nisopaccess


NAME
     nisopaccess - NIS+ operation access  control  administration
     command

SYNOPSIS
     nisopaccess [-v] directory operation rights


     nisopaccess [-v] [-r] directory operation


     nisopaccess [-v] [-l] directory [operation]


DESCRIPTION
     Most NIS+ operations have implied access control through the
     permissions on the objects that they manipulate. For example,
     in order to read an entry in a table, you must have read
     permission on that entry. However, some NIS+ operations by
     default perform no access checking at all and are allowed to
     all:

     Operation         Example of commands that use the operation

     NIS_CHECKPOINT    nisping -C
     NIS_CPTIME        nisping, rpc.nisd
     NIS_MKDIR         nismkdir
     NIS_PING          nisping, rpc.nisd
     NIS_RMDIR         nisrmdir
     NIS_SERVSTATE     nisbackup, nisrestore
     NIS_STATUS        nisstat, rpc.nispasswdd



     The nisopaccess command can be used to enforce access control
     on these operations on a per NIS+ directory basis.



     The directory argument should be the fully  qualified  name,
     including  the  trailing dot, of the NIS+ directory to which
     nisopaccess will be  applied. As a short-hand method, if the
     directory  name  does not end in a trailing dot, for example
     "org_dir", then the domain name is appended. The domain name
     is also appended to partial paths such as "org_dir.xyz".


     You can use upper or lower case for the operation  argument.
     However,  you  cannot  mix  cases. The "NIS_"  prefix may be
     omitted.  For  example,  NIS_PING  can   be   specified   as
     NIS_PING, nis_ping, PING, or ping.


     The rights argument is specified in the format defined by the
     nischmod(1) command. Since only the read ("r") rights are used
     to determine who has the right to perform the operation, the
     modify and delete rights may be used to control who can change
     access to the operation.


     The access checking performed for each operation is as
     follows. When an operation requires access be checked on all
     directories served by its rpc.nisd(1M), access is denied if
     even one of the directories prohibits the operation.

     NIS_CHECKPOINT    Check specified directory, or all
                       directories if there is no directory
                       argument, as is the case when
                       NIS_CHECKPOINT is issued by the
                       "nisping -Ca" command. Return
                       NIS_PERMISSION when access is denied.


     NIS_CPTIME        Check specified directory.  It  returns  0
                       when access  is denied.


     NIS_MKDIR         Check  parent  of   specified   directory.
                       Returns   NIS_PERMISSION  when  access  is
                       denied.

                       If the parent directory is not available
                       locally, that is, it is not served by this
                       rpc.nisd(1M), NIS_MKDIR access is allowed,
                       though the operation will be executed only
                       if this rpc.nisd is a known replica of the
                       directory.

                       You should note that the NIS_MKDIR
                       operation does not create a NIS+ directory;
                       it adds a directory to the serving list for
                       this rpc.nisd, if appropriate.


     NIS_PING          Check  specified  directory.   No   return
                       value.


     NIS_RMDIR         Check specified directory.  NIS_PERMISSION
                       is returned when access is denied.

                       The NIS_RMDIR operation does not remove  a
                       NIS+  directory;  it deletes the directory
                       from the serving list for  this  rpc.nisd,
                       if appropriate.


     NIS_SERVSTATE     Check access on all directories served  by
                       this  rpc.nisd.  If access is denied for a
                       tag,  "<permission  denied>"  is  returned
                       instead of the tag value.


     NIS_STATUS        Same as for NIS_SERVSTATE.



     Notice that older clients may not supply authentication
     information for some of the operations listed above. These
     clients are treated as "nobody" when access checking is
     performed.


     The access control is implemented by creating a NIS+ table
     called "proto_op_access" in each NIS+ directory to which
     access control should be applied. The table can be
     manipulated using normal NIS+ commands. However, nisopaccess
     is the only supported interface for NIS+ operation access
     control.

OPTIONS
     The following options are supported:

     -l    List the access control for a single operation, or for
           all operations that have access control enabled.


     -r    Remove access control for a certain operation  on  the
           specified directory.


     -v    Verbose mode.

EXAMPLES
     Example 1 Enabling Access Control for the NIS_PING Operation


     To enable access  control  for  the  NIS_PING  operation  on
     "org_dir.`domainname`."  such  that  only  the  owner of the
     directory can perform a NIS_PING,  or  change  the  NIS_PING
     rights:


       example% nisopaccess org_dir NIS_PING o=rmcd,g=,w=,n=



     Example 2 Listing the Access to NIS_PING


     To list the access to the NIS_PING operation for org_dir:


       example% nisopaccess -l org_dir NIS_PING

       NIS_PING    ----rmcd--------    owner.dom.ain.  group.dom.ain.



     Example 3 Removing Access Control for NIS_PING


     To remove access control for NIS_PING on org_dir:


       example% nisopaccess -r org_dir NIS_PING
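
     The listing format from Example 2 can be checked mechanically.
     The following sh function is an added example, not part of the
     Solaris man page. It assumes that "nisopaccess -l directory"
     prints one line per operation in the Example 2 format, with the
     16-character rights field ordered nobody, owner, group, world;
     the sample listing is constructed.

```shell
#!/bin/sh
# Audit NIS+ operation access control from `nisopaccess -l <directory>` output.
# Only the read ("r") right decides who may perform an operation, and an
# operation with no entry in the listing is still allowed to all.

OPS="NIS_CHECKPOINT NIS_CPTIME NIS_MKDIR NIS_PING NIS_RMDIR NIS_SERVSTATE NIS_STATUS"

# audit_opaccess: reads listing lines on stdin and prints, per operation,
#   <operation> <classes holding the read right | none | UNPROTECTED>
audit_opaccess() {
    awk -v ops="$OPS" '
    # Assumed columns: operation, 16-char rights, owner, group.
    NF >= 2 && length($2) == 16 {
        op = toupper($1)
        if (op !~ /^NIS_/) op = "NIS_" op      # "NIS_" prefix may be omitted
        who = ""
        if (substr($2, 1, 1)  == "r") who = who "nobody,"   # also old clients
        if (substr($2, 5, 1)  == "r") who = who "owner,"
        if (substr($2, 9, 1)  == "r") who = who "group,"
        if (substr($2, 13, 1) == "r") who = who "world,"
        sub(/,$/, "", who)
        seen[op] = (who == "" ? "none" : who)
    }
    END {
        n = split(ops, list, " ")
        for (i = 1; i <= n; i++)
            print list[i], (list[i] in seen ? seen[list[i]] : "UNPROTECTED")
    }'
}

# Constructed sample listing for a hypothetical directory (not real output).
SAMPLE='NIS_PING    ----rmcd--------    owner.dom.ain.  group.dom.ain.
NIS_STATUS  r---rmcdr---r---    owner.dom.ain.  group.dom.ain.'

# audit_sample: run the audit over the constructed listing above.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_opaccess; }

audit_sample
```

     On a NIS+ host the same function would be fed from the command
     itself, for example "nisopaccess -l org_dir | audit_opaccess".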



EXIT STATUS
     The following exit values are returned:

     0        Successful operation.


     other    Operation failed. The status is usually the  return
              status from a NIS+ command such as nistbladm.


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:


     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWnisu                    |
    |_____________________________|_____________________________|


SEE ALSO
     NIS+(1), nischmod(1), nistbladm(1), rpc.nisd(1M),
     attributes(5)

NOTES
     NIS+ might not be supported in future releases of the Solaris
     operating system. Tools to aid the migration from NIS+ to LDAP
     are available in the current Solaris release. For more
     information, visit
     http://www.sun.com/directory/nisplus/transition.html.










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.