netgroup(4) File Formats netgroup(4) NAME netgroup - list of network groups DESCRIPTION A netgroup defines a network-wide group of hosts and users. Netgroups may be used to restrict access to shared NFS filesystems and for restricting remote login and shell access. Network groups are stored in one of the Network Information Services, either NIS or NIS+, not in a local file. This manual page describes the format for a file that may be used to supply input to the makedbm(1M) or nisaddent(1M) programs that are use to build the NIS map or NIS+ table, respectively. Each line of the file defines the name and membership of network group. The line should have the format: groupname member ... The items on a line may be separated by a combination of one or more spaces or tabs. The groupname is the name of the group being defined. This is followed by a list of members of the group. Each member is either another group name, all of whose members are to be included in the group being defined, or a triple of the form: (hostname,username,domainname) In each triple, any of the three fields hostname, username, and domainname, can be empty. An empty field signifies a "wildcard" matching any value in that field. Thus: everything (,,this.domain) defines a group named "everything" for the domain "this.domain" to which every host and user belongs. The domainname field refers to the domain in which the tri- ple is valid, not the domain containing the host or user. Netgroups can be used to control NFS mount access (see share_nfs(1M)) and to control remote login and shell access (see hosts.equiv(4)). They can also be used to control local login access (see passwd(4), shadow(4), and "compat" in nsswitch.conf(4)). When used for these purposes, a host is considered a member of a netgroup if the netgroup contains any triple in which the hostname field matches the name of the host requesting access and the domainname field matches the domain of the host controlling access. Similarly, a user is considered a member of a netgroup if the netgroup contains any triple in which the username field matches the name of the user requesting access and the domainname field matches the domain of the host controlling access. Note that when netgroups are used to control NFS mount access, access is granted depending only on whether the requesting host is a member of the netgroup. Remote login and shell access can be controlled both on the basis of host and user membership in separate netgroups. FILES /etc/netgroup used by /var/yp/Makefile on NIS masters to build the NIS netgroup map Note that the netgroup information must always be stored in a network information service, either NIS or NIS+. The local file is only used to construct the netgroup NIS maps or NIS+ table; it is never consulted directly. SEE ALSO nis+(1), makedbm(1M), nisaddent(1M), share_nfs(1M), innetgr(3N), hosts.equiv(4), nsswitch.conf(4), passwd(4), shadow(4) NOTES Applications may make general membership tests using the innetgr() function (see innetgr(3N)). Because the "-" character will not match any specific user- name or hostname, it is commonly used as a placeholder that will match only wildcarded membership queries. So, for exam- ple: onlyhosts (host1,-,our.domain) (host2,-,our.domain) onlyusers (-,john,our.domain) (-,linda,our.domain) effectively define netgroups containing only hosts and only users, respectively. Any other string that is guaranteed not to be a legal username or hostname will also suffice for this purpose. When a machine with multiple interfaces and multiple names is defined as a member of a netgroup, one must list all of the names (see hosts(4)). A manageable way to do this is to define a netgroup containing all of the machine names. For example, for a host "gateway" that has names "gateway- subnet1" and "gateway-subnet2" one may define the netgroup: gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain) and use this netgroup gateway whenever the host is to be included in another netgroup. SunOS 5.4 Last change: 8 Aug 1993