nisopaccess - NIS+ operation access control administration
nisopaccess [-v] directory operation rights
nisopaccess [-v] [-r] directory operation
nisopaccess [-v] [-l] directory [operation]
Most NIS+ operations have implied access control through the
permissions on the objects that they manipulate. For exam-
ple, in order to read an entry in a table, you must have
read permission on that entry. However, some NIS+ operations
by default perform no access checking at all and are allowed
Example of commands that use the operation
The nisopaccess command can be used to enforce access con-
trol on these operations on a per NIS+ directory basis.
The directory argument should be the fully qualified name,
including the trailing dot, of the NIS+ directory to which
nisopaccess will be applied. As a short-hand method, if the
directory name does not end in a trailing dot, for example
"org_dir", then the domain name is appended. The domain name
is also appended to partial paths such as "org_dir.xyz".
You can use upper or lower case for the operation argument.
However, you cannot mix cases. The "NIS_" prefix may be
omitted. For example, NIS_PING can be specified as
NIS_PING, nis_ping, PING, or ping.
The rights argument is specified in the format defined by
the nischmod(1) command. Since only the read ("r") rights
are used to determine who has the right to perform the
operation, the modify and delete rights may be used to con-
trol who can change access to the operation.
The access checking performed for each operation is as fol-
lows. When an operation requires access be checked on all
directories served by its rpc.nisd(1M), access is denied if
even one of the directories prohibits the operation.
Check specified directory, or all directories if
there is no directory argument, as is the case
when NIS_CHECKPOINT is issued by the "nisping
-Ca" command. Return NIS_PERMISSION when access
Check specified directory. It returns 0 when
access is denied.
Check parent of specified directory. Returns
NIS_PERMISSION when access is denied.
If the parent directory is not available locally,
that is, it is not served by this rpc.nisd(1M),
NIS_MKDIR access is allowed, though the opera-
tion will be executed only if this rpc.nisd is a
known replica of the directory.
You should note that the NIS_MKDIR operation does
not create a NIS+ directory; it adds a directory
to the serving list for this rpc.nisd, if
Check specified directory. No return value.
Check specified directory. NIS_PERMISSION is
returned when access denied.
The NIS_RMDIR operation does not remove a NIS+
directory; it deletes the directory from the
serving list for this rpc.nisd, if appropriate.
Check access on all directories served by this
rpc.nisd. If access is denied for a tag, "<per-
mission denied>" is returned instead of the tag
Same as for NIS_SERVSTATE.
Notice that older clients may not supply authentication
information for some of the operations listed above. These
clients are treated as "nobody" when access checking is per-
The access control is implemented by creating a NIS+ table
called "proto_op_access" in each NIS+ directory to which
access control should be applied. The table can be manipu-
lated using normal NIS+ commands. However, nisopaccess is
the only supported interface for NIS+ operation access con-
The following options are supported:
-l List the access control for a single operation,
or for all operations that have access control
-r Remove access control for a certain operation on
the specified directory.
-v Verbose mode.
Example 1: Enabling Access Control for the NIS_PING Opera-
To enable access control for the NIS_PING operation on
"org_dir.`domainname`." such that only the owner of the
directory can perform a NIS_PING, or change the NIS_PING
example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=
Example 2: Listing the Access to NIS_PING
To list the access to the NIS_PING operation for org_dir:
example% nisopaccess -l org_dir NIS_PING
NIS_PING ----rmcd-------- owner.dom.ain. group.dom.ain.
Example 3: Removing Access Control for NIS_PING
To remove access control for NIS_PING on org_dir:
example% nisopaccess -r org_dir NIS_PING
The following exit values are returned:
0 Successful operation.
other Operation failed. The status is usually the return
status from a NIS+ command such as nistbladm.
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWnisu |
nis+(1), nischmod(1), nistbladm(1), rpc.nisd(1M), attri-
NIS+ might not be supported in future releases of the
SolarisTM Operating Environment. Tools to aid the migration
from NIS+ to LDAP are available in the Solaris 9 operating
environment. For more information, visit
Man(1) output converted with