High Level SunOS checklist
- SunOS system checklist
- Superuser access
- Login/password administration
- Monitoring suid/sgid programs
- System/user file/directory permission
Recommend installing Automated Security Enhancement Tool on SunOS4.x
systems and to use the tool in SunOS 5.x.
1. SunOS Environment Overview
- Record serial numbers of all systems, peripherals, network
interfaces and keep in a secure location.
- Make individual set of bootable tapes for each system and
store in a secure location. Tapes should be labelled
clearly for each system.
- Enable accounting per instructions found in Sun System
Management Guide.
- Run commands to determine system inventory:
- Use the 'sysinfo' package to get detailed kernel
information. This generates a complete report of the
system configurations with host, memory, OS and
device info. This package is available via anonymous
ftp and is provided with this report. NOTE: this
tool doesn't run under Solaris 2.0.
For these systems, use the sysdef or prtconf commands
- Standard sun command to do this is: devinfo
- List software inventory: ls -R /opt (SUNOS5.x)
pkginfo (SUNOS5.x)
Use Software Manager
tool (SUNOS5.x)
ls /usr (SUNOS4.x)
- Display system config info:
/usr/sbin/prtconf (SUNOS5.X)
/usr/sbin/sysdef (SUNOS5.x)
- List machine hardware name, node name,
operating system release, system name,
OS version:
uname -a
- Display architecture type: arch (SUNOS4.x)
- List all hardware connected to system:
devinfo, prtconf, sysdef, dkinfo, prtvtoc
hostid, lpstat commands(SUNOS5.x),
ls -l /devices (SUNOS5.x)
- list NFS status
ps ax |grep nfs (SUNOS4.x)
ps -ef |grep nfs (SUNOS5.x)
- list inet service:
cat /etc/inetd.conf (SUNOS4.x)
cat /etc/inetd.conf (SUNOS5.x)
- list host table entries: cat /etc/hosts
- list nameserver entries: cat /etc/resolv.conf
- list network status: netstat -i
netstat -nr
- examine failed logins:
grep failed /var/adm/messages
- examine user group definitions:
cat /etc/group
- examine user information:
more /etc/passwd
more /etc/passwd.adjunct(SUNOS4.x)
- Searches for .rhosts, .netrc files:
find / -name '.rhosts' -print
find / -name '.netrc' -print
- Searches for hosts that can use r-commands:
if [ -x /etc/inetd -a -f
/etc/hosts.equiv ]; then
echo " the following hosts are allowed to rsh, rcp, rlogin"
echo
cat /etc/hosts.equiv | grep -v "#"
echo " "
fi
- Checks to see who can submit remote print jobs
if [ -x /etc/inetd -a -f /etc/hosts.lpd ];
then echo " the following hosts are allowed to sbumit remote print jobs"
echo " ONLY"
cat /etc/hosts.lpd | grep -v "#"
echo " "
- Check NFS status
- use these commands to check the status of
your NIS/NFS subsystems.
- check to see if nfs/nis is active:
ps ax |grep nfs(SUNOS4.x)
ps ax |grep biod(SUNOS4.x)
ps -ef | grep nfs (SUNOS5.x)
ps -ef | grep biod (SUNOS5.x)
- checks to see if this system is an NFS server:
if [ -x /usr/etc/nfsd -a -f /etc/exports ]; then
echo "This machine is an NFS server"
- displays which directories are exported:
cat /etc/xtab(SUNOS4.x)
cat /etc/exports(SUNOS4.x)
cat /etc/dfs/dfstab (SUNOS5.x)
- displays hosts that are exporting directories:
/usr/etc/showmount
- if the host is a client, show what's mounted
from remote systems:
mount | grep -v "^ "
- checks to see if nis is active:
isypset=`domainname | /bin/grep "^[a-zA-Z]"`
- if so, display the NIS domainname:
/usr/bin/domainname
- List connected network interfaces:
devinfo
The ethernet interfaces usually start with the
letters "le".
- Display tcp/ip parameters for the ethernet i/f:
ifconfig le0
2. Superuser Access
- keep root users to a minimum
- audit su command.
- Make sure /etc/profile doesn't include current directory.
- check perms on /usr/bin/crontab (the cron control file).
Only root should have read access to this file.
- Disable direct logins for root by setting LOGIN=FALSE in the
Admintool User Management screen (SUNOS 5.x).
- Consider leaving Console entry in /etc/ttytab as not secure.
