NETGROUP(5)            File Formats and Configurations           NETGROUP(5)
NAME
       netgroup - list of network groups
SYNOPSIS
       /etc/netgroup
DESCRIPTION
       A netgroup defines a network-wide group of hosts and users. Use a
       netgroup to restrict access to shared NFS filesystems and to restrict
       remote login and shell access.
       Network groups are usually stored in network information services,
       such as LDAP, or NIS, but may alternatively be stored in the local
       /etc/netgroup file.  The netgroup line of the nsswitch.conf(5) file
       determines which of those sources are used.
       This manual page describes the format for a file that is used to
       supply input to a program such as ldapaddent(8) for LDAP, or
       makedbm(8) for NIS.  The same file format is used in the local
       /etc/netgroup file.
       Each line of the file defines the name and membership of a network
       group. The line should have the format:
         groupname     member...
       The items on a line can be separated by a combination of one or more
       spaces or tabs.
       The groupname is the name of the group being defined. This is
       followed by a list of members of the group. Each member is either
       another group name, all of whose members are to be included in the
       group being defined, or a triple of the form:
         (hostname,username,domainname)
       In each triple, any of the three fields hostname, username, and
       domainname, can be empty. An empty field signifies a wildcard that
       matches any value in that field. Thus:
         everything (,,this.domain)
       defines a group named "everything" for the domain "this.domain" to
       which every host and user belongs.
       The domainname field refers to the domain in which the triple is
       valid, not the domain containing the host or user. In fact,
       applications using netgroup generally do not check the domainname.
       Therefore, using
         (,,domain)
       is equivalent to
         (,,)
       You can also use netgroups to control NFS mount access (see
       share_nfs(8)) and to control remote login and shell access (see
       hosts.equiv(5)). You can also use them to control local login access
       (see passwd(5), shadow(5), and compat in nsswitch.conf(5)).
       When used for these purposes, a host is considered a member of a
       netgroup if the netgroup contains any triple in which the hostname
       field matches the name of the host requesting access and the
       domainname field matches the domain of the host controlling access.
       Similarly, a user is considered a member of a netgroup if the
       netgroup contains any triple in which the username field matches the
       name of the user requesting access and the domainname field matches
       the domain of the host controlling access.
       Note that when netgroups are used to control NFS mount access, access
       is granted depending only on whether the requesting host is a member
       of the netgroup. Remote login and shell access can be controlled both
       on the basis of host and user membership in separate netgroups.
FILES
       /etc/netgroup
                        Used by a network information service's utility to
                        construct a map or table that contains netgroup
                        information. For example, ldapaddent(8) uses
                        /etc/netgroup to construct an LDAP container.
                        Alternatively, the /etc/netgroup file may be used
                        directly if the files source is specified in
                        nsswitch.conf(5) for the netgroup database.
SEE ALSO
       innetgr(3C), hosts(5), hosts.equiv(5), nsswitch.conf(5), passwd(5),
       shadow(5), ldapaddent(8), makedbm(8), share_nfs(8)
NOTES
       Applications may make general membership tests using the innetgr()
       function. See innetgr(3C).
       Because the "-" character will not match any specific username or
       hostname, it is commonly used as a placeholder that will match only
       wildcarded membership queries. So, for example:
         onlyhosts (host1,-,our.domain) (host2,-,our.domain)
         onlyusers (-,john,our.domain) (-,linda,our.domain)
       effectively define netgroups containing only hosts and only users,
       respectively. Any other string that is guaranteed not to be a legal
       username or hostname will also suffice for this purpose.
       Use of placeholders will improve search performance.
       When a machine with multiple interfaces and multiple names is defined
       as a member of a netgroup, one must list all of the names. See
       hosts(5).  A manageable way to do this is to define a netgroup
       containing all of the machine names. For example, for a host
       "gateway" that has names "gateway-subnet1" and "gateway-subnet2" one
       may define the netgroup:
         gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
       and use this netgroup "gateway" whenever the host is to be included
       in another netgroup.
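       The file format and matching rules above, as an added example that
       is not part of the original manual page: Python code that parses
       /etc/netgroup-format text, expands nested groups, models the
       membership test (empty field as wildcard, "-" as placeholder,
       domainname ignored) and lists groups that contain wildcard triples.
       SAMPLE is constructed from the page's examples; the "trusted" group
       and all function names are assumptions.

```python
import re
# Constructed sample in /etc/netgroup format, built from the page's own examples;
# the "trusted" group is hypothetical and added to show nested membership.
SAMPLE = """\
everything (,,this.domain)
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
trusted gateway onlyhosts
"""
TOKEN = re.compile(r"\([^)]*\)|[^\s()]+")

def parse_netgroup(text):
    """Return {groupname: [member, ...]}; a member is a 3-tuple or a group name."""
    groups = {}
    for line in text.splitlines():
        tokens = TOKEN.findall(line)
        if not tokens:
            continue
        members = []
        for tok in tokens[1:]:
            if tok.startswith("("):
                fields = tuple(f.strip() for f in tok[1:-1].split(","))
                if len(fields) != 3:
                    raise ValueError(f"malformed triple {tok!r} in {tokens[0]}")
                members.append(fields)
            else:
                members.append(tok)
        groups[tokens[0]] = members
    return groups

def expand(groups, name, seen=None):
    """Flatten nested groups into triples; 'seen' stops include loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    out = []
    for m in groups.get(name, []):
        out.extend([m] if isinstance(m, tuple) else expand(groups, m, seen))
    return out

def is_member(groups, name, host=None, user=None):
    """Empty field matches anything; None is a wildcarded query; domain ignored."""
    ok = lambda field, want: want is None or field == "" or field == want
    return any(ok(h, host) and ok(u, user) for h, u, _ in expand(groups, name))

def wildcard_groups(groups):
    """Groups in which some triple leaves the host or the user field empty."""
    return sorted(n for n in groups if any("" in t[:2] for t in expand(groups, n)))
```

       Running wildcard_groups() over a netgroup file before it is loaded
       into LDAP or NIS shows which groups admit every host or every user
       through an empty field, including groups that inherit one by nesting.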
                                June 17, 2021                    NETGROUP(5)