group of systems. The blank space in the third field of each triple indicates that these netgroups are valid in any NIS domain.
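To make the matching rules above concrete, the following is an added example (not code from the HP-UX manual) that parses the /etc/netgroup lines shown in this section and evaluates membership the way the text describes: a blank field is a wildcard, a dash matches nothing, a triple whose NIS_domain does not match the local domain is ignored, the domain field is ignored entirely on a host not running NIS, and included netgroups are expanded. The function and variable names are my own.

```python
import re
# Constructed /etc/netgroup contents, built from the netgroups discussed above.
NETGROUP_FILE = """\
myfriends (sage,-,bldg1), (cauliflower,-,bldg2), (pear,-,bldg3)
mydomain (,,bldg1)
root-users (dill,-,  ), (sage,-, ), (thyme,- , ), (basil,-, )
mail-users (rosemary, , ), (oregano, , ), root-users
administrators (-,jane, ), (-,art, ), (-,mel, )
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(text):
    """Map netgroup name -> members; a member is a stripped (host, user, domain)
    tuple or a bare string naming an included netgroup."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, body = line.strip().partition(" ")
        members, pos = [], 0
        for m in TRIPLE.finditer(body):
            members += re.findall(r"[\w.-]+", body[pos:m.start()])  # included names
            members.append(tuple(f.strip() for f in m.groups()))
            pos = m.end()
        groups[name] = members + re.findall(r"[\w.-]+", body[pos:])
    return groups

def field_matches(field, value):
    """Blank field is a wildcard, a dash matches nothing, anything else is exact."""
    return True if field == "" else False if field == "-" else field == value

def in_netgroup(groups, name, host=None, user=None, nis_domain=None, seen=None):
    """Is `host` (or `user`; give exactly one) matched by netgroup `name`?
    nis_domain=None models a host not running NIS: the domain field is ignored."""
    assert (host is None) != (user is None), "a netgroup is hosts or users, never both"
    seen = set() if seen is None else seen
    if name in seen or name not in groups:   # unknown name, or a nested cycle
        return False
    seen.add(name)
    for member in groups[name]:
        if isinstance(member, str):           # included netgroup: recurse into it
            if in_netgroup(groups, member, host, user, nis_domain, seen):
                return True
        else:
            h, u, d = member
            if nis_domain is None or field_matches(d, nis_domain):  # else ignored
                field, value = (h, host) if host is not None else (u, user)
                if field_matches(field, value):
                    return True
    return False
```

Running it against the myfriends and mydomain examples reproduces the outcomes the text gives for a bldg1 server, a bldg2 server, and a server not running NIS.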

Creating Netgroups in the NIS+ netgroup Table

If you are using NIS+ to manage your netgroups, issue commands with the following syntax to add entries to the NIS+ netgroup table:

nistbladm -a group= host=host user=user domain=domain \
comment= netgroup.org_dir

or

nistbladm -a group=netgroup host= user= domain= \
comment= netgroup.org_dir

In the NIS+ netgroup table, each netgroup may consist of multiple table entries. Each table entry specifies either a (host, user, domain) triple or an included netgroup. Each entry may contain a comment in the last column.

For information on the general syntax of netgroups and how they are used, see “Creating Netgroups in the /etc/netgroup File”.

For more information on NIS+, see Chapter 5 “Configuring and Administering NIS+”.

Using Netgroups in Configuration Files

Netgroups may be used in the following files:

  • /etc/exports, in the -access list

  • /etc/hosts.equiv or $HOME/.rhosts, in place of a host name or user name

  • /etc/passwd, to tell processes whether to look in the NIS password database for information about the users in the netgroup

  • /etc/group, to tell processes whether to look in the NIS group database for information about the users in the netgroup

The next few sections explain how to use netgroups in these files.

Using Netgroups in the /etc/exports File

In the /etc/exports file, netgroups can be used in the list of NFS clients following the -access option, as in the following example:

/var/mail -access=mail_clients

The mail_clients netgroup is defined as follows:

mail_clients (cauliflower, , ), (broccoli, , ), (cabbage, , )

Only the host names from the netgroup are used. If the netgroup also contains user names, these are ignored. This netgroup is valid in any NIS domain, because the third field in each triple is left blank.

Using Netgroups in the /etc/hosts.equiv or $HOME/.rhosts File

In the /etc/hosts.equiv file, or in a .rhosts file in a user’s home directory, netgroups can be used in either the host name field or the user name field, as in the following example:

+@our_friends   +@our_friends

The netgroup our_friends can be used as both the host name and the user name, because it includes both host names and user names, as follows:

our_friends (sage,sara, ), (sage,eric, ), (dill,-, ), ( ,monica, )

The blank host name field in the fourth triple serves as a wildcard, allowing users from any host on the network to log in without supplying a password. However, only the users listed in the netgroup are given this privileged access, because each user name field contains either a user name or a dash.

Netgroups can also be used to deny privileged access to certain hosts or users in the /etc/hosts.equiv or $HOME/.rhosts file, as in the following example:

+   -@vandals

The plus sign (+) is a wildcard in the /etc/hosts.equiv or $HOME/.rhosts file syntax, allowing privileged access from any host in the network. The netgroup vandals is defined as follows:

vandals ( ,pat, ), ( ,harriet, ), ( ,reed, )

All users except those listed in the vandals netgroup can log into the local system without supplying a password from any system in the network.

CAUTION: Any users who are denied privileged access in the /etc/hosts.equiv file can still be allowed privileged access in a user’s $HOME/.rhosts file. The $HOME/.rhosts file is read after the /etc/hosts.equiv file and overrides it.

For more information, type man 4 hosts.equiv at the HP-UX prompt.

Using Netgroups in the /etc/passwd File

In the /etc/passwd file, netgroups can be used to indicate whether user information should be looked up in the NIS or NIS+ passwd database.

The following example line from the /etc/passwd file indicates that users in the netgroup animals should be looked up in the NIS or NIS+ passwd database:

+@animals

The animals netgroup is defined as follows in the /etc/netgroup file:

animals (-,mickey, ), (-,daffy, ), (-,porky, ), (-,bugs, )

Note that the /etc/passwd file is searched sequentially, so if user mickey, daffy, porky, or bugs appears before the animals netgroup in the /etc/passwd file, the NIS or NIS+ database will never be consulted for information on that user.

The Name Service Switch configuration is used to determine where to look for the contents of a netgroup. See Chapter 6 “Configuring the Name Service Switch”.

Netgroups can also be used to prevent lookups of certain users in the NIS or NIS+ passwd database. The following example lines from the /etc/passwd file indicate that if the NIS or NIS+ passwd database contains entries for users in the bears netgroup, these entries cannot be used on the local system. Any other users can be looked up in the NIS or NIS+ database.

-@bears
+::-2:60001:::

The line beginning with + causes the NIS or NIS+ database to be searched for any users (except those in the bears netgroup) who are not listed before the line beginning with +.
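As an added example (not the manual's own code) of the sequential search the passwd sections above describe, the following simulates how a lookup for one user walks a constructed /etc/passwd containing +@, -@ and + lines; the same top-to-bottom rule is what the /etc/group section below relies on. The netgroup user sets and NIS entries are constructed, and the uid/gid overrides on the + line are not modelled.

```python
# Constructed user lists for the animals and bears netgroups shown above; only
# the user field matters here, which is why those triples carry a dash for host.
NETGROUPS = {
    "animals": {"mickey", "daffy", "porky", "bugs"},
    "bears": {"yogi", "smokey", "pooh"},
}
# Constructed NIS passwd map, keyed by user name (hypothetical uids and shells).
NIS_PASSWD = {u: f"{u}:x:{1000 + i}:60001::/home/{u}:/bin/sh"
              for i, u in enumerate(["mickey", "daffy", "yogi", "alice"])}

def lookup_user(passwd_lines, user, netgroups=NETGROUPS, nis=NIS_PASSWD):
    """Walk /etc/passwd top to bottom and return (source, entry), where source
    is 'local', 'nis' or None. The first line that decides the user wins:
    a local entry shadows any later +@ line, -@ excludes the netgroup's users
    from NIS lookup, and a bare + consults NIS for anyone still undecided."""
    for line in passwd_lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("-@"):
            if user in netgroups.get(line[2:], ()):
                return None, None            # NIS entry may not be used locally
        elif line.startswith("+@"):
            if user in netgroups.get(line[2:], ()) and user in nis:
                return "nis", nis[user]
        elif line.startswith("+"):           # e.g. +::-2:60001::: (overrides ignored)
            if user in nis:
                return "nis", nis[user]
        elif line.split(":", 1)[0] == user:
            return "local", line
    return None, None

# Constructed /etc/passwd: mickey has a local entry before +@animals, so, as the
# text notes, NIS is never consulted for him.
PASSWD = """\
root:x:0:3::/:/sbin/sh
mickey:x:501:20::/home/mickey:/bin/sh
+@animals
-@bears
+::-2:60001:::
""".splitlines()
```

Swapping the -@bears and + lines lets yogi resolve through NIS, which is why the order of these lines matters.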

For more information on NIS, see Chapter 4 “Configuring and Administering NIS”.

For more information on NIS+, see Chapter 5 “Configuring and Administering NIS+”.

For information on the /etc/passwd file, type man 4 passwd at the HP-UX prompt.

Using Netgroups in the /etc/group File

In the /etc/group file, netgroups can be used to indicate whether group information about certain users should be looked up in the NIS or NIS+ group database.

The following example line from the /etc/group file indicates that group information for users in the netgroup animals can be found in the NIS or NIS+ group database:

+@animals

The animals netgroup is defined as follows in the /etc/netgroup file:

animals (-,mickey, ), (-,daffy, ), (-,porky, ), (-,bugs, )

Members of the animals netgroup can belong to groups listed in the local /etc/group file as well as in the NIS or NIS+ group database. The following lines in the /etc/group file give users bugs and daffy membership in the group wiseguys and in any group in the NIS or NIS+ database that includes them as members:

wiseguys::22:bugs,daffy
+@animals

Netgroups can also be used in the /etc/group file to prevent lookups for certain users. The bears netgroup is defined as follows in the /etc/netgroup file:

bears (-,yogi, ), (-,smokey, ), (-,pooh, )

The following lines in the /etc/group file allow user pooh membership in group teddybears but not in any other group listed in the NIS or NIS+ database or after the -@bears line in the /etc/group file:

teddybears::23:pooh,paddington
-@bears

For more information on NIS, see Chapter 4 “Configuring and Administering NIS”.

For more information on NIS+, see Chapter 5 “Configuring and Administering NIS+”.

For information on the /etc/group file, type man 4 group at the HP-UX prompt.

© 2004 Hewlett-Packard Development Company, L.P.