nisopaccess(1)                   User Commands                  nisopaccess(1)

NAME

       nisopaccess - NIS+ operation access control administration command

SYNOPSIS

       nisopaccess [-v] directory operation rights

       nisopaccess [-v] [-r] directory operation

       nisopaccess [-v] [-l] directory [operation]

DESCRIPTION

       Most NIS+ operations have implied access control through the
       permissions on the objects that they manipulate. For example, in order
       to read an entry in a table, you must have read permission on that
       entry. However, some NIS+ operations by default perform no access
       checking at all and are allowed to all:

       Operation         Example of commands that use the operation

       NIS_CHECKPOINT    nisping -C
       NIS_CPTIME        nisping, rpc.nisd
       NIS_MKDIR         nismkdir
       NIS_PING          nisping, rpc.nisd
       NIS_RMDIR         nisrmdir
       NIS_SERVSTATE     nisbackup, nisrestore
       NIS_STATUS        nisstat, rpc.nispasswdd

       The nisopaccess command can be used to enforce access control on these
       operations on a per NIS+ directory basis.

       The directory argument should be the fully qualified name, including
       the trailing dot, of the NIS+ directory to which nisopaccess will be
       applied. As a short-hand method, if the directory name does not end in
       a trailing dot, for example "org_dir", then the domain name is
       appended. The domain name is also appended to partial paths such as
       "org_dir.xyz".

       You can use upper or lower case for the operation argument. However,
       you cannot mix cases. The "NIS_" prefix may be omitted. For example,
       NIS_PING can be specified as NIS_PING, nis_ping, PING, or ping.

       The rights argument is specified in the format defined by the
       nischmod(1) command. Since only the read ("r") rights are used to
       determine who has the right to perform the operation, the modify and
       delete rights may be used to control who can change access to the
       operation.

       The access checking performed for each operation is as follows. When
       an operation requires access be checked on all directories served by
       its rpc.nisd(1M), access is denied if even one of the directories
       prohibits the operation.

       NIS_CHECKPOINT    Check specified directory, or all directories if
                         there is no directory argument, as is the case when
                         NIS_CHECKPOINT is issued by the "nisping -Ca"
                         command. Return NIS_PERMISSION when access is denied.

       NIS_CPTIME        Check specified directory. It returns 0 when access
                         is denied.

       NIS_MKDIR         Check parent of specified directory. Returns
                         NIS_PERMISSION when access is denied.

                         If the parent directory is not available locally,
                         that is, it is not served by this rpc.nisd(1M),
                         NIS_MKDIR access is allowed, though the operation
                         will be executed only if this rpc.nisd is a known
                         replica of the directory.

                         You should note that the NIS_MKDIR operation does not
                         create a NIS+ directory; it adds a directory to the
                         serving list for this rpc.nisd, if appropriate.

       NIS_PING          Check specified directory. No return value.

       NIS_RMDIR         Check specified directory. NIS_PERMISSION is returned
                         when access is denied.

                         The NIS_RMDIR operation does not remove a NIS+
                         directory; it deletes the directory from the serving
                         list for this rpc.nisd, if appropriate.

       NIS_SERVSTATE     Check access on all directories served by this
                         rpc.nisd. If access is denied for a tag, "<permission
                         denied>" is returned instead of the tag value.

       NIS_STATUS        Same as for NIS_SERVSTATE.

       Notice that older clients may not supply authentication information for
       some of the operations listed above. These clients are treated as
       "nobody" when access checking is performed.

       The access control is implemented by creating a NIS+ table called
       "proto_op_access" in each NIS+ directory to which access control
       should be applied. The table can be manipulated using normal NIS+
       commands. However, nisopaccess is the only supported interface for
       NIS+ operation access control.

OPTIONS

       The following options are supported:

       -l    List the access control for a single operation, or for all
             operations that have access control enabled.

       -r    Remove access control for a certain operation on the specified
             directory.

       -v    Verbose mode.

EXAMPLES

       Example 1 Enabling Access Control for the NIS_PING Operation

       To enable access control for the NIS_PING operation on
       "org_dir.`domainname`." such that only the owner of the directory can
       perform a NIS_PING, or change the NIS_PING rights:

         example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=

       Example 2 Listing the Access to NIS_PING

       To list the access to the NIS_PING operation for org_dir:

         example% nisopaccess -l org_dir NIS_PING

         NIS_PING    ----rmcd--------    owner.dom.ain.  group.dom.ain.

       Example 3 Removing Access Control for NIS_PING

       To remove access control for NIS_PING on org_dir:

         example% nisopaccess -r org_dir NIS_PING
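
       Added example (not part of the original manual page): a shell function
       that audits "nisopaccess -l directory" output for operations left
       unprotected or readable by nobody or world. It assumes the listing
       format of Example 2 for every row and the rights order nobody, owner,
       group, world; the function names and the sample listing are constructed.

```sh
#!/bin/sh
# Added example: audit the output of `nisopaccess -l <directory>` read on stdin.
# The seven operations the DESCRIPTION lists as unchecked by default.
OPS="NIS_CHECKPOINT NIS_CPTIME NIS_MKDIR NIS_PING NIS_RMDIR NIS_SERVSTATE NIS_STATUS"

audit_opaccess() {
    awk -v ops="$OPS" '
    BEGIN { n = split(ops, want, " ") }
    # Listing line: operation, 16-character rights string, owner, group.
    $1 ~ /^NIS_/ && length($2) == 16 {
        seen[$1] = 1
        # Assumed class order: nobody, owner, group, world (4 characters each).
        nobody = substr($2, 1, 4)
        world  = substr($2, 13, 4)
        # Read decides who may perform the operation.
        if (index(nobody, "r")) print "NOBODY_READ " $1
        if (index(world, "r"))  print "WORLD_READ " $1
        # Modify and delete decide who may change access to the operation.
        if ((nobody world) ~ /[md]/) print "OPEN_ADMIN " $1
    }
    END {
        # No row in the listing means no access control is enabled.
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print "UNPROTECTED " want[i]
    }'
}

# Constructed sample listing (not captured from a real server).
sample_listing() {
    cat <<'EOF'
NIS_PING    ----rmcd--------    owner.dom.ain.  group.dom.ain.
NIS_STATUS  r---rmcdr---r---    owner.dom.ain.  group.dom.ain.
NIS_RMDIR   ----rmcdr----m--    owner.dom.ain.  group.dom.ain.
EOF
}

sample_listing | audit_opaccess
```

       On a NIS+ host the real listing is piped in the same way, for example
       "nisopaccess -l org_dir | audit_opaccess". A NOBODY_READ finding also
       covers the older clients that are treated as "nobody".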

EXIT STATUS

       The following exit values are returned:

       0        Successful operation.

       other    Operation failed. The status is usually the return status from
                a NIS+ command such as nistbladm.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnisu                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       NIS+(1), nischmod(1), nistbladm(1), rpc.nisd(1M), attributes(5)

NOTES

       NIS+ might not be supported in future releases of the Solaris operating
       system. Tools to aid the migration from NIS+ to LDAP are available in
       the current Solaris release. For more information, visit
       http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        2 Dec 2005                    nisopaccess(1)