SUMMARY: Ways to restrict workstation access under YP/Solaris 2.5

From: Louis C. Liao (
Date: Thu Oct 03 1996 - 10:27:26 CDT

This is truly a wonderful list. Thanks to the following folks for
so quickly:

"Brian T. Wightman" <>
Erin Copeland <>
Phil Poole <>
Rasana Atreya <>
scott hollatz <> (Choi)
Waqar Hafiz <>

My question was:

> What's the easiest (and secure) way to restrict access to a particular
> group while running yp under Solaris 2.5?
> Specifically, I don't want to individually list each user in that group
> in the password file while running in compat mode. I just want a group
> entry so that whenever user gets deleted or added to the group list,
> I don't have to update all the client nodes.

Three distinct answers were given:
1) idled (suggested by Phil Poole),
2) tcp_wrappers (suggested by Erin Copeland),
3) netgroup in passwd file.

Although 1) and 2) were great packages, but did not suite our needs.
I opted for option 3, and here is what I did:

1) generate a netgroup entry for the specific group that wanted
   restricted access to their group's workstations, then push the
   map out.

2) On the workstation needing the restriction:
        a.) vi /etc/nsswitch.conf file, modified the "passwd:" entry to
                give it the compat option.
        b.) create a simple C program to display the login denied message
                and compiled it.
        c.) vi passwd file, and added at the bottom:
        d.) pwconv

That did it.

P.S.: I actually knew about the netgroup setup, but I was hoping to
avoid it,
because that means that I'll have to write a script later to update
netgroup file automatically whenever passwd, hosts, or group file gets
updated. But since there's no more suitable ideas, guess I'll just have
bite the bullet and write that script.

            \\\//  oOOo       
            |o -|   ||
| Louis Liao,ASE (  W:714-952-6485 |
|         EDS - Unigraphics         F:714-952-5758 |

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:11 CDT