Displaying the Value of NIS_DEFAULTS

You can check the setting of an environment variable by using the echo command, as shown below:

client% echo $NIS_DEFAULTS
owner=butler:group=gamblers:access=o+rmcd

You can also display a general list of the NIS+ defaults active in the namespace by using the nisdefaults command as described in Displaying NIS+ Defaults--The nisdefaults Command.

Changing Defaults

You can change the default access rights, owner, and group, by changing the value of the NIS_DEFAULTS environment variable. Use the environment command that is appropriate for your shell (setenv for C-shell or $NIS_DEFAULTS=, export for Bourne and Korn shells) with the following arguments:

• access=right, where right are the access rights using the formats described in Specifying Access Rights in Commands.

• owner=name, where name is the user name of the owner.

• group=group, where group is the name of the default group

You can combine two or more arguments into one line separated by colons:

-owner=principal-name:-group=group-name

Table 15-13 shows some examples:

Table 15-13 Changing Defaults--Examples

All objects and entries created from the shell in which you changed the defaults will have the new values you specified. You cannot specify default settings for a table column or entry; the columns and entries simply inherit the defaults of the table.

Resetting the Value of NIS_DEFAULTS

You can reset the NIS_DEFAULTS variable to its original values, by typing the name of the variable without arguments, using the format appropriate to your shell:

For C shell

client# unsetenv NIS_DEFAULTS

For Bourne or Korn shell

client$ NIS_DEFAULTS=; export NIS_DEFAULTS

Specifying Nondefault Security Values at Creation Time

You can specify different (that is, nondefault) access rights, owner, and group, any time that you create an NIS+ object or table entry with any of the following NIS+ commands:

• nismkdir--Creates NIS+ directory objects

• nisaddent--Transfers entries into an NIS+ table

• nistbladm--Creates entries in an NIS+ table

To specify security values other than the default values, insert the -D option into the syntax of those commands, as described in Specifying Access Rights in Commands.

As when setting defaults, you can combine two or more arguments into one line. Remember that column and entry's owner and group are always the same as the table, so you cannot override them.

For example, to use the nismkdir command to create a sales.doc.com directory and override the default access right by granting the owner only read rights you would type:

client% nismkdir -D access=o+r sales.doc.com

Changing Object and Entry Access Rights

The nischmod command operates on the access rights of an NIS+ object or table entry. It does not operate on the access rights of a table column; for columns, use the nistbladm command with the -D option. For all nischmod operations, you must already have modify rights to the object or entry.

Using nischmod to Add Rights

To add rights for an object or entry use:

For object

nischmod class+right object-name

For table entry

nischmod class+right [column-name=value],table-name

For example, to add read and modify rights to the group of the sales.doc.com. directory object you would type:

client% nischmod g+rm sales.doc.com.

For example to add read and modify rights to group for the name=abe entry in the hosts.org_dir.doc.com. table you would type:

client% nischmod g+rm '[name=abe],hosts.org_dir.doc.com.'

Using nischmod to Remove Rights

To remove rights for an object or entry use:

For object

nischmod class-right object-name

For entry

nischmod class-right [column-name=value],table-name

For example, to remove create and destroy rights from the group of the sales.doc.com. directory object you would type:

client% nischmod g-cd sales.doc.com.

For example to remove destroy rights from group for the name=abe entry in the hosts.org_dir.doc.com. table, you would type:

client% nischmod g-d '[name=abe],hosts.org_dir.doc.com.'

Specifying Column Access Rights

The nistbladm command performs a variety of operations on NIS+ tables. Most of these tasks are described in The nistbladm Command. However, two of its options, -c and -u, enable you to perform some security-related tasks:

• The -c option. The -c option allows you to specify initial column access rights when creating a table with the nistbladm command.

• The -u option. The -u option allows you to change column access rights with the nistbladm command.

Setting Column Rights When Creating a Table

When a table is created, its columns are assigned the same rights as the table object. These table level, rights are derived from the NIS_DEFAULTS environment variable, or are specified as part of the command that creates the table. You can also use the nistbladm -c option to specify initial column access rights when creating a table with nistbladm. To use this option you must have create rights to the directory in which you will be creating the table. To set column rights when creating a table use:

nistbladm -c type `columname=[flags] [,access]... tablename'

Where:

• type is a character string identifying the kind of table. A table's type can be anything you want it to be.

• columnname is the name of the column.

• flags is the type of column. Valid flags are:

  • S for searchable

  • I for case insensitive

  • C for encrypted

  • B for binary data

  • X for XDR encoded data

• access is the access rights for this column that you specify using the syntax described in Specifying Access Rights in Commands.

• ... indicates that you can specify multiple columns each of the own type and with their own set of rights.

• tablename is the fully qualified name of the table you are creating.