netgroup(4)




NAME

     netgroup - list of network groups


SYNOPSIS

     /etc/netgroup


DESCRIPTION

     A netgroup defines a network-wide group of hosts and  users.
     Use  a netgroup to restrict access to shared NFS filesystems
     and to restrict remote login and shell access.

     Network groups are stored in a network information  service,
     such as LDAP, NIS, or NIS+, not in a local file.

     This manual page describes the format for  a  file  that  is
     used to supply input to a program such as ldapaddent(1M) for
     LDAP, makedbm(1M) for NIS, or nisaddent(1M) for NIS+.  These
     programs  build  maps  or tables used by their corresponding
     network information services.

     Each line of the file defines the name and membership  of  a
     network group. The line should have the format:

     groupname     member ...

     The items on a line may be separated by a combination of one
     or more spaces or tabs.

     The groupname is the name of the group being  defined.  This
     is  followed  by a list of members of the group. Each member
     is either another group name, all of whose members are to be
     included  in  the  group  being  defined, or a triple of the
     form:

     (hostname,username,domainname)

     In each triple, any of the three fields hostname,  username,
     and  domainname,  can  be  empty. An empty field signifies a
     wildcard that matches any value in that field. Thus:

     everything (,,this.domain)

     defines  a  group  named   "everything"   for   the   domain
     "this.domain" to which every host and user belongs.

     The domainname field refers to the domain in which the  tri-
     ple is valid, not the domain containing the host or user. In
     fact, applications using netgroup generally do not check the
     domainname. Therefore, using

     (,,domain)

     is equivalent to

     (,,)

     You can also use netgroups to control NFS mount access  (see
     share_nfs(1M))  and to control remote login and shell access
     (see hosts.equiv(4)). You can also use them to control local
     login  access  (see  passwd(4),  shadow(4),  and  compat  in
     nsswitch.conf(4)).

     When used for these purposes, a host is considered a  member
     of  a  netgroup if the netgroup contains any triple in which
     the hostname field matches the name of the  host  requesting
     access  and  the  domainname field matches the domain of the
     host controlling access.

     Similarly, a user is considered a member of  a  netgroup  if
     the netgroup contains any triple in which the username field
     matches the name of  the  user  requesting  access  and  the
     domainname  field matches the domain of the host controlling
     access.

     Note that when netgroups  are  used  to  control  NFS  mount
     access,  access  is  granted  depending  only on whether the
     requesting host is a member of the netgroup; the username
     field of each triple is ignored. A triple with an empty host-
     name, such as (,john,our.domain), therefore admits every host
     to an NFS export that names the netgroup. Remote login and
     shell access can be controlled both on the basis of host and
     user membership in separate netgroups.


FILES

     /etc/netgroup
           Used by a network  information  service's  utility  to
           construct a map or table that contains netgroup infor-
           mation. For example, ldapaddent(1M) uses /etc/netgroup
           to construct an LDAP container.

     Note that the netgroup information must always be stored  in
     a  network  information service, such as LDAP, NIS, or NIS+.
     The local file is only used to construct a map or table  for
     the  network  information  service.  It  is  never consulted
     directly.


SEE ALSO

     nis+(1),   ldapaddent(1M),    makedbm(1M),    nisaddent(1M),
     share_nfs(1M),    innetgr(3C),   hosts(4),   hosts.equiv(4),
     nsswitch.conf(4), passwd(4), shadow(4)


NOTES

     netgroup requires a  network  information  service  such  as
     LDAP, NIS, or NIS+.

     Applications may make general  membership  tests  using  the
     innetgr() function. See innetgr(3C).

     Because the "-" character will not match any specific  user-
     name  or hostname, it is commonly used as a placeholder that
     will match only wildcarded membership queries. So, for exam-
     ple:

     onlyhosts (host1,-,our.domain) (host2,-,our.domain)
     onlyusers (-,john,our.domain) (-,linda,our.domain)

     effectively define netgroups containing only hosts and  only
     users, respectively. Any other string that is guaranteed not
     to be a legal username or hostname  will  also  suffice  for
     this purpose.

     Use of placeholders will improve search performance.

     When a machine with multiple interfaces and  multiple  names
     is  defined  as a member of a netgroup, one must list all of
     the names. See hosts(4). A manageable way to do this  is  to
     define  a  netgroup containing all of the machine names. For
     example, for a  host  "gateway"  that  has  names  "gateway-
     subnet1" and "gateway-subnet2" one may define the netgroup:

     gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)

     and use this netgroup "gateway" whenever the host is  to  be
     included in another netgroup.
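     The file format described under DESCRIPTION, the host and
     user matching rules, the "-" placeholder, and the nested-
     group technique for multi-homed hosts, worked through in one
     added example. This is not code from the original page or
     from Solaris; it is a parser and an innetgr(3C)-style checker
     written for this page. The sample file, the group "badexport",
     and the function names are assumptions made for illustration.

```python
"""Parse an /etc/netgroup-format file and answer innetgr(3C)-style membership
queries: nested group names, empty (wildcard) fields, the "-" placeholder, and
the host-only check that share_nfs(1M) performs."""

import re
from collections import deque

# Constructed sample input in the format this page describes; not a real
# site's file. "badexport" is deliberately wrong: it was meant to list a user
# but, used as an NFS export list, its empty hostname admits every host.
SAMPLE_NETGROUP = """\
# comment and blank lines are skipped by this parser
everything (,,this.domain)
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
trusted gateway (host3,root,our.domain)
badexport (,john,our.domain)
loop1 loop2
loop2 loop1
"""

# A triple is written without internal whitespace, as in the page's examples.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_netgroup(text):
    """Return {groupname: [member, ...]}; a member is a (host, user, domain)
    tuple for a triple or a str naming another netgroup."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()          # any mix of spaces and tabs
        name, members = fields[0], []
        for tok in fields[1:]:
            m = TRIPLE_RE.match(tok)
            if m:
                members.append(tuple(m.groups()))
            elif "(" in tok or ")" in tok:
                raise ValueError(f"line {lineno}: malformed triple {tok!r}")
            else:
                members.append(tok)    # nested netgroup name
        groups.setdefault(name, []).extend(members)
    return groups


def expand(groups, name):
    """Yield every triple reachable from `name`, following nested groups
    breadth-first and expanding each group once so cycles terminate."""
    seen, queue = set(), deque([name])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if isinstance(member, tuple):
                yield member
            else:
                queue.append(member)


def _field_matches(pattern, value):
    if value is None:   # wildcarded query: the field is not checked at all
        return True
    if pattern == "":   # empty field in the triple: matches any value
        return True
    return pattern == value   # "-" reaches here and matches no real name


def innetgr(groups, netgroup, host=None, user=None, domain=None):
    """Mirror innetgr(3C): None for host/user/domain means "don't care"."""
    return any(
        _field_matches(h, host) and _field_matches(u, user)
        and _field_matches(d, domain)
        for (h, u, d) in expand(groups, netgroup)
    )


def nfs_client_allowed(groups, netgroup, client_host):
    """share_nfs(1M)-style decision: only host membership is consulted, and
    the domain field is not checked (as the page notes most applications do)."""
    return innetgr(groups, netgroup, host=client_host)


def wildcard_host_triples(groups, netgroup):
    """Audit helper: triples with an empty hostname. In a netgroup used for
    NFS export access these admit every host; write "-" instead of leaving
    the hostname blank in a user-only group."""
    return [t for t in expand(groups, netgroup) if t[0] == ""]


if __name__ == "__main__":
    G = parse_netgroup(SAMPLE_NETGROUP)
    for ng in G:
        bad = wildcard_host_triples(G, ng)
        if bad:
            print(f"{ng}: wildcard hostname in {bad}")
    print("host3 may mount 'trusted':", nfs_client_allowed(G, "trusted", "host3"))
    print("anyhost may mount 'badexport':", nfs_client_allowed(G, "badexport", "anyhost"))
```

     Querying "trusted" with the host name "gateway" fails while
     "gateway-subnet2" succeeds, which is the multi-name pitfall
     the nested "gateway" group is meant to solve. Running the
     audit loop over a real file before feeding it to makedbm(1M)
     or ldapaddent(1M) catches user-only groups whose blank host-
     name would open an export to every client.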

