Displaying the Value of NIS_DEFAULTS
You can check the setting of an environment variable by using the echo command, as shown below:
client% echo $NIS_DEFAULTS
owner=butler:group=gamblers:access=o+rmcd
You can also display a general list of the NIS+ defaults active in the namespace by using the nisdefaults command as described in "Displaying NIS+ Defaults--The nisdefaults Command".
Changing Defaults
You can change the default access rights, owner, and group by changing the value of the NIS_DEFAULTS environment variable. Use the environment command that is appropriate for your shell (setenv for C shell, or NIS_DEFAULTS=value followed by export NIS_DEFAULTS for Bourne and Korn shells) with the following arguments:
access=right, where right are the access rights using the formats described in "Specifying Access Rights in Commands".
owner=name, where name is the user name of the owner.
group=group, where group is the name of the default group.
You can combine two or more arguments into one line separated by colons:
owner=principal-name:group=group-name
Table 15-13 shows some examples:
Table 15-13 Changing Defaults--Examples
Tasks | Examples |
---|---|
This command grants owner read access as the default access right. | client% setenv NIS_DEFAULTS access=o+r |
This command sets the default owner to be the user abe whose home domain is doc.com. | client% setenv NIS_DEFAULTS owner=abe.doc.com. |
This command combines the first two examples on one code line. | client% setenv NIS_DEFAULTS access=o+r:owner=abe.doc.com. |
All objects and entries created from the shell in which you changed the defaults will have the new values you specified. You cannot specify default settings for a table column or entry; the columns and entries simply inherit the defaults of the table.
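Because these defaults apply silently to everything created from the shell, it is worth checking the value before creating objects. The following is an added example, not part of the original guide: a hypothetical helper, risky_access_grants, that lists access expressions granting modify, create or destroy rights to the nobody, world or all class. It assumes the NIS+ class letters n, o, g, w, a and comma-separated access expressions from the access-rights syntax this page references but does not reproduce.

```shell
#!/bin/sh
# Added example (not from the original guide): list the access expressions in a
# NIS_DEFAULTS-style string that would grant modify, create or destroy rights
# to the nobody (n), world (w) or all (a) class.
# Assumption: class letters n/o/g/w/a and rights r/m/c/d as in NIS+ syntax.

risky_access_grants() {
    # Arguments are colon-separated: owner=...:group=...:access=...
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r arg; do
        case $arg in
            access=*) ;;
            *) continue ;;          # owner= and group= are not checked here
        esac
        # One access argument may hold several comma-separated expressions.
        printf '%s\n' "${arg#access=}" | tr ',' '\n' | while IFS= read -r expr; do
            classes=${expr%%[-+=]*}     # class letters before the operator
            rest=${expr#"$classes"}     # operator followed by the rights
            rights=${rest#?}
            op=${rest%"$rights"}
            [ "$op" = "-" ] && continue # removing rights is never a grant
            case $classes in *[nwa]*) ;; *) continue ;; esac
            case $rights in *[mcd]*) printf '%s\n' "$expr" ;; esac
        done
    done
}

# Constructed sample value, not taken from a real system:
risky_access_grants 'owner=abe.doc.com.:access=o+rmcd,g+r,w+rm'   # prints w+rm
```

Run it against the live setting with risky_access_grants "$NIS_DEFAULTS"; no output means none of the checked grants are present.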
Resetting the Value of NIS_DEFAULTS
You can reset the NIS_DEFAULTS variable to its original values by typing the name of the variable without arguments, using the format appropriate to your shell:
For C shell
client# unsetenv NIS_DEFAULTS
For Bourne or Korn shell
client$ NIS_DEFAULTS=; export NIS_DEFAULTS
Specifying Nondefault Security Values at Creation Time
You can specify different (that is, nondefault) access rights, owner, and group, any time that you create an NIS+ object or table entry with any of the following NIS+ commands:
To specify security values other than the default values, insert the -D option into the syntax of those commands, as described in "Specifying Access Rights in Commands".
As when setting defaults, you can combine two or more arguments into one line. Remember that the owner and group of a column or entry are always the same as those of the table, so you cannot override them.
For example, to use the nismkdir command to create a sales.doc.com directory and override the default access right by granting the owner only read rights, you would type:
client% nismkdir -D access=o+r sales.doc.com
Changing Object and Entry Access Rights
The nischmod command operates on the access rights of an NIS+ object or table entry. It does not operate on the access rights of a table column; for columns, use the nistbladm command with the -D option. For all nischmod operations, you must already have modify rights to the object or entry.
Using nischmod to Add Rights
To add rights for an object or entry use:
For object
nischmod class+right object-name
For table entry
nischmod class+right [column-name=value],table-name
For example, to add read and modify rights to the group of the sales.doc.com. directory object you would type:
client% nischmod g+rm sales.doc.com.
For example, to add read and modify rights to the group for the name=abe entry in the hosts.org_dir.doc.com. table, you would type:
client% nischmod g+rm '[name=abe],hosts.org_dir.doc.com.'
Using nischmod to Remove Rights
To remove rights for an object or entry use:
For object
nischmod class-right object-name
For entry
nischmod class-right [column-name=value],table-name
For example, to remove create and destroy rights from the group of the sales.doc.com. directory object you would type:
client% nischmod g-cd sales.doc.com.
For example, to remove destroy rights from the group for the name=abe entry in the hosts.org_dir.doc.com. table, you would type:
client% nischmod g-d '[name=abe],hosts.org_dir.doc.com.'
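To preview what a class+right or class-right operand leaves behind before running nischmod, the following added example (not part of the original guide) models the change on a rights string. It assumes the 16-character display form of NIS+ access rights, four positions (rmcd) each for nobody, owner, group and world, which this page does not show; apply_rights_expr is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the original guide): apply one nischmod-style operand
# such as g+rm or g-cd to a 16-character rights string.
# Assumption: the string is ordered nobody, owner, group, world, "rmcd" each,
# with "-" marking a right that is not granted.

apply_rights_expr() {
    current=$1
    expr=$2
    classes=${expr%%[-+]*}          # class letters before the operator
    rest=${expr#"$classes"}
    rights=${rest#?}                # rights letters after the operator
    op=${rest%"$rights"}            # "+" adds, "-" removes
    case $classes in *a*) classes="${classes}ogw" ;; esac   # a = owner, group, world
    result=""
    idx=0
    for class in n o g w; do
        for right in r m c d; do
            idx=$((idx + 1))
            bit=$(printf '%s' "$current" | cut -c "$idx")
            case $classes in *"$class"*)
                case $rights in *"$right"*)
                    if [ "$op" = "+" ]; then bit=$right; else bit=-; fi ;;
                esac ;;
            esac
            result=$result$bit
        done
    done
    printf '%s\n' "$result"
}

# Constructed starting value; the operand is the one used in the text above.
apply_rights_expr '----rmcdr---r---' 'g+rm'     # prints ----rmcdrm--r---
```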
Specifying Column Access Rights
The nistbladm command performs a variety of operations on NIS+ tables. Most of these tasks are described in "The nistbladm Command". However, two of its options, -c and -u, enable you to perform some security-related tasks:
The -c option. The -c option allows you to specify initial column access rights when creating a table with the nistbladm command.
The -u option. The -u option allows you to change column access rights with the nistbladm command.
Setting Column Rights When Creating a Table
When a table is created, its columns are assigned the same rights as the table object. These table-level rights are derived from the NIS_DEFAULTS environment variable, or are specified as part of the command that creates the table. You can also use the nistbladm -c option to specify initial column access rights when creating a table with nistbladm. To use this option, you must have create rights to the directory in which you will be creating the table. To set column rights when creating a table, use:
nistbladm -c type columnname=[flags][,access]... tablename
Where:
type is a character string identifying the kind of table. A table's type can be anything you want it to be.
columnname is the name of the column.
flags is the type of column. Valid flags are:
S for searchable
I for case insensitive
C for encrypted
B for binary data
X for XDR encoded data
access is the access rights for this column that you specify using the syntax described in "Specifying Access Rights in Commands".
... indicates that you can specify multiple columns, each of its own type and with its own set of rights.
tablename is the fully qualified name of the table you are creating.