netgroups

Deb Lilly deb at tc.fluke.COM
Sat Dec 15 12:12:35 AEST 1990


In article <17600 at hydra.gatech.EDU>, flur at duke.gatech.edu (Peter W. Flur)
writes:

> ... we would
> like to be able to restrict which group of machines any one person has
> access to.  Rather than use the YP domains to do this, as we are now,
> we would like to use netgroups.  

At Fluke we use netgroups to limit logins on certain machines.  
Our YP domain is 'tc'.


Example 1 (netgroup in /etc/passwd to exclude logins from a machine):

Our netgroup 'uucpLogins' contains uucp accounts:

    uucpLogins (,uuaea,tc) (,uualle,tc) ...

In all our /etc/passwd files except on the uucphost, we exclude the
uucp accounts with:

    -@uucpLogins::0:0:::


Example 2 (netgroup in /etc/passwd to allow logins on a machine):

Our netgroup 'CDXusers' contains accounts for people allowed access to
a set of machines running a specialized application:

    CDXusers (,john,tc) (,amyh,tc) (,bryanf,tc) (,darren,tc) ...

In the /etc/passwd files on the restricted machines, we do not use
the full Yellow Pages passwd (no +::0:0::: entry), but do allow access 
to the CDXusers with:

    +@CDXusers::0:0:::


Example 3 (netgroup in /etc/hosts.equiv):

Our netgroup 'trustedhosts' includes all computers which use the same
logins, uids, groups, and gids as the rest of the network:

    trustedhosts (daphne,,tc) (eros,,tc) (hera,,tc) ...

The /etc/hosts.equiv file on all systems contains:

    +@trustedhosts

There was a bug in SunOS 4.0.1 (bug ID 1022453) that required netgroup
names to be all lower case to work properly in /etc/hosts.equiv.  I 
don't know whether it's been fixed in 4.0.3 or 4.1.


Deb Lilly
Domain:	deb at tc.fluke.COM
UUCP:	uunet!fluke!deb
John Fluke Mfg. Co., M/S 223B, PO Box 9090, Everett WA 98206-9090  USA
+1 206 356-5052
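
The following is an added example, not part of the original post: a small Python model of how the netgroup triples and the `-@group` / `+@group` passwd entries from Examples 1 and 2 decide who can log in, and how a host is matched for Example 3. The function names, the sample YP user list and the `root` line are constructed for illustration, and the top-to-bottom first-match reading of the passwd file is an assumption of this sketch.

```python
import re

# Constructed sample in the post's format: group name, then (host,user,domain) triples.
NETGROUP = """\
uucpLogins (,uuaea,tc) (,uualle,tc)
CDXusers (,john,tc) (,amyh,tc)
trustedhosts (daphne,,tc) (eros,,tc)
"""

def parse_netgroups(text):
    """Return {group: [(host, user, domain), ...]}. Nested group references are not handled."""
    groups = {}
    for line in text.splitlines():
        name, _, rest = line.strip().partition(" ")
        if name and not name.startswith("#"):
            groups[name] = [tuple(f.strip() for f in body.split(","))
                            for body in re.findall(r"\(([^)]*)\)", rest)]
    return groups

def in_netgroup(groups, name, host=None, user=None, domain=None):
    """An empty triple field is a wildcard; a query field left as None is not checked."""
    def ok(field, want):
        return field == "" or want is None or field == want
    return any(ok(h, host) and ok(u, user) and ok(d, domain)
               for h, u, d in groups.get(name, []))

def passwd_allows(passwd_lines, groups, user, yp_users, domain="tc"):
    """Assumed first-match model of a passwd file with +/- entries, read top to bottom."""
    for line in passwd_lines:
        name = line.split(":", 1)[0]
        if name.startswith("-@"):          # exclude netgroup members
            if in_netgroup(groups, name[2:], user=user, domain=domain):
                return False
        elif name.startswith("+@"):        # include netgroup members known to YP
            if user in yp_users and in_netgroup(groups, name[2:], user=user, domain=domain):
                return True
        elif name == "+":                  # include the whole YP passwd map
            if user in yp_users:
                return True
        elif name == user:                 # ordinary local entry
            return True
    return False

GROUPS = parse_netgroups(NETGROUP)
YP_USERS = {"john", "amyh", "mary", "uuaea"}            # constructed YP passwd map
ORDINARY = ["root:*:0:0::/:/bin/sh", "-@uucpLogins::0:0:::", "+::0:0:::"]
RESTRICTED = ["root:*:0:0::/:/bin/sh", "+@CDXusers::0:0:::"]

if __name__ == "__main__":
    for u in ("john", "mary", "uuaea"):
        print(u, passwd_allows(ORDINARY, GROUPS, u, YP_USERS),
              passwd_allows(RESTRICTED, GROUPS, u, YP_USERS))
```

In this model the `-@uucpLogins` line only has an effect because it precedes the `+` line; placed after it, the uucp accounts would already have matched.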