NFS Services Administrator's Guide: HP-UX 11i version 3 > Chapter 2 Configuring and Administering NFS Services

Configuring and Using NFS Netgroups

This section describes how to create NFS netgroups and how to use them to restrict which client systems and users are granted access. It describes the following tasks:

  • Creating Netgroups in the /etc/netgroup File

  • Using Netgroups in Configuration Files

Creating Netgroups in the /etc/netgroup File

To create netgroups in the /etc/netgroup file, follow these steps:

  1. If you are using the local /etc/netgroup file or the NIS netgroup map for netgroups, add entries with the following syntax to the /etc/netgroup file.

    netgroup_name (host, user, NIS_domain) (host, user, NIS_domain) ...

    If you are using NIS, edit the /etc/netgroup file only on the NIS master server.
  2. If you are using NIS to manage your netgroups database, enter the following command on the NIS master server to generate the netgroup, netgroup.byhost, and netgroup.byuser maps from the /etc/netgroup file, and push the generated maps to the NIS slave servers:

    cd /var/yp
    /usr/ccs/bin/make netgroup

A netgroup can be used in most NFS and NIS configuration files, instead of a host name or a user name. A netgroup does not create a relationship between users and hosts. When a netgroup is used in a configuration file, it represents either a group of hosts or a group of users, but never both.

If you are using BIND (DNS) for hostname resolution, hosts must be specified as fully qualified domain names, for example: turtle.bio.nmt.edu.

If the host, user, or NIS_domain field of a triple is left blank, that field matches any value (it acts as a wildcard). If a dash (-) is specified in a field, that field matches no value.

The NIS_domain field specifies the NIS domain in which the triple (host, user, NIS_domain) is valid. For example, if the netgroup database contains the following netgroup:

myfriends (sage,-,bldg1) (cauliflower,-,bldg2) (pear,-,bldg3)

and an NFS server running NIS in the domain bldg1 shares a directory only to the netgroup myfriends, only the host sage can mount that directory. The other two triples are ignored, because they are not valid in the bldg1 domain.

If an HP-UX host not running NIS exports or shares a directory to the netgroup myfriends, the NIS_domain field is ignored, and all three hosts (sage, cauliflower, and pear) can mount the directory.

If the netgroup database contains the following netgroup,

mydomain (,,bldg1)

and a host in the NIS domain bldg1 shares a directory to the netgroup mydomain, any host in the bldg1 domain may mount the directory, because the host field is blank.

If an HP-UX host not running NIS shares a directory to the netgroup mydomain, the NIS_domain field is ignored but the blank host field is still treated as a wildcard. As a result, any host in any domain can mount the directory.

If a host in the NIS domain bldg2 shares a directory to the netgroup mydomain, no host in any domain can mount the directory, because the triple is not valid in the bldg2 domain. As a result, it is ignored.

Netgroup Examples

The following netgroup specifies a group of hosts:

trusted_hosts (sage, , ) (basil, , ) (thyme, , )

The trusted_hosts netgroup can be used in an access list of a share entry in the /etc/dfs/dfstab file, as follows:

share -F nfs -o ro=trusted_hosts /usr

The following netgroup specifies a group of users:

administrators ( ,jane, ) ( ,art, ) ( ,mel, )

If this netgroup is accidentally used in a list of hosts rather than users, the blank host field is interpreted as a wildcard, meaning any host. For example, if someone used this netgroup in the ro= or rw= list of a share entry in the /etc/dfs/dfstab file, any host could access the shared directory. If a netgroup is used strictly as a list of users, it is better to put a dash in the host field, as follows:

administrators (-,jane, ) (-,art, ) (-,mel, )

The dash indicates that no hosts are included in the netgroup.

The trusted_hosts and administrators netgroups can be used together in the /etc/hosts.equiv file, as follows:

+@trusted_hosts  +@administrators

The first netgroup is read for host names, and the second is read for user names. Users in the administrators netgroup can log in to the local host from any host in the trusted_hosts netgroup without supplying a password.

The two netgroups can be combined into one, as follows:

goodguys (sage,jane, ) (basil,art, ) (thyme,mel, )

If the two netgroups are combined this way, the same netgroup can be used as both the host name and the user name in the /etc/hosts.equiv file, as follows:

+@goodguys   +@goodguys

The first occurrence of it is read for the host name, and the second occurrence is read for the user name. No relationship exists between the host and user in any of the triples. For example, user jane may not even have an account on host sage.

A netgroup can contain other netgroups, as in the following example:

root-users (dill,-, ) (sage,-, ) (thyme,-, ) (basil,-, )
mail-users (rosemary, , ) (oregano, , ) root-users

The root-users netgroup is a group of four systems. The mail-users netgroup uses the root-users netgroup as part of a larger group of systems. The blank space in the third field of each triple indicates that the netgroup is valid in any NIS domain.

Using Netgroups in Configuration Files

Netgroups may be used in the following files:

  • /etc/dfs/dfstab, in the ro=, rw=, and root= access lists of a share entry

  • /etc/hosts.equiv or $HOME/.rhosts, in place of a host name or user name

  • /etc/passwd, to instruct processes whether to look in the NIS password database for information about the users in the netgroup

  • /etc/group, to instruct processes whether to look in the NIS group database for information about the users in the netgroup

The following sections explain how to use netgroups in configuration files.

Using Netgroups in the /etc/dfs/dfstab File

In the /etc/dfs/dfstab file, netgroups can be used in the list of NFS clients given with the ro=, rw=, or root= option of a share entry, as in the following example:

share -F nfs -o rw="mail_clients" -d "home dirs"  /home

The mail_clients netgroup is defined, as follows:

mail_clients (cauliflower, , ) (broccoli, , ) (cabbage, , )

Only the host names from the netgroup are used. If the netgroup also contains user names, these are ignored. This netgroup is valid in any NIS domain, because the third field in each triple is left blank.
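The following Python script is an added example, not code from this guide or from HP-UX. It implements the matching rules described in this section (a blank field matches any value, a dash matches none, the NIS_domain field is checked only on a server running NIS, and a bare name inside a netgroup is a nested netgroup), and then audits constructed /etc/dfs/dfstab share entries for netgroups that admit every host because of a blank host field, which is the mistake the administrators netgroup illustrates above. The file contents, the administrators_safe netgroup, the share lines and the probe host name are constructed for the example; the colon-separated, optionally quoted access-list syntax is assumed from share_nfs(1M).

```python
"""Added example (not HP-UX code): netgroup matching and a dfstab access-list audit."""
import re
from typing import Dict, List, Optional, Set, Tuple, Union

Triple = Tuple[Optional[str], Optional[str], Optional[str]]  # None = blank (wildcard) field
Member = Union[Triple, str]                                   # str = nested netgroup name

# Constructed /etc/netgroup contents, assembled from the netgroups used in this section.
NETGROUP_FILE = """\
myfriends (sage,-,bldg1) (cauliflower,-,bldg2) (pear,-,bldg3)
mydomain (,,bldg1)
trusted_hosts (sage, , ) (basil, , ) (thyme, , )
administrators ( ,jane, ) ( ,art, ) ( ,mel, )
administrators_safe (-,jane, ) (-,art, ) (-,mel, )
root-users (dill,-, ) (sage,-, ) (thyme,-, ) (basil,-, )
mail-users (rosemary, , ) (oregano, , ) root-users
mail_clients (cauliflower, , ) (broccoli, , ) (cabbage, , )
"""

# Constructed /etc/dfs/dfstab; the /usr share makes the blank-host-field mistake.
DFSTAB_FILE = """\
share -F nfs -o rw="mail_clients" -d "home dirs" /home
share -F nfs -o ro=trusted_hosts,rw=administrators /usr
share -F nfs -o rw=mail_clients:basil,root=administrators_safe /var/mail
"""

TRIPLE_RE = re.compile(r"\(([^()]*)\)")
# share_nfs access lists: opt=list, ':'-separated and optionally quoted (assumed syntax)
OPT_RE = re.compile(r'\b(ro|rw|root)="?([^",\s]+)"?')

def parse_netgroup_file(text: str) -> Dict[str, List[Member]]:
    """Parse netgroup lines into {name: [members]}; bare words between triples are
    nested netgroup names. Blank fields become None, a dash stays '-'."""
    groups: Dict[str, List[Member]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, body = parts[0], (parts[1] if len(parts) > 1 else "")
        members: List[Member] = []
        pos = 0
        for m in TRIPLE_RE.finditer(body):
            members += body[pos:m.start()].split()
            fields = [f.strip() for f in m.group(1).split(",")]
            if len(fields) != 3:
                raise ValueError(f"{name}: malformed triple ({m.group(1)})")
            members.append((fields[0] or None, fields[1] or None, fields[2] or None))
            pos = m.end()
        members += body[pos:].split()
        groups[name] = members
    return groups

def _field_ok(field: Optional[str], value: str) -> bool:
    if field is None:   # blank: any value matches
        return True
    if field == "-":    # dash: nothing matches
        return False
    return field == value

def innetgr(groups, name, host=None, user=None, domain=None, _seen=None) -> bool:
    """innetgr(3)-style test. An argument left as None is not checked, like a NULL
    pointer to innetgr(); domain=None therefore models a server that is not running
    NIS and ignores the NIS_domain field entirely."""
    if _seen is None:
        _seen = set()
    if name in _seen:       # a netgroup that contains itself must not recurse forever
        return False
    _seen.add(name)
    for member in groups.get(name, []):
        if isinstance(member, str):
            if innetgr(groups, member, host, user, domain, _seen):
                return True
            continue
        h, u, d = member
        if host is not None and not _field_ok(h, host):
            continue
        if user is not None and not _field_ok(u, user):
            continue
        if domain is not None and not _field_ok(d, domain):
            continue
        return True
    return False

PROBE_HOST = "no-such-host.invalid"   # constructed name that no triple lists explicitly

def wildcard_host_shares(dfstab: str, groups) -> List[Tuple[str, str, str]]:
    """Audit: (path, option, netgroup) for each ro=/rw=/root= entry naming a netgroup
    that matches every host, i.e. one with a blank host field in its (nested) triples."""
    findings: List[Tuple[str, str, str]] = []
    for raw in dfstab.splitlines():
        line = raw.strip()
        if not line.startswith("share"):
            continue
        path = line.split()[-1]
        for opt, lst in OPT_RE.findall(line):
            for entry in lst.split(":"):
                if entry in groups and innetgr(groups, entry, host=PROBE_HOST):
                    findings.append((path, opt, entry))
    return findings

if __name__ == "__main__":
    G = parse_netgroup_file(NETGROUP_FILE)
    print("dill in mail-users via nesting:", innetgr(G, "mail-users", host="dill"))
    for path, opt, ng in wildcard_host_shares(DFSTAB_FILE, G):
        print(f"WARNING: {path} {opt}={ng} admits any host (blank host field)")
```

The audit probes each netgroup with a host name that no triple could list; if innetgr() still matches, only a blank host field can have made it do so, and that share is open to every client. Run the same probe against your real /etc/netgroup before trusting a netgroup in a ro=, rw= or root= list.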

Using Netgroups in the /etc/hosts.equiv or $HOME/.rhosts File

In the /etc/hosts.equiv file, or in a .rhosts file in a user’s home directory, netgroups can be used in either the host name field or the user name field, as in the following example:

+@our_friends   +@our_friends

The netgroup our_friends can be used both as host name and user name, because it includes both host names and user names. This can be illustrated in the following example:

our_friends (sage,sara, ) (sage,eric, ) (dill,-, ) ( ,monica, )

The blank host name field in the fourth triple serves as a wildcard. Because the host name check and the user name check are made independently, it allows every user listed in the netgroup (sara, eric, and monica), not only monica, to log in from any host on the network without supplying a password. Only the users listed in the netgroup are given this privileged access, because each user name field contains either a user name or a dash.

Netgroups can also be used to deny privileged access to certain hosts or users in the /etc/hosts.equiv or $HOME/.rhosts file, as in the following example:

+   -@vandals

The plus (+) sign is a wildcard in the /etc/hosts.equiv or $HOME/.rhosts file syntax, allowing privileged access from any host in the network. The netgroup vandals is defined as follows:

vandals ( ,pat, ) ( ,harriet, ) ( ,reed, )

All users except those listed in the vandals netgroup can log in to the local system without supplying a password from any system in the network.

CAUTION: Users who are denied privileged access in the /etc/hosts.equiv file can be granted privileged access in a user’s $HOME/.rhosts file. The $HOME/.rhosts file is read after the /etc/hosts.equiv file and overrides it.

For more information, see hosts.equiv(4).

Using Netgroups in the /etc/passwd File

In the /etc/passwd file, netgroups can be used to indicate whether user information must be looked up in the NIS passwd database.

The following sample entry from the /etc/passwd file indicates that users in the netgroup animals must be looked up in the NIS passwd database:

+@animals

The animals netgroup is defined in the /etc/netgroup file, as follows:

animals (-,mickey, ) (-,daffy, ) (-,porky, ) (-,bugs, )

The /etc/passwd file is searched sequentially. As a result, if an entry for user mickey, daffy, porky, or bugs appears before the +@animals entry in the /etc/passwd file, that local entry is used and the NIS database is not consulted for information on that user.

Netgroups can also be used to prevent lookups of certain users in the NIS passwd database. The following sample entries from the /etc/passwd file indicate that if the NIS passwd database contains entries for users in the bears netgroup, these entries cannot be used on the local system. Any other user can be looked up in the NIS database.

-@bears

For more information on NIS, see NIS Administrator’s Guide (5991-7656).

For information on the /etc/passwd file, see passwd(4).

Using Netgroups in the /etc/group File

In the /etc/group file, netgroups can be used to indicate whether group information about certain users must be looked up in the NIS group database.

The following sample entry from the /etc/group file indicates that group information for users in the netgroup animals can be found in the NIS group database:

+@animals

The animals netgroup is defined in the /etc/netgroup file, as follows:

animals (-,mickey, ) (-,daffy, ) (-,porky, ) (-,bugs, )

Members of the animals netgroup can belong to groups listed in the local /etc/group file as well as in the NIS group database. The following entries in the /etc/group file give users bugs and daffy membership in the group wiseguys and in any group in the NIS database that includes them as members:

wiseguys::22:bugs,daffy 
+@animals

Netgroups can also be used in the /etc/group file to prevent lookups for certain users. The bears netgroup is defined in the /etc/netgroup file, as follows:

bears (-,yogi, ) (-,smokey, ) (-,pooh, )

The following entries in the /etc/group file allow user pooh membership in the group teddybears, but not in any other group listed in the NIS database or after the -@bears entry in the /etc/group file:

teddybears::23:pooh,paddington
-@bears
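The following Python script is an added example, not code from this guide or from HP-UX. It walks constructed /etc/passwd and /etc/group files in the sequential order described in the two preceding sections and shows how a local entry placed before +@animals shadows the NIS entry, how -@bears blocks the NIS entry for pooh, and how a -@ entry in /etc/group ends the search so that later groups are not added. The netgroup membership, the NIS maps and the local file contents are all constructed for the example.

```python
"""Added example (not HP-UX code): +@netgroup and -@netgroup entries in /etc/passwd
and /etc/group, evaluated in the sequential order the files are read."""
from typing import Dict, Optional, Set

# Constructed user netgroups; the host field is '-' in the text, so only users matter here.
NETGROUPS: Dict[str, Set[str]] = {
    "animals": {"mickey", "daffy", "porky", "bugs"},
    "bears": {"yogi", "smokey", "pooh"},
}

# Constructed NIS passwd and group maps (stand-ins for what ypcat would return).
NIS_PASSWD: Dict[str, str] = {
    "mickey": "mickey:x:1001:100:NIS Mickey:/home/mickey:/usr/bin/sh",
    "daffy": "daffy:x:1002:100:Daffy:/home/daffy:/usr/bin/sh",
    "pooh": "pooh:x:2001:200:Pooh:/home/pooh:/usr/bin/sh",
}
NIS_GROUP: Dict[str, Set[str]] = {        # group name -> members
    "toons": {"mickey", "daffy", "bugs"},
    "honeylovers": {"pooh", "yogi"},
}

# Constructed local files, built from the entries shown in the text.
LOCAL_PASSWD = """\
root:x:0:3::/:/sbin/sh
mickey:x:5005:20:Local Mickey:/home/mickey:/usr/bin/sh
+@animals
-@bears
"""
LOCAL_GROUP = """\
wiseguys::22:bugs,daffy
+@animals
teddybears::23:pooh,paddington
-@bears
"""

def _in_netgroup(entry: str, user: str) -> bool:
    """True if a '+@name' or '-@name' entry names a netgroup containing user."""
    return user in NETGROUPS.get(entry[2:], set())

def passwd_lookup(passwd_text: str, user: str) -> Optional[str]:
    """Entry that a sequential read of /etc/passwd yields for user, or None.
    A local entry found first wins and NIS is never consulted for that user."""
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+@"):
            if _in_netgroup(line, user) and user in NIS_PASSWD:
                return NIS_PASSWD[user]
        elif line.startswith("-@"):
            if _in_netgroup(line, user):
                return None                   # excluded: the NIS entry may not be used
        elif line == "+":
            if user in NIS_PASSWD:
                return NIS_PASSWD[user]
        elif line.split(":", 1)[0] == user:
            return line
    return None

def groups_for(group_text: str, user: str) -> Set[str]:
    """Groups user belongs to after a sequential read of /etc/group; a -@netgroup entry
    that matches ends the search, so later local and NIS groups are not added."""
    found: Set[str] = set()
    for raw in group_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "+" or line.startswith("+@"):
            if line == "+" or _in_netgroup(line, user):
                found |= {g for g, members in NIS_GROUP.items() if user in members}
        elif line.startswith("-@"):
            if _in_netgroup(line, user):
                break
        else:
            fields = line.split(":")
            if len(fields) == 4 and user in fields[3].split(","):
                found.add(fields[0])
    return found

if __name__ == "__main__":
    for u in ("mickey", "daffy", "pooh", "porky"):
        print(u, "->", passwd_lookup(LOCAL_PASSWD, u))
    for u in ("bugs", "pooh", "yogi"):
        print(u, "groups:", sorted(groups_for(LOCAL_GROUP, u)))
```

Because both files are read top to bottom, the order of +@ and -@ entries relative to the local entries is what decides the outcome; when reviewing a system, check that a -@ exclusion is not placed after a +@ or + entry that already admitted the same users.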

For more information on NIS, see NIS Administrator’s Guide (5991-7656).

For information on the /etc/group file, see group(4).

© 2007 Hewlett-Packard Development Company, L.P.