This will force entering the root password before booting the
system up in single-user mode. (SUNOS 4.x)
This prevents someone from entering L1-A abort sequence and
booting single-user. Enable this feature if systems are in
an "OPEN" area.(SUNOS 4.x)
- modify /etc/default/su as needed. Place sulog info in a
separate log from the standard syslog.
- Check to see which users are defined as root:
awk 'BEGIN { FS=":" } { if ($3 == "0" || $3 == "") print $1 }' < /etc/passwd
3. Login/password administration
- Define password/user characteristics in /etc/default/passwd,
/etc/default/login, /etc/default/su (SUNOS5.x)
- Minimum requirements (defined in
/etc/default/passwd):
- MAXWEEKS=12
- MINWEEKS
- PASSLENGTH=6
- Set minimum default values for admintool fields
used when adding a user (SUNOS5.x)
- login=true
- su=false
- daemon=true
- rlogin=false
- sugroups=ALL
- ttys=ALL
- umask=027
- expire=0
- Enable maximum password age:
/usr/bin/passwd -x #days username (SunOS 4.x)
- Enable minimum passwd age:
/usr/bin/passwd -n #days username (SunOS 4.x)
- Immediately expire a user password:
/usr/bin/passwd -e user (SunOS 4.x)
- Display Password aging info:
/usr/bin/passwd -d user (SunOS 4.x)
/usr/bin/passwd -d -a (SunOS 4.x)
-
- review /etc/passwd, /etc/passwd.adjunct (SUNOS4.x),
/etc/shadow (SUNOS5.x)
/etc/security/group regularly
- If systems are NIS'd, use 'ypcat passwd' to get passwd file
in standard format and then run CRACK against it to check
for weak passwords. Use npasswd for proactive checking. Run
CRACK regularly to check for weak passwords. Run COPS regularly.
- change the default group name from staff to something local.
- Make appropriate changes for system-wide envrionment variables
in /etc/profile (SUNOS 5.x). Timeout values (TMOUT) can be
should be set in this file also. Install other system
wide values in /etc/default/init.
- set default environment variables in /etc/skel/local.login,
/etc/skel/local.cshrc, /etc/skel/local.profile (SUNOS 5.X)
- CAUTION: when using NIS, the passwd file can be displayed
in standard unix format rather than in the shadow passwd
form. Make sure your NIS domain name is a well kept secret.
- SUNOS 5.x ONLY:
When removing a user from the system:
- delete user entry from NIS+ Passwd db, NIS passwd map,
or /etc/passwd
- delete user entru from NIS+ Group db, NIS group map,
or /etc/group
- remove user entry from any printer access/deny list
- Archive/delete user files
- delete user mail files in /var/spool/mail and any
alias in /etc/aliases
- remove user entry from Auto_home db.
4. SUID/SGID
- Review all suid/sgid programs owned by root, daemon, bin or
groups: bin, kmem, mail. Initial list should contain owner,
group, perms and checksum. All suid/sgid programs should be
mode 511 minimum
- use: find / -perm 1000 -print
find / -perm 2000 -print
find / -perm 4000 -print
alternatively to search for setuid, setgid and sticky bit files.
5. System/user file/directory permissions
- system dirs should have perm 755 minimum.
- system dirs used by root for programs should be owned by root.
- set sticky bit on /tmp, /usr/tmp
- UUCP, cron table, syslogs, system source code should be
closed to general users.
- monitor checksums for: login, su, passwd, cu, crypt, tip,
rlogin. Use sysck command to do this.
- Only one copy of system commands and these should be in the
system dir.
- Device file perms:
disk, storage, tape, network device files: 600, owned
by root.
tty device files: 622, owned by root.
/dev/null: 777
- list all hidden files in dirs (the .files)
- list all writable dirs. Use find command to do this.
- user HOME dirs should be mode 710. Mode 711 allows others
to inspect subdirs with permission.
- .profile, .login files should be mode 600 or 640.
- set appropriate umask in /etc/profile(SUNOS 5.x)o
- verify setup commands in $OPENWINHOME/lib/Xinitrc (SUNOS5.x),
/usr/openwin/lib/Xinitrc (SUNOS4.x)
- search for unowned files: find / -nouser -print
Do not remove files from /dev.
- Check for 'at' jobs owned by root and verify their function.
- Restrict r-command usage.
1. Advise users to not use rsh, rcp, rlogin, tftp unless
you have secured them. Do not use .rhosts,
/etc/hosts.equiv or .netrc files.
2. Disable the tip and cu commands to prevent connections to other
machines via phone lines.
3. set /etc/hosts to 660. Review its contents regularly. .netrc should never be used because They contain unencrypted password info.
4. verify active inetd services by examining /etc/inetd.conf (SUNOS 4.x)
or /etc/inetd/* (SUNOS5.x). Comment out unnecessary services
Consider disabling the following services unless needed:
rshd, rlogind, tftpd, rlogin, rcp, rsh, tftp, trpt. It is
reversible. Note that Sun diskless systems may use tftp to download
code to them.
5. check .rhosts, .netrc, /etc/hosts.equiv, /etc/hosts,
/etc/inetd.conf regularly against checklist version.
6. use netstat -p to look for failed connection attempts.
7. verify contents of /etc/exports and run exportfs -a
to implements the changes.(SUNOS4.x) Verify the contents of
/etc/dfs/dfstab (SUNOS5.x)
8. change ftp entry in /etc/inetd.conf to ftpd -l to enable logging.
9. set permission of exported dirs to be as limited as
possible. Do NOT export high level dirs unless necessary.
10. Recommend using Automated Security Enhancement Tool (ASET). This
is an unbundled package for v4 systems and is built in v5 systems.
It allows you to define a low/medium/high security level for your
systems and does the following:
- verifies system file permissions, contents.
- checks the integrity of group file entries
- Checks system configuration files
- checks environment files - .logn, .profile, .cshrc
- verifies EEPROM settings to restrict console access
- Aids in setting up a firewall system.
FOR SUNOS 4.x
- verify file permission for:
/dev/kmem - read from group 'kmem'
/dev/mem - ""
/dev/rxy*
/dev/xy* - read from group 'operator'
- Standard suid programs to root:
/usr/bin/at*
/usr/bin/chfm, chsh
/usr/bin/mail, login, su, newgrp,cu,tip
- Standard system dir perms: owner: root, mode 755
/, /dev, /etc, /usr, /var, /usr/etc, /usr/lib, /usr/bin,
/usr/spool, /usr/kvm, /etc/security
- /etc/passwd: owner: root, mode 644
Verify all users have passwords:
grep -v "##" /etc/passwd
***
SUNOS 4.x AUDIT Setup
- Determine the occurences to be audited.
- audit event types: per process - to audit each process a user
runs, per object - to audit object accesses and the mode of
access (r, Rw, success/fail). objects are defined in objects.
Defined audit classes are:
dr, data_read: Read data, Open for read
dw, data_write: Write/modify data
dc, data_create: Creation/deletion of any object
da, data_access_change: Change in object permissions
lo, login_logout: login/logout, at job creation
ad, administrative: Normal admin operations
p0, minor_privilege: Privileged operation
p1, major_privilege: Unusual privileged operation
- Define the audit flag for these events. The default is to
report on success OR failure.
- the audit file is kept in /etc/security/audit/(server)
The default perms on these files is: owner: audit, perm: 0700
- NOTE: userid 'audit' is the only id NOT audited. Check its
status regularly.
- Determine the system audit value, user audit values. This
defines the system audit state.
- audit classes are defined in config.
- audit record formats are found in /usr/include/sys/audit.h
General Steps to change System and User Audit state:
- System audit state:
change flags in /etc/security/audit/audit_control
Enter: audit -s
- User audit state:
Permanent change: change audit field in userid entry
in /etc/security/passwd.adjunct.
Enter: audit -d
Immediate change:
Enter: audit -u
- Switch audit files: audit -n
- Force reread of audit control files: audit -s
- Stop auditing: audit -t
- Use 'praudit' command to report in long format.
- Report each audited event in a single line:
praudit -l
- to monitor audit trail continuously:
tail t0f | praudit -l -s
The is usually
/etc/security/audit/audit_state
- Recommend doing a minimal amount of auditing until a
problem occurs. Ramp up auditing as needed to contain
an incident. Save logs in a separate, secure place,
Time-tagged.
- Review the output after a certain period of time
to make sure it's what you want.
11. use the 'watch' command to observe audit events for a program you're
not sure of.
12. Verify contents of crontab files in /var/spool/crontabs.
List them using the crontab editor, /usr/bin/crontab .
Verify /var/spool/cron/crontabs/root files are owned by root.
13. Carefully manage which users are to be members of the 'sysadmin'
group (GID 14).
14. Solaris 2.x systems come with some builtin Kerberos support:
- Kerberos client application library support
- keberized secure RPC option
- kerberized NFS application
- Kerberos ticket administration commands: kadmin, kedit,
kinit, kdestroy.
15. List all files in your system:
cd /
ls -Racl > filename
save the output offline.
16. check for failed logins by: who -a /etc/security/failedlogin
17. Do not allow IFS (input field separator) to be changed in
/etc/profile and monitor its usage in user profiles.
18. Default file permissions are 644 for files and 755 for dirs.
- set user profile files to 740
- System dirs should have other perms = 0
19. Keep track of these adminstrative files and archive as necessary:
- usr/adm/cron/log
- /usr/adm/wtmp
- /usr/adm/pacct
- /var/adm/messages
- /var/adm/acct/nite/*
- /var/adm/dtmp
- /var/adm/qacct
- /var/adm/acct/sum/*
- /var/adm/acct/fiscal/*
- /usr/mail/*
- /etc/utmp
- /etc/security/failedlogin
20. Do not use UUCP unless absolutely necessary.
21. Use the 'strings' command to check any suspicious binaries.
22. Install unbundled C2 security product for SunOS 5.x systems.
Upgrade to C2 level security (SunOS 4.x).
- Required Kernel Option: SYSAUDIT, UFS, QUOTA
- if not in the kernel, then add and rebuild kernel according
to instructions in Sun System Management guide.
- If no DES chip is installed, then add CRYPT option to kernel.
- Entire NIS domain must be under C2. Add -s option to
the ypbind command in /etc/rc.local
- boot system as single-user
- run /usr/etc/c2conv
- if in NIS environment, change rpc.yppasswdd entry
in /etc/rc.local to point to /etc/passwd.adjunct.
- Verify uid/gid for username 'audit' are unique
- Uncomment 'auditd' line in /etc/rc.local
23. route copies of syslogs to a central machine. Edit /etc/syslog.conf
and do the following:
1. Add the following line:
*.debug @host
where host is the hostname of the central machine.
2. Place authentication messages in a separate syslog file, for
example, /var/adm/seclog:
auth.debug /var/adm/seclog
3. Place others in a file other than the standard syslog
file, /var/adm/messages.
24. Archive system logs by creating a shell script that does the
following:
1. cd /var/adm
2. mv -f messages messages.old
3. cp /dev/null messages
4. chmod 644 messages
5. ps ax |grep syslog
6. kill -1 (syslog pid # from step 5)
7. move messages.old to the archive site.
note: make sure you use the name of the syslog file in these steps.
The name 'messages' is the standard syslog name and if you
changed the default name (per step 23), make sure you use that name.
25. Enable logging on ftp by adding '-l' option to 'ftp' entry in
/etc/inetd.conf
26. Install NTP on every machine in the network.
27. If the system is compromised:
- shutdown, reboot as single user
- mount /usr, copy /usr/bin, /usr/lib to a temp directory.
- mount the original distribution tape/cd and reinstall the
system.
- compare /usr/bin, /usr/lib with originals. If different,
you have problems.
- Alternate step: obtain checklist of system and compare with
original checklist.
- mount /home, run find, ncheck to search for setuid, trojan
horse programs
- change ALL passwords, notify users and ask them to check their
files.
- If the CISO/LISO determines the attack is sever, obtain the
necessary information and notify the Computer Emergency
Response Team (CERT). Contacting CERT lets you determine
if the attack is Internet-wide or an isolated incident.
You should provide the following info:
- compromised host names
- OS system/version of compromised systems
- Security patches that have been installed on th
compromised systems.
- user account names that have been compromised.
- other hosts involved
- Contact info of any other affected sites.
- permission to allow CERT to give out your name
to other affected sites.
- has law enforcement been contacted?
- system log summaries
- what type of assistance you want from CERT
- The following is a contact list of people to notify in the
event of an incident:
This is a list of contact information for incident response teams
participating in FIRST, the Forum of Incident Response and Security
Teams. This list is updated periodically; a master copy of this
list is available from the FIRST Secretariat via anonymous ftp at
csrc.ncsl.nist.gov (129.6.54.11), file pub/first/first-contacts,
or by sending e-mail to docserver@first.org with the message:
send first-contacts
If you can't figure out who to call, contact a response team or the
FIRST Secretariat at (301) 975-5200 or first-sec@first.org
The following list is alphabetized by constituency. '24/7' == phone
is monitored 24 hours, 7 days/week. E-mail addresses are reachable
via the Internet. All telephone numbers are preceded with the
appropriate county code; U.S. callers add "011" to call non-U.S.
and non-Canada numbers.
---
Constituency: Air Force - U.S. Air Force
Response Team: AFCERT
E-mail: rimason@dockmaster.ncsc.mil
Telephone: +1-800-854-0187, 24/7
FAX: +1-512-925-1814
---
Constituency: Department of Defense (Services and Command)
Response Team: DoD's ASSIST (Automated Systems Security Incident
Support Team)
E-mail: dod-cert@ddn-conus.ddn.mil
Telephone: +1-703-696-1904, 9-5PM, EST
Emergency Phone: +1-800-SKY-PAGE, pin #2133937 (pager)
FAX: +1-202-373-2673
---
Constituency: Digital Equipment Corporation and Customers
Response Team: SSRT (Software Security Response Team)
E-mail: rich.boren@cxo.mts.dec.com
Telephone: +1-800-354-9000
Emergency Phone: +1-719-592-4689
FAX: +1-719-592-4121
---
Constituency: DOW USA
Response Team: DOW USA
E-mail:
Telephone: +1-517-636-8738
Emergency Phone: +1-517-832-0029
FAX: +1-517-638-7705
---
Constituency: Energy - U.S. Department of Energy sites and Energy
Sciences Network (ESnet)
Response Team: CIAC (Computer Incident Advisory Capability)
E-mail: ciac@llnl.gov
Telephone: +1-510-422-8193, 24/7
FAX: +1-510-423-8002
---
Constituency: Germany - Southern Area
Response Team: Micro-BIT Virus Center
E-mail: ry15@rz.uni-karlsruhe.de
Telephone: +49-721-37-64-22
FAX: +49-721-32-55-0
---
Constituency: Internet
Response Team: CERT/CC (Computer Emergency Response
Team/Coordination Center)
E-mail: cert@cert.org
Telephone: +1-412-268-7090, 24/7
FAX: +1-412-268-6989
---
Constituency: Motorola
Response Team: Motorola Computer Emergency Response Team (MCERT)
E-mail: mcert@mot.com
Telephone: +1-708-576-0669
Emergency Phone: +1-708-576-1616
FAX: +1-708-576-2259
---
Constituency: MILNET
Response Team: DDN (Defense Data Network)
E-mail: scc@nic.ddn.mil
TeLephone: +1-800-365-3642, 8-5PM, EST
Emergency Phone: +1-202-692-2714, 24/7
FAX: +1-703-692-5071
---
Constituency: NASA - NASA and NASA-Sponsored Wide-Area TCP/IP
and DECnet Systems
Response Team: NASA Science Internet (NSI) Security Office
E-mail: security@nsinic.gsfc.nasa.gov
Secondary E-mail: tencati@nsi-security.gsfc.nasa.gov
Telephone: +1-202-434-4541, 9-5PM, EST
Emergency Phone: +1-800-SKY-PAGE, pin #5460866 (pager)
Fax: +1-202-434-4599
---
Constituency: NASA - NASA Ames Reseach Center
Response Team: NASA Ames
E-mail: yee@ames.arc.nasa.gov
Telephone: +1-415-604-3812, 8-5PM, PST
After Hours: +1-415-807-1821 (pager)
FAX: +1-415-604-6999
---
Constituency: NAVY - U.S. Department of the Navy
Response Team: NAVCIRT (Naval Computer Incident Response Team)
E-mail: navcirt@dockmaster.ncsc.mil
Telephone: +1-202-282-2601, 7-5PM, EST
Emergency Phone: +1-800-759-8255, pin #+1-2021306 (pager)
FAX: +1-202-282-0411
---
Constituency: Penn State - The Pennsylvania State University
Response Team: Penn State
E-mail: lambert@cs.psu.edu
Telephone: +1-814-863-1241, 8-5PM, EST
After Hours: +1-814-238-6881
FAX: +1-814-865-3176
---
Constituency: Purdue University
Response Team: PCERT
E-mail: pcert@cs.purdue.edu
Telephone: +1-317-494-3561
After Hours: +1-317-474-7094
FAX: +1-317-494-6440
---
Constituency: SPAN-France
Response Team: SPAN France
E-mail: harvey%meudon.dnet@east.gsfc.nasa.gov
Telephone: +33-1-4-507-2805
FAX: +33-1-4-507-2806
---
Constituency: Sprint - U.S. Sprint
Response Team: Sprint DNSU
E-mail: /PN=DATANETWORK.SECURITY/O=US.SPRINT/ADMD