netgroup(4) File Formats netgroup(4)
netgroup - list of network groups
A netgroup defines a network-wide group of hosts and users. Use a net-
group to restrict access to shared NFS filesystems and to restrict
remote login and shell access.
Network groups are stored in a network information services, such as
LDAP, NIS, or NIS+, not in a local file.
This manual page describes the format for a file that is used to supply
input to a program such as ldapaddent(1M) for LDAP, makedbm(1M) for
NIS, or nisaddent(1M) for NIS+. These programs build maps or tables
used by their corresponding network information services.
Each line of the file defines the name and membership of a network
group. The line should have the format:
groupname member ...
The items on a line can be separated by a combination of one or more
spaces or tabs.
The groupname is the name of the group being defined. This is followed
by a list of members of the group. Each member is either another group
name, all of whose members are to be included in the group being
defined, or a triple of the form:
In each triple, any of the three fields hostname, username, and domain-
name, can be empty. An empty field signifies a wildcard that matches
any value in that field. Thus:
defines a group named "everything" for the domain "this.domain" to
which every host and user belongs.
The domainname field refers to the domain in which the triple is valid,
not the domain containing the host or user. In fact, applications using
netgroup generally do not check the the domainname. Therefore, using
is equivalent to
You can also use netgroups to control NFS mount access (see
share_nfs(1M)) and to control remote login and shell access (see
hosts.equiv(4)). You can also use them to control local login access
(see passwd(4), shadow(4), and compat in nsswitch.conf(4)).
When used for these purposes, a host is considered a member of a net-
group if the netgroup contains any triple in which the hostname field
matches the name of the host requesting access and the domainname field
matches the domain of the host controlling access.
Similarly, a user is considered a member of a netgroup if the netgroup
contains any triple in which the username field matches the name of the
user requesting access and the domainname field matches the domain of
the host controlling access.
Note that when netgroups are used to control NFS mount access, access
is granted depending only on whether the requesting host is a member of
the netgroup. Remote login and shell access can be controlled both on
the basis of host and user membership in separate netgroups.
/etc/netgroup Used by a network information service's utility
to construct a map or table that contains net-
group information. For example, ldapaddent(1M)
uses /etc/netgroup to construct an LDAP con-
Note that the netgroup information must always be stored in a network
information service, such as LDAP, NIS, or NIS+. The local file is only
used to construct a map or table for the network information service.
It is never consulted directly.
nis+(1), ldapaddent(1M), makedbm(1M), nisaddent(1M), share_nfs(1M),
innetgr(3C), hosts(4), hosts.equiv(4), nsswitch.conf(4), passwd(4),
netgroup requires a network information service such as LDAP, NIS, or
Applications may make general membership tests using the innetgr()
function. See innetgr(3C).
Because the "-" character will not match any specific username or host-
name, it is commonly used as a placeholder that will match only wild-
carded membership queries. So, for example:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only users,
respectively. Any other string that is guaranteed not to be a legal
username or hostname will also suffice for this purpose.
Use of placeholders will improve search performance.
When a machine with multiple interfaces and multiple names is defined
as a member of a netgroup, one must list all of the names. See
hosts(4). A manageable way to do this is to define a netgroup contain-
ing all of the machine names. For example, for a host "gateway" that
has names "gateway-subnet1" and "gateway-subnet2" one may define the
gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
and use this netgroup "gateway" whenever the host is to be included in
SunOS 5.10 22 Jul 2004 netgroup(4)