nisopaccess(1)                   User Commands                  nisopaccess(1)

       nisopaccess - NIS+ operation access control administration command

       nisopaccess [-v] directory operation rights

       nisopaccess [-v] [-r] directory operation

       nisopaccess [-v] [-l] directory [operation]

       Most  NIS+  operations  have implied access control through the permis-
       sions on the objects that they manipulate. For example,   in  order  to
       read  an entry in a table, you must have read permission on that entry.
       However, some NIS+ operations by default perform no access checking  at
       all and are allowed to all:

       Operation               Example of commands that use the operation

       NIS_CHECKPOINT          nisping -C

       NIS_CPTIME              nisping, rpc.nisd

       NIS_MKDIR               nismkdir

       NIS_PING                nisping,  rpc.nisd

       NIS_RMDIR               nisrmdir

       NIS_SERVSTATE           nisbackup,   nisrestore

       NIS_STATUS              nisstat, rpc.nispasswdd

       The  nisopaccess command can be used to enforce access control on these
       operations on a per NIS+ directory basis.

       The directory argument should be the fully  qualified  name,  including
       the  trailing  dot,  of the NIS+ directory to which nisopaccess will be
       applied. As a short-hand method, if the directory name does not end  in
       a  trailing  dot,  for  example  "org_dir",  then  the  domain  name is
       appended. The domain name is also appended to  partial  paths  such  as

       You  can  use  upper or lower case for the operation argument. However,
       you cannot mix cases. The "NIS_"  prefix may be omitted.  For  example,
       NIS_PING can be specified as  NIS_PING, nis_ping, PING, or ping.

       The  rights  argument  is  specified  in the format defined by the nis-
       chmod(1) command. Since only the read ("r") rights are used to   deter-
       mine who has the right to perform the operation,  the modify and delete
       rights may be used to control who can change  access to the operation.

       The access checking performed for each operation is as   follows.  When
       an  operation requires  access be checked on all  directories served by
       its rpc.nisd(1M), access is denied if even one of the directories  pro-
       hibits the operation.

       NIS_CHECKPOINT          Check  specified  directory, or all directories
                               if there is no directory argument,  as  is  the
                               case  when  NIS_CHECKPOINT  is  issued  by  the
                               "nisping -Ca"  command.  Return  NIS_PERMISSION
                               when access is denied.

       NIS_CPTIME              Check  specified  directory.  It returns 0 when
                               access  is denied.

       NIS_MKDIR               Check parent of  specified  directory.  Returns
                               NIS_PERMISSION when access is denied.

                               If   the  parent  directory  is  not  available
                               locally, that is, it  is  not  served  by  this
                               rpc.nisd(1M),  NIS_MKDIR  access   is  allowed,
                               though the operation will be executed  only  if
                               this  rpc.nisd is a known replica of the direc-

                               You should note that  the  NIS_MKDIR  operation
                               does  not  create   a NIS+ directory; it adds a
                               directory  to  the  serving   list   for   this
                               rpc.nisd, if appropriate.

       NIS_PING                Check specified directory. No return value.

       NIS_RMDIR               Check  specified  directory.  NIS_PERMISSION is
                               returned when access is denied.

                               The NIS_RMDIR operation does not remove a  NIS+
                               directory;  it  deletes  the directory from the
                               serving list for this rpc.nisd, if appropriate.

       NIS_SERVSTATE           Check access on all directories served by  this
                               rpc.nisd.  If  access  is  denied  for  a  tag,
                               "<permission denied>" is  returned  instead  of
                               the tag

       NIS_STATUS              Same as for NIS_SERVSTATE.

       Notice that older clients may not supply authentication information for
       some of the operations listed  above.  These  clients  are  treated  as
       "nobody" when access checking is performed.

       The  access  control  is  implemented  by creating a NIS+ table  called
       "proto_op_access" in each  NIS+  directory  to  which   access  control
       should  be applied. The table can be manipulated using normal NIS+ com-
       mands. However, nisopaccess is the only supported  interface  for  NIS+
       operation access control.

       The following options are supported:

       -l       List  the  access  control  for a single operation, or for all
                operations that have access control enabled.

       -r       Remove access control for a certain operation on  the   speci-
                fied directory.

       -v       Verbose mode.

       Example 1: Enabling  Access Control for the NIS_PING Operation

       To    enable   access   control   for   the   NIS_PING   operation   on
       "org_dir.`domainname`." such that only the owner of the  directory  can
       perform a NIS_PING, or change the NIS_PING rights:

       example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=

       Example 2: Listing the Access to NIS_PING

       To list the access to the NIS_PING operation for org_dir:

       example% nisopaccess -l org_dir NIS_PING

       NIS_PING    ----rmcd--------    owner.dom.ain.  group.dom.ain.

       Example 3: Removing Access Control for NIS_PING

       To remove access control for NIS_PING on org_dir:

       example% nisopaccess -r org_dir NIS_PING
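
       The rules above (only the read right decides who may perform an
       operation, operations with no entry are allowed to all, and older
       unauthenticated clients are checked as "nobody") can be audited from
       a listing. The script below is an added example, not part of the
       original manual page or of Solaris: audit_opaccess and sample_listing
       are hypothetical names, and it assumes "nisopaccess -l" prints one
       line per operation in the Example 2 format, with the rights field
       ordered nobody, owner, group, world.

```shell
#!/bin/sh
# Added example: audit a `nisopaccess -l <directory>` listing.
# Assumption: each listed operation is one line in the format of Example 2,
#   OPERATION  RIGHTS(16 chars: nobody,owner,group,world)  OWNER  GROUP
OPS="NIS_CHECKPOINT NIS_CPTIME NIS_MKDIR NIS_PING NIS_RMDIR NIS_SERVSTATE NIS_STATUS"

# Reads a listing on stdin; prints "OPERATION verdict" for all seven operations.
audit_opaccess() {
    awk -v ops="$OPS" '
    BEGIN { n = split(ops, want, " ") }
    NF >= 2 && length($2) == 16 {
        op = toupper($1)
        if (op !~ /^NIS_/) op = "NIS_" op      # the NIS_ prefix may be omitted
        nobody = substr($2, 1, 4); world = substr($2, 13, 4)
        # Only the read right decides who may perform the operation.
        if (index(nobody, "r"))      v = "open-to-nobody"
        else if (index(world, "r"))  v = "open-to-world"
        else                         v = "restricted"
        # Modify/delete rights decide who may change the control itself.
        if ((nobody world) ~ /[md]/) v = v ",control-writable"
        verdict[op] = v
    }
    END {
        # An operation with no entry has no access checking: allowed to all.
        for (i = 1; i <= n; i++)
            print want[i], ((want[i] in verdict) ? verdict[want[i]] : "no-access-control")
    }'
}

# Constructed sample listing (not output captured from a real server).
sample_listing() {
    cat <<'EOF'
NIS_PING        ----rmcd--------    owner.dom.ain.  group.dom.ain.
NIS_MKDIR       r---rmcd--------    owner.dom.ain.  group.dom.ain.
NIS_STATUS      ----rmcdr---rm--    owner.dom.ain.  group.dom.ain.
EOF
}

# On a NIS+ host: nisopaccess -l org_dir | audit_opaccess
sample_listing | audit_opaccess
```

       Any line reporting no-access-control, open-to-nobody or
       control-writable marks an operation that unauthenticated or arbitrary
       principals can still perform or reconfigure.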

       The following exit values are returned:

       0               Successful operation.

       other           Operation failed. The status is usually the return sta-
                       tus from a NIS+ command such as nistbladm.

       See attributes(5)  for descriptions of the following attributes:

       ATTRIBUTE TYPE          ATTRIBUTE VALUE

       Availability            SUNWnisu

       nis+(1), nischmod(1), nistbladm(1), rpc.nisd(1M), attributes(5)

       NIS+ might not be supported  in  future  releases  of  the  Solaris(TM)
       Operating Environment. Tools to aid the migration from NIS+ to LDAP are
       available in the Solaris 9 operating environment. For more information,
       visit http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.10                        10 Dec 2001                   nisopaccess(1)