Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Apropos / Subsearch:
optional field

netgroup(4)                      File Formats                      netgroup(4)

       netgroup - list of network groups


       A  netgroup defines a network-wide group of hosts and users. Use a net-
       group to restrict access to shared  NFS  filesystems  and  to  restrict
       remote login and shell access.

       Network  groups  are  stored in a network information services, such as
       LDAP, NIS, or NIS+, not in a local file.

       This manual page describes the format for a file that is used to supply
       input  to  a  program  such as ldapaddent(1M) for LDAP, makedbm(1M) for
       NIS, or nisaddent(1M) for NIS+.  These programs build  maps  or  tables
       used by their corresponding network information services.

       Each  line  of  the  file  defines the name and membership of a network
       group. The line should have the format:

       groupname     member ...

       The items on a line can be separated by a combination of  one  or  more
       spaces or tabs.

       The  groupname is the name of the group being defined. This is followed
       by a list of members of the group. Each member is either another  group
       name,  all  of  whose  members  are  to  be included in the group being
       defined, or a triple of the form:


       In each triple, any of the three fields hostname, username, and domain-
       name,  can  be  empty. An empty field signifies a wildcard that matches
       any value in that field. Thus:

       everything (,,this.domain)

       defines a group named "everything"  for  the  domain  "this.domain"  to
       which every host and user belongs.

       The domainname field refers to the domain in which the triple is valid,
       not the domain containing the host or user. In fact, applications using
       netgroup generally do not check the the domainname. Therefore, using


       is equivalent to


       You   can   also  use  netgroups  to  control  NFS  mount  access  (see
       share_nfs(1M)) and to  control  remote  login  and  shell  access  (see
       hosts.equiv(4)).  You  can  also use them to control local login access
       (see passwd(4), shadow(4), and compat in nsswitch.conf(4)).

       When used for these purposes, a host is considered a member of  a  net-
       group  if  the netgroup contains any triple in which the hostname field
       matches the name of the host requesting access and the domainname field
       matches the domain of the host controlling access.

       Similarly,  a user is considered a member of a netgroup if the netgroup
       contains any triple in which the username field matches the name of the
       user  requesting  access and the domainname field matches the domain of
       the host controlling access.

       Note that when netgroups are used to control NFS mount  access,  access
       is granted depending only on whether the requesting host is a member of
       the netgroup. Remote login and shell access can be controlled  both  on
       the basis of host and user membership in separate netgroups.

       /etc/netgroup           Used by a network information service's utility
                               to construct a map or table that contains  net-
                               group  information. For example, ldapaddent(1M)
                               uses /etc/netgroup to construct  an  LDAP  con-

       Note  that  the netgroup information must always be stored in a network
       information service, such as LDAP, NIS, or NIS+. The local file is only
       used  to  construct a map or table for the network information service.
       It is never consulted directly.

       nis+(1),  ldapaddent(1M),  makedbm(1M),  nisaddent(1M),  share_nfs(1M),
       innetgr(3C),  hosts(4),  hosts.equiv(4),  nsswitch.conf(4),  passwd(4),

       netgroup requires a network information service such as LDAP,  NIS,  or

       Applications  may  make  general  membership  tests using the innetgr()
       function. See innetgr(3C).

       Because the "-" character will not match any specific username or host-
       name,  it  is commonly used as a placeholder that will match only wild-
       carded membership queries. So, for example:

       onlyhosts (host1,-,our.domain) (host2,-,our.domain)
       onlyusers (-,john,our.domain) (-,linda,our.domain)

       effectively define netgroups containing  only  hosts  and  only  users,
       respectively.  Any  other  string  that is guaranteed not to be a legal
       username or hostname will also suffice for this purpose.

       Use of placeholders will improve search performance.

       When a machine with multiple interfaces and multiple names  is  defined
       as  a  member  of  a  netgroup,  one  must  list  all of the names. See
       hosts(4). A manageable way to do this is to define a netgroup  contain-
       ing  all  of  the machine names. For example, for a host "gateway" that
       has names "gateway-subnet1" and "gateway-subnet2" one  may  define  the

       gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)

       and  use this netgroup "gateway" whenever the host is to be included in
       another netgroup.

SunOS 5.10                        22 Jul 2004                      netgroup(4)