nisopaccess(1)                   User Commands                  nisopaccess(1)

NAME
nisopaccess - NIS+ operation access control administration command

SYNOPSIS
nisopaccess [-v] directory operation rights

nisopaccess [-v] [-r] directory operation

nisopaccess [-v] [-l] directory [operation]

DESCRIPTION
Most NIS+ operations have implied access control through the permissions
on the objects that they manipulate. For example, in order to read an
entry in a table, you must have read permission on that entry. However,
some NIS+ operations by default perform no access checking at all and are
allowed to all:

Operation         Example of commands that use the operation

NIS_CHECKPOINT    nisping -C
NIS_CPTIME        nisping, rpc.nisd
NIS_MKDIR         nismkdir
NIS_PING          nisping, rpc.nisd
NIS_RMDIR         nisrmdir
NIS_SERVSTATE     nisbackup, nisrestore
NIS_STATUS        nisstat, rpc.nispasswdd

The nisopaccess command can be used to enforce access control on these
operations on a per NIS+ directory basis.

The directory argument should be the fully qualified name, including the
trailing dot, of the NIS+ directory to which nisopaccess will be applied.
As a short-hand method, if the directory name does not end in a trailing
dot, for example "org_dir", then the domain name is appended. The domain
name is also appended to partial paths such as "org_dir.xyz".

You can use upper or lower case for the operation argument. However, you
cannot mix cases. The "NIS_" prefix may be omitted. For example, NIS_PING
can be specified as NIS_PING, nis_ping, PING, or ping.

The rights argument is specified in the format defined by the nischmod(1)
command. Since only the read ("r") rights are used to determine who has
the right to perform the operation, the modify and delete rights may be
used to control who can change access to the operation.

The access checking performed for each operation is as follows. When an
operation requires access be checked on all directories served by its
rpc.nisd(1M), access is denied if even one of the directories prohibits
the operation.

NIS_CHECKPOINT    Check specified directory, or all directories if there
                  is no directory argument, as is the case when
                  NIS_CHECKPOINT is issued by the "nisping -Ca" command.
                  Return NIS_PERMISSION when access is denied.

NIS_CPTIME        Check specified directory. It returns 0 when access is
                  denied.

NIS_MKDIR         Check parent of specified directory. Returns
                  NIS_PERMISSION when access is denied.

                  If the parent directory is not available locally, that
                  is, it is not served by this rpc.nisd(1M), NIS_MKDIR
                  access is allowed, though the operation will be
                  executed only if this rpc.nisd is a known replica of
                  the directory.

                  You should note that the NIS_MKDIR operation does not
                  create a NIS+ directory; it adds a directory to the
                  serving list for this rpc.nisd, if appropriate.

NIS_PING          Check specified directory. No return value.

NIS_RMDIR         Check specified directory. NIS_PERMISSION is returned
                  when access is denied.

                  The NIS_RMDIR operation does not remove a NIS+
                  directory; it deletes the directory from the serving
                  list for this rpc.nisd, if appropriate.

NIS_SERVSTATE     Check access on all directories served by this
                  rpc.nisd. If access is denied for a tag, "<permission
                  denied>" is returned instead of the tag value.

NIS_STATUS        Same as for NIS_SERVSTATE.

Notice that older clients may not supply authentication information for
some of the operations listed above. These clients are treated as "nobody"
when access checking is performed.

The access control is implemented by creating a NIS+ table called
"proto_op_access" in each NIS+ directory to which access control should be
applied. The table can be manipulated using normal NIS+ commands. However,
nisopaccess is the only supported interface for NIS+ operation access
control.

OPTIONS
The following options are supported:

-l    List the access control for a single operation, or for all
      operations that have access control enabled.

-r    Remove access control for a certain operation on the specified
      directory.

-v    Verbose mode.

EXAMPLES
Example 1 Enabling Access Control for the NIS_PING Operation

To enable access control for the NIS_PING operation on
"org_dir.`domainname`." such that only the owner of the directory can
perform a NIS_PING, or change the NIS_PING rights:

    example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=

Example 2 Listing the Access to NIS_PING

To list the access to the NIS_PING operation for org_dir:

    example% nisopaccess -l org_dir NIS_PING

    NIS_PING ----rmcd-------- owner.dom.ain. group.dom.ain.

Example 3 Removing Access Control for NIS_PING

To remove access control for NIS_PING on org_dir:

    example% nisopaccess -r org_dir NIS_PING

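An added example, not part of the original manual page: a shell function that reads `nisopaccess -l directory` output on standard input and reports, for each of the seven operations this page lists, whether it has no entry (and is therefore allowed to all) or grants the read right to the nobody or world class. It assumes every listing line has the layout shown in Example 2 and that the rights string is ordered nobody, owner, group, world, which is consistent with Example 1 and Example 2; the status labels and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: audit `nisopaccess -l <directory>` output read on stdin.
# Assumption: each listed line looks like the one in Example 2:
#   OPERATION  16-char-rights  owner  group
# Rights are four 4-character groups: nobody, owner, group, world.
# Only the read ("r") right decides who may perform the operation.
audit_opaccess() {
    awk '
    BEGIN {
        n = split("NIS_CHECKPOINT NIS_CPTIME NIS_MKDIR NIS_PING NIS_RMDIR NIS_SERVSTATE NIS_STATUS", ops, " ")
    }
    # Keep only well-formed rows; normalise case and the optional NIS_ prefix.
    NF >= 2 && length($2) == 16 {
        op = toupper($1)
        if (op !~ /^NIS_/) op = "NIS_" op
        rights[op] = $2
    }
    END {
        for (i = 1; i <= n; i++) {
            op = ops[i]
            if (!(op in rights)) {
                # No entry listed: the operation is not access checked.
                print op, "UNPROTECTED"
                continue
            }
            r = rights[op]
            if (substr(r, 1, 1) == "r")
                print op, "OPEN-NOBODY", r   # includes older, unauthenticated clients
            else if (substr(r, 13, 1) == "r")
                print op, "OPEN-WORLD", r    # read right granted to the world class
            else
                print op, "RESTRICTED", r
        }
    }'
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
NIS_PING       ----rmcd-------- owner.dom.ain. group.dom.ain.
NIS_STATUS     r---rmcdr---r--- owner.dom.ain. group.dom.ain.
NIS_RMDIR      ----rmcdr---r--- owner.dom.ain. group.dom.ain.
EOF
}

sample_listing | audit_opaccess
```

On a NIS+ host the same function can be fed live output, for example `nisopaccess -l org_dir | audit_opaccess`.
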
EXIT STATUS
The following exit values are returned:

0        Successful operation.

other    Operation failed. The status is usually the return status from a
         NIS+ command such as nistbladm.

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│ Availability                │ SUNWnisu                    │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO
NIS+(1), nischmod(1), nistbladm(1), rpc.nisd(1M), attributes(5)

NOTES
NIS+ might not be supported in future releases of the Solaris operating
system. Tools to aid the migration from NIS+ to LDAP are available in the
current Solaris release. For more information, visit
http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        2 Dec 2005                    nisopaccess(1)