netgroup(4)
NAME
netgroup - list of network groups
SYNOPSIS
/etc/netgroup
DESCRIPTION
A netgroup defines a network-wide group of hosts and users.
Use a netgroup to restrict access to shared NFS filesystems
and to restrict remote login and shell access.
Network groups are stored in a network information services,
such as LDAP, NIS, or NIS+, not in a local file.
This manual page describes the format for a file that is
used to supply input to a program such as ldapaddent(1M) for
LDAP, makedbm(1M) for NIS, or nisaddent(1M) for NIS+. These
programs build maps or tables used by their corresponding
network information services.
Each line of the file defines the name and membership of a
network group. The line should have the format:
groupname member ...
The items on a line may be separated by a combination of one
or more spaces or tabs.
The groupname is the name of the group being defined. This
is followed by a list of members of the group. Each member
is either another group name, all of whose members are to be
included in the group being defined, or a triple of the
form:
(hostname,username,domainname)
In each triple, any of the three fields hostname, username,
and domainname, can be empty. An empty field signifies a
wildcard that matches any value in that field. Thus:
everything (,,this.domain)
defines a group named "everything" for the domain
"this.domain" to which every host and user belongs.
The domainname field refers to the domain in which the tri-
ple is valid, not the domain containing the host or user. In
fact, applications using netgroup generally do not check the
the domainname. Therefore, using
(,,domain)
is equivalent to
(,,)
You can also use netgroups to control NFS mount access (see
share_nfs(1M)) and to control remote login and shell access
(see hosts.equiv(4)). You can also use them to control local
login access (see passwd(4), shadow(4), and compat in
nsswitch.conf(4)).
When used for these purposes, a host is considered a member
of a netgroup if the netgroup contains any triple in which
the hostname field matches the name of the host requesting
access and the domainname field matches the domain of the
host controlling access.
Similarly, a user is considered a member of a netgroup if
the netgroup contains any triple in which the username field
matches the name of the user requesting access and the
domainname field matches the domain of the host controlling
access.
Note that when netgroups are used to control NFS mount
access, access is granted depending only on whether the
requesting host is a member of the netgroup. Remote login
and shell access can be controlled both on the basis of host
and user membership in separate netgroups.
FILES
/etc/netgroup
Used by a network information service's utility to
construct a map or table that contains netgroup infor-
mation. For example, ldapaddent(1M) uses /etc/netgroup
to construct an LDAP container.
Note that the netgroup information must always be stored in
a network information service, such as LDAP, NIS, or NIS+.
The local file is only used to construct a map or table for
the network information service. It is never consulted
directly.
SEE ALSO
nis+(1), ldapaddent(1M), makedbm(1M), nisaddent(1M),
share_nfs(1M), innetgr(3C), hosts(4), hosts.equiv(4),
nsswitch.conf(4), passwd(4), shadow(4)
NOTES
netgroup requires a network information service such as
LDAP, NIS, or NIS+.
Applications may make general membership tests using the
innetgr() function. See innetgr(3C).
Because the "-" character will not match any specific user-
name or hostname, it is commonly used as a placeholder that
will match only wildcarded membership queries. So, for exam-
ple:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only
users, respectively. Any other string that is guaranteed not
to be a legal username or hostname will also suffice for
this purpose.
Use of placeholders will improve search performance.
When a machine with multiple interfaces and multiple names
is defined as a member of a netgroup, one must list all of
the names. See hosts(4). A manageable way to do this is to
define a netgroup containing all of the machine names. For
example, for a host "gateway" that has names "gateway-
subnet1" and "gateway-subnet2" one may define the netgroup:
gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
and use this netgroup "gateway" whenever the host is to be
included in another netgroup.
Man(1) output converted with
man2html