User Commands nisopaccess(1)
NAME
nisopaccess - NIS+ operation access control administration
command
SYNOPSIS
nisopaccess [-v] directory operation rights
nisopaccess [-v] [-r] directory operation
nisopaccess [-v] [-l] directory [operation]
DESCRIPTION
Most NIS+ operations have implied access control through the
permissions on the objects that they manipulate. For example,
in order to read an entry in a table, you must have read
permission on that entry. However, some NIS+ operations by
default perform no access checking at all and are allowed to
all:
Operation        Example of commands that use the operation
NIS_CHECKPOINT   nisping -C
NIS_CPTIME       nisping, rpc.nisd
NIS_MKDIR        nismkdir
NIS_PING         nisping, rpc.nisd
NIS_RMDIR        nisrmdir
NIS_SERVSTATE    nisbackup, nisrestore
NIS_STATUS       nisstat, rpc.nispasswdd
The nisopaccess command can be used to enforce access control
on these operations on a per NIS+ directory basis.
SunOS 5.11 Last change: 2 Dec 2005 1
The directory argument should be the fully qualified name,
including the trailing dot, of the NIS+ directory to which
nisopaccess will be applied. As a short-hand method, if the
directory name does not end in a trailing dot, for example
"orgdir", then the domain name is appended. The domain name
is also appended to partial paths such as "orgdir.xyz".
You can use upper or lower case for the operation argument.
However, you cannot mix cases. The "NIS_" prefix may be
omitted. For example, NIS_PING can be specified as
NIS_PING, nis_ping, PING, or ping.
The rights argument is specified in the format defined by
the nischmod(1) command. Since only the read ("r") rights
are used to determine who has the right to perform the
operation, the modify and delete rights may be used to
control who can change access to the operation.
The access checking performed for each operation is as
follows. When an operation requires access be checked on all
directories served by its rpc.nisd(1M), access is denied if
even one of the directories prohibits the operation.
NIS_CHECKPOINT   Check specified directory, or all directories
                 if there is no directory argument, as is the
                 case when NIS_CHECKPOINT is issued by the
                 "nisping -Ca" command. Returns NIS_PERMISSION
                 when access is denied.
NIS_CPTIME       Check specified directory. It returns 0 when
                 access is denied.
NIS_MKDIR        Check parent of specified directory. Returns
                 NIS_PERMISSION when access is denied.
                 If the parent directory is not available
                 locally, that is, it is not served by this
                 rpc.nisd(1M), NIS_MKDIR access is allowed,
                 though the operation will be executed only if
                 this rpc.nisd is a known replica of the
                 directory.
                 You should note that the NIS_MKDIR operation
                 does not create a NIS+ directory; it adds a
                 directory to the serving list for this
                 rpc.nisd, if appropriate.
NIS_PING         Check specified directory. No return value.
NIS_RMDIR        Check specified directory. NIS_PERMISSION is
                 returned when access is denied.
                 The NIS_RMDIR operation does not remove a
                 NIS+ directory; it deletes the directory from
                 the serving list for this rpc.nisd, if
                 appropriate.
NIS_SERVSTATE    Check access on all directories served by
                 this rpc.nisd. If access is denied for a
                 tag, "" is returned instead of the tag value.
NIS_STATUS       Same as for NIS_SERVSTATE.
Notice that older clients may not supply authentication
information for some of the operations listed above. These
clients are treated as "nobody" when access checking is
performed.
The access control is implemented by creating a NIS+ table
called "proto_op_access" in each NIS+ directory to which
access control should be applied. The table can be
manipulated using normal NIS+ commands. However, nisopaccess
is the only supported interface for NIS+ operation access
control.
OPTIONS
The following options are supported:
-l List the access control for a single operation, or for
all operations that have access control enabled.
-r Remove access control for a certain operation on the
specified directory.
-v Verbose mode.
EXAMPLES
Example 1 Enabling Access Control for the NIS_PING Operation
To enable access control for the NIS_PING operation on
"orgdir.`domainname`." such that only the owner of the
directory can perform a NIS_PING, or change the NIS_PING
rights:
example% nisopaccess orgdir NIS_PING o=rmcd,g=,w=,n=
Example 2 Listing the Access to NIS_PING
To list the access to the NIS_PING operation for orgdir:
example% nisopaccess -l orgdir NIS_PING
NIS_PING ----rmcd-------- owner.dom.ain. group.dom.ain.
Example 3 Removing Access Control for NIS_PING
To remove access control for NIS_PING on orgdir:
example% nisopaccess -r orgdir NIS_PING
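The following audit helper is an added example, not part of the original manual page. It reads "nisopaccess -l" output, reports which of the seven operations have no access control row at all, and flags rows whose read ("r") right is granted to nobody or world. It assumes that a listing of all operations uses the same line format as Example 2 and that the 16-character rights field is ordered nobody, owner, group, world, as the Example 1 and Example 2 pair implies; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the man page. Audits `nisopaccess -l` output.
# Rights field is 16 chars: nobody, owner, group, world (4 each, "rmcd").
# Only "r" decides who may perform the operation (see DESCRIPTION).

# The seven operations the page lists as unchecked by default.
OPS="NIS_CHECKPOINT NIS_CPTIME NIS_MKDIR NIS_PING NIS_RMDIR NIS_SERVSTATE NIS_STATUS"

# audit_opaccess: listing on stdin, one "OPERATION: FINDING" line per operation.
audit_opaccess() {
    awk -v ops="$OPS" '
    BEGIN { n = split(ops, want, " ") }
    NF >= 2 && length($2) == 16 {
        op = toupper($1)                      # accept ping / nis_ping forms
        if (op !~ /^NIS_/) op = "NIS_" op
        seen[op] = 1
        if (substr($2, 1, 1) == "r")          # nobody: unauthenticated callers
            print op ": OPEN-NOBODY"
        else if (substr($2, 13, 1) == "r")    # world: any authenticated principal
            print op ": OPEN-WORLD"
        else
            print op ": RESTRICTED"
    }
    END {                                     # no table row means no check at all
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print want[i] ": UNCONTROLLED"
    }'
}

# Constructed sample listing (assumed to mirror the Example 2 line format).
sample_listing() {
    cat <<'EOF'
NIS_PING ----rmcd-------- owner.dom.ain. group.dom.ain.
NIS_STATUS r---rmcdr---r--- owner.dom.ain. group.dom.ain.
NIS_MKDIR ----rmcdr---r--- owner.dom.ain. group.dom.ain.
EOF
}

sample_listing | audit_opaccess
```

On a NIS+ server the same function can be fed real output, for example "nisopaccess -l orgdir | audit_opaccess". An OPEN-NOBODY finding matters most because older clients that supply no authentication information are checked as "nobody".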
EXIT STATUS
The following exit values are returned:
0 Successful operation.
other Operation failed. The status is usually the return
status from a NIS+ command such as nistbladm.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE   ATTRIBUTE VALUE
Availability     SUNWnisu
SEE ALSO
NIS+(1), nischmod(1), nistbladm(1), rpc.nisd(1M),
attributes(5)
NOTES
NIS+ might not be supported in future releases of the
Solaris operating system. Tools to aid the migration from
NIS+ to LDAP are available in the current Solaris release.
For more information, visit
http://www.sun.com/directory/nisplus/transition.html.