Name Services Administration Guide

Chapter 9, "Administering NIS+ Access Rights"

This chapter describes how to use the NIS+ access rights administration commands to perform the following tasks:
  • Specifying Access Rights in Commands, page 142
  • Displaying Default Values, page 146
  • Changing Defaults, page 146
  • Displaying the Value of NIS_DEFAULTS, page 147
  • Resetting the Value of NIS_DEFAULTS, page 147
  • Overriding Defaults, page 147
  • Adding Rights to an Object, page 149
  • Removing Rights to an Object, page 150
  • Adding Rights to a Table Entry, page 150
  • Removing Rights to a Table Entry, page 151
  • Setting Column Rights When Creating a Table, page 152
  • Adding Rights to an Existing Table Column, page 152
  • Removing Rights to a Table Column, page 153
  • Changing an Object's Owner, page 154
  • Changing a Table Entry's Owner, page 154
  • Changing an Object's Group, page 155
  • Changing a Table Entry's Group, page 156
For a complete description of these commands, their syntax, and options, see the NIS+ man pages.

Specifying Access Rights in Commands


This section describes how to specify access rights, as well as owner, group owner, and object, when using any of the commands described in this chapter.

Syntax for Access Rights

Access rights, whether specified in an environment variable or a command, are identified with three types of arguments: class, operator, and right.
class:=                  n | o | g | w | a
operator:=               + | - | =
right:=                  r | m | c | d

The class refers to the type of NIS+ principal to which the rights will apply. The operator indicates the operation that will be performed with the rights. The rights are the access rights themselves. The accepted values for each are listed below.
Table 9-1

Class      Description
n          Nobody: all unauthenticated requests.
o          The owner of the object or table entry.
g          The group owner of the object or table entry.
w          World: all authenticated principals.
a          All: shorthand for Owner, Group, and World. This is the default.

Operator   Description
+          Add the access rights specified by right.
-          Revoke the access rights specified by right.
=          Explicitly set the access rights specified by right; that is, revoke all existing rights and replace them with the new access rights.

Right      Description
r          Read the object definition or table entry.
m          Modify the object definition or table entry.
c          Create a table entry or column.
d          Destroy a table entry or column.
This example adds the Read access right to the Owner.
o+r

This example adds the Modify access right to the Owner, Group, and World.
a+m

This example sets the rights of the Owner, Group, and World to Read. This means that all three classes of principal now only have Read access, regardless of what access rights they had before:
a=r

This example adds the Create and Destroy rights to the Owner.
o+cd

This example adds the Read and Modify rights to the World and Nobody.
wn+rm

This example removes all four rights from the Group, World, and Nobody.
gwn-rmcd

This example combines the two preceding additions (o+cd and wn+rm) into one specification; clauses are separated by commas.
o+cd,wn+rm

Syntax for Owner and Group

To specify an owner, use an NIS+ principal name. To specify an NIS+ group, use an NIS+ group name with the domain name appended.
owner::= principal-name.domain-name.
group::= group-name.domain-name.

Syntax for Objects and Entries

Objects and entries use different syntaxes. Objects use simple object names, while table entries use indexed names.
object::= object-name
entry::= [column-name=value,...],table-name
For example:
hosts.org_dir.Sales.Wiz.Com.
[name=butler],hosts.org_dir.Eng.Wiz.Com.
[uid=33555],passwd.org_dir.Eng.Wiz.Com.


Note - In this case the brackets are part of the syntax, not just the "optional" symbol of the grammar.

Indexed names can specify more than one column-value pair. If so, the operation applies only to the entries that match all the column-value pairs. The more column-value pairs you provide, the more stringent the search. This example uses two pairs to specify the entry:
[winner=yoyoma,year=1992],races.org_dir.Wiz.Com.
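The indexed-name syntax above, worked as an added Python example that is not part of this guide: it splits [column=value,...],table-name into its parts, rejects a name that lacks the literal brackets, and shows that each extra column-value pair narrows the selection to the entries matching all of them. The races rows are constructed sample data, and the function names are assumptions, not NIS+ library calls.

```python
import re

# [column=value,...],table-name  (the brackets are literal NIS+ syntax)
INDEXED_RE = re.compile(r"^\[([^\]]*)\],(.+)$")


def parse_indexed_name(name):
    """Split '[winner=yoyoma,year=1992],races.org_dir.Wiz.Com.' into
    ({'winner': 'yoyoma', 'year': '1992'}, 'races.org_dir.Wiz.Com.')."""
    m = INDEXED_RE.match(name)
    if not m:
        raise ValueError(f"not an indexed name (missing [...],table-name): {name!r}")
    body, table = m.groups()
    pairs = {}
    for item in body.split(","):
        column, sep, value = item.partition("=")
        if not sep or not column:
            raise ValueError(f"bad column=value pair: {item!r}")
        if column in pairs:
            raise ValueError(f"column {column!r} given twice")
        pairs[column] = value
    if not pairs:
        raise ValueError("an indexed name needs at least one column=value pair")
    return pairs, table


def select_entries(entries, pairs):
    """Entries that match ALL column-value pairs; more pairs narrow the selection."""
    return [e for e in entries if all(e.get(col) == val for col, val in pairs.items())]


# Constructed sample rows for a "races" table with name, year and winner columns.
RACES = [
    {"name": "derby", "year": "1992", "winner": "yoyoma"},
    {"name": "derby", "year": "1993", "winner": "yoyoma"},
    {"name": "regatta", "year": "1992", "winner": "abe"},
]


def entries_for(indexed_name, entries=RACES):
    """Rows an operation on this indexed name would touch (table name is ignored here)."""
    pairs, _table = parse_indexed_name(indexed_name)
    return select_entries(entries, pairs)
```

Counting the rows an indexed name selects, as entries_for does, is a cheap check before running nischmod, nischown or nischgrp on an entry: [winner=yoyoma] alone touches two constructed rows, while adding year=1992 narrows it to one.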

Columns use a special version of indexed names. Because you can only work on columns with the nistbladm command, see "The nistbladm Command" on page 190 for more information.

The nisdefaults Command

The nisdefaults command displays the seven defaults currently active in the namespace: domain, group, host, principal, access rights, directory search path, and time-to-live. NIS+ supplies preset values for these defaults. They are listed under "Options," below. In addition, you can specify your own security-related defaults (owner, group, access rights, and time-to-live) with the NIS_DEFAULTS environment variable. Once you set the value of NIS_DEFAULTS, every object you create from that shell will acquire those defaults, unless you override them by using the -D option when you invoke a command. This section describes how to perform tasks related to the nisdefaults command, the NIS_DEFAULTS environment variable, and the -D option.

Syntax

--To display individual defaults:
nisdefaults [-dghprst]
nisdefaults [-dghprst] [-v]

--To display all defaults:
nisdefaults [-a]

-- Options:

Table 9-2   nisdefaults Options

Option   Description
-d       Domain. Displays the home domain of the workstation from which the command was entered.
-g       Group. Displays the group that would be assigned to the next object created from this shell. The group is taken from the NIS_GROUP environment variable.
-h       Hostname. Displays the workstation's hostname.
-p       Principal. Displays the user ID or hostname of the NIS+ principal who entered the nisdefaults command.
-r       Rights. Displays the access rights that will be assigned to the next object or entry created from this shell. They are: ----rmcdr---r---
-s       Search Path. Displays the syntax of the search path, which indicates the domains that NIS+ will search through when looking for information.
-t       Time to live. Displays the time to live that will be assigned to the next object created from this shell. The default is 12 hours.

Displaying Default Values

You can display all default values or any subset of them. To display all values, enter the nisdefaults command without arguments. They are displayed in verbose format. To use terse format, add the -a option. Here is an example:

  rootmaster% nisdefaults  
  Principal Name : topadmin.Wiz.Com.  
  Domain Name    : Wiz.Com.  
  Host Name      : rootmaster.Wiz.Com.  
  Group Name     :  
  Access Rights  : ----rmcdr---r---  
  Time to live   : 12:0:0  
  Search Path    : $Wiz.Com.  

To display a subset of the values, use the appropriate options. The values are displayed in terse mode. To display them in verbose mode, add the -v flag.

  rootmaster% nisdefaults -rs  
  ----rmcdr---r---  
  $Wiz.Com.  

Changing Defaults

You can change the default access rights, owner, and group by changing the value of the NIS_DEFAULTS environment variable. Use the command that is appropriate for your shell with the access=, owner=, and group= arguments:
access=right ...
owner=principal-name
group=group-name

You can combine two or more arguments into one line:
owner=principal-name:group=group-name
Here are some examples:

  client% setenv NIS_DEFAULTS access=o+r  
  client% setenv NIS_DEFAULTS owner=abe.Wiz.Com.  
  client% setenv NIS_DEFAULTS access=o+r:owner=abe.Wiz.Com.  

All objects and entries created from the shell in which you changed the defaults will have the new values you specified. You cannot specify default settings for a table column; the column simply inherits the defaults of the table.

Displaying the Value of NIS_DEFAULTS

You can check the setting of an environment variable by using the echo command, as shown below:

  client% echo $NIS_DEFAULTS  
  owner=butler:group=gamblers:access=o+rmcd  

Resetting the Value of NIS_DEFAULTS

You can reset the NIS_DEFAULTS variable back to its original values (listed on page 145), by entering the name of the variable without arguments, using the format appropriate to your shell:

  client# unsetenv NIS_DEFAULTS                           # for csh  
  
  client# NIS_DEFAULTS=; export NIS_DEFAULTS             # for sh/ksh  

Overriding Defaults

You can override default access rights, owner, and group, any time that you create an NIS+ object or table entry with any of these NIS+ commands:
  • nismkdir - creates NIS+ directory objects
  • nisaddent - transfers entries into an NIS+ table
  • nistbladm - creates entries in an NIS+ table
Insert the -D option into the syntax of those commands, as shown below:
command -D access=right... command-arguments
command -D owner=principal-name command-arguments
command -D group=group-name command-arguments
As when setting defaults, you can combine two or more arguments into one line:
command -D owner=principal-name:group=group-name \
command-arguments
Remember that a column's owner and group are always the same as its table, so you cannot override them.
These two examples override the default access rights:

[Figure 9-1: image not reproduced]

These two examples override the default owner:

  client% nistbladm -D owner=abe.Wiz.Com.  -a  name=derby  \  
                                                      year=1992  \  
                                                      winner=yoyoma \  
                                                    races.org_dir.Wiz.Com.  
  
  client% nismkdir -D owner=abe.Wiz.Com.  Sales.Wiz.Com.  

These two examples override the default group:

[Figure 9-2: image not reproduced]

This example overrides the default owner and group:

  client% nismkdir -D owner=abe.Wiz.Com.:group=admin.Wiz.Com. \  
                   Sales.Wiz.Com.  
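The access-rights grammar of "Syntax for Access Rights" (Table 9-1) and the NIS_DEFAULTS / -D rules of the last three sections, worked as one added Python example; it is not part of this guide and calls no NIS+ library. It assumes the rights-mask layout printed by nisdefaults -r (four fields of four characters in the order nobody, owner, group, world, so the preset ----rmcdr---r--- gives the owner rmcd and the group and world r), and it assumes that -D overrides NIS_DEFAULTS argument by argument. Function names and the sample principal names are constructed.

```python
import re

# Rights mask as printed by "nisdefaults -r" or "niscat -o": four 4-character
# fields in the order nobody, owner, group, world, each holding r m c d or "-".
# Layout assumed from the nisdefaults output quoted in this chapter.
MASK_ORDER = "nogw"
RIGHTS = "rmcd"
PRESET_MASK = "----rmcdr---r---"

# One clause of the grammar: class... operator right...  (for example "wn+rm")
CLAUSE_RE = re.compile(r"^([nogwa]+)([+\-=])([rmcd]+)$")


def parse_spec(spec):
    """Parse 'o+cd,wn+rm' into a list of (classes, operator, rights).
    'a' expands to owner, group and world (Table 9-1); it never includes nobody."""
    ops = []
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"bad access-rights clause: {clause!r}")
        classes, op, rights = m.groups()
        expanded = set()
        for c in classes:
            expanded |= set("ogw") if c == "a" else {c}
        ops.append((expanded, op, set(rights)))
    return ops


def parse_mask(mask):
    """Turn a 16-character rights mask into {class: set(rights)}."""
    if len(mask) != 16:
        raise ValueError(f"rights mask must be 16 characters: {mask!r}")
    table = {}
    for i, cls in enumerate(MASK_ORDER):
        field = mask[4 * i:4 * i + 4]
        held = set()
        for pos, right in enumerate(RIGHTS):
            if field[pos] == right:
                held.add(right)
            elif field[pos] != "-":
                raise ValueError(f"bad rights field {field!r} in {mask!r}")
        table[cls] = held
    return table


def format_mask(table):
    """Inverse of parse_mask."""
    return "".join("".join(r if r in table[cls] else "-" for r in RIGHTS)
                   for cls in MASK_ORDER)


def apply_spec(mask, spec):
    """Apply a specification to a mask: '+' adds, '-' revokes, '=' replaces outright."""
    table = parse_mask(mask)
    for classes, op, rights in parse_spec(spec):
        for cls in classes:
            if op == "+":
                table[cls] |= rights
            elif op == "-":
                table[cls] -= rights
            else:
                table[cls] = set(rights)
    return format_mask(table)


# Keys of NIS_DEFAULTS and -D that this chapter documents.
DEFAULT_KEYS = ("owner", "group", "access")


def parse_defaults(value):
    """Parse 'owner=abe.Wiz.Com.:group=admin.Wiz.Com.:access=o+r' (NIS_DEFAULTS / -D)."""
    settings = {}
    for item in filter(None, value.split(":")):
        key, sep, val = item.partition("=")
        if not sep or key not in DEFAULT_KEYS:
            raise ValueError(f"bad default setting: {item!r}")
        if key == "access":
            parse_spec(val)  # reject a malformed rights spec before a command sees it
        settings[key] = val
    return settings


def effective_settings(principal, nis_group, nis_defaults="", d_option=""):
    """Owner, group and rights mask a newly created object would receive.
    Presets first, then NIS_DEFAULTS, then -D; each layer overrides the previous
    one key by key (assumed from the chapter's description of -D)."""
    chosen = {"owner": principal, "group": nis_group, "access": None}
    for layer in (parse_defaults(nis_defaults), parse_defaults(d_option)):
        chosen.update(layer)
    spec = chosen["access"]
    mask = PRESET_MASK if spec is None else apply_spec(PRESET_MASK, spec)
    return {"owner": chosen["owner"], "group": chosen["group"], "access": mask}
```

Two points the grammar makes visible when run this way: a=r leaves the Nobody field untouched, because a covers only Owner, Group and World, so clearing unauthenticated access takes an explicit n clause (for example a=r,n-rmcd); and validating an access= value with parse_spec before exporting NIS_DEFAULTS catches a mistyped class or right before every object created from that shell inherits it.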

The nischmod Command

The nischmod command operates on the access rights of an NIS+ object or table entry. It does not operate on the access rights of a table column; for columns, use the nistbladm command with the -D option. For all nischmod operations, you must already have Modify rights to the object or entry.

Syntax

--To add rights for an object or entry:
nischmod class...+right... object-name.
nischmod class...+right... [column-name=value],table-name
--To remove rights for an object or entry:
nischmod class...-right... object-name.
nischmod class...-right... [column-name=value],table-name

Adding Rights to an Object

To add access rights to an NIS+ object, use the + operator:
nischmod class...+right... object-name.

This example adds Read and Modify rights to the Group of the Sales.Wiz.Com. directory object.

  client% nischmod  g+rm   Sales.Wiz.Com.  

Removing Rights to an Object

To remove access rights to an NIS+ object, use the - operator:
nischmod class...-right... object-name

This example removes Create and Destroy rights from the Group of the Sales.Wiz.Com. directory object.

  client% nischmod g-cd   Sales.Wiz.Com.  

Adding Rights to a Table Entry

To add access rights to an entry in an NIS+ table, use the + operator and an indexed name:
nischmod class...+right... [column-name=value],table-name
This example adds Read and Modify rights to Group for an entry in the hosts.org_dir.Wiz.Com. table. The entry is the one whose hostname column has the value of abe:

[Figure 9-3: image not reproduced]

Removing Rights to a Table Entry

To remove access rights to an entry in an NIS+ table, use the - operator and an indexed name:
nischmod class...-right... [column-name=value],table-name
This example removes Destroy rights from Group for an entry in the "hosts.org_dir.Wiz.Com." table. The entry is the one whose hostname column has the value of abe:

[Figure 9-4: image not reproduced]

The nistbladm Command

The nistbladm command performs a variety of operations on NIS+ tables, as described in Chapter 12, "Administering NIS+ Tables." However, two of its options, -c and -u, enable you to perform several security-related tasks. To use the -c option, you must have Create rights to the directory under which you will create the table. To use the -u option, you must have Modify rights to the table column.

Syntax

--To set column rights when creating a table:
nistbladm -c type column=access-rights... table-name
--To change rights to a particular column:
nistbladm -u [column=access-rights,...],table-name

Setting Column Rights When Creating a Table

When a table is created, its columns are assigned the same rights as the table object. To assign a column its own set of rights, append access-rights to each column's equal sign and separate the columns with a space:
column=access-rights column=access-rights column=access-rights
Here is the full syntax:
nistbladm -c type column=access-rights... table-name
This example creates a table with three columns and adds Modify rights for the World to the second and third columns:

  client% nistbladm -c races.org_dir.Wiz.Com. \  
                       name=S year=S,w+m winner=S,w+m races  

For more information about the nistbladm -c option, see Chapter 12, "Administering NIS+ Tables."

Adding Rights to an Existing Table Column

To add access rights to a column in an existing NIS+ table, use the -u option (its full syntax is described in Chapter 12, "Administering NIS+ Tables"). Use one column=access-rights pair for each column whose rights you want to update. To update multiple columns, separate them with commas and enclose the entire set with square brackets:
[column=access-rights] [column=access-rights,column=access-rights]
Here is the full syntax:
nistbladm -u [column=class...+right...],table-name

This example adds Read and Modify rights to Group for the "hostname" column in the "hosts.org_dir.Wiz.Com." table.

[Figure 9-5: image not reproduced]

This example adds Read and Modify rights to Group for two columns in the Hosts table of the Wiz.Com. domain:

  client% nistbladm -u  \  
          [name=g+rm,addr=g+rm],hosts.org_dir.Wiz.Com.  

Removing Rights to a Table Column

To remove access rights to a column in an NIS+ table, use the -u option, the - operator, and an indexed name:
nistbladm -u [column=class...-access-rights...],table-name
This example removes Group's Read and Modify rights to the "hostname" column in the hosts.org_dir.Wiz.Com. table.

[Figure 9-6: image not reproduced]

The nischown Command

The nischown command changes the owner of one or more objects or entries. To use it, you must have Modify rights to the object or entry. The nischown command cannot change the owner of a column, since a table's columns belong to the table's owner. To change a column's owner, you must change the table's owner.

Syntax

--To change an object's owner:
nischown new-owner object-name...
--To change an entry's owner:
nischown new-owner [column=value,...],table-name...

Changing an Object's Owner

To change an object's owner, use the following syntax:
nischown new-owner object-name
Be sure to append the domain name to both the object name and new owner name. This example changes the owner of the Hosts table in the Wiz.Com. domain to grant.Wiz.Com.:

  client% nischown  grant.Wiz.Com.  hosts.org_dir.Wiz.Com.  

Changing a Table Entry's Owner

To change a table entry's owner, use an indexed name for the entry, as shown below (this syntax is fully described on page 144):
nischown new-owner [column=value,...],table-name
Be sure to append the domain name to both the new owner name and the table name. This example changes the owner of an entry in the Hosts table of the Wiz.Com. domain to lee.Eng.Wiz. The entry is the one whose value in the hostname column is virginia.

[Figure 9-7: image not reproduced]

The nischgrp Command

The nischgrp command changes the group owner of one or more objects or table entries. To use it, you must have Modify rights to the object or entry. The nischgrp command cannot change the group of a column, since the group assigned to a table's columns is the same as the group assigned to the table. To change a column's group owner, you must change the table's group owner.

Syntax

--To change an object's group:
nischgrp new-group object-name...
--To change an entry's group:
nischgrp new-group [column=value,...],table-name...

Changing an Object's Group

To change an object's group, use the following syntax:
nischgrp new-group object-name
Be sure to append the domain name to both the object name and new group name. This example changes the group of the Hosts table in the Wiz.Com. domain to admins.Wiz.Com.:

  client% nischgrp  admins.Wiz.Com.  hosts.org_dir.Wiz.Com.  

Changing a Table Entry's Group

To change a table entry's group, use an indexed name for the entry, as shown below (this syntax is fully described on page 144):
nischgrp new-group [column=value,...],table-name
Be sure to append the domain name to both the new group name and the table name. This example changes the group of an entry in the Hosts table of the Wiz.Com. domain to admins.Eng.Wiz.Com. The entry is the one whose value in the hostname column is "virginia."

[Figure 9-8: image not reproduced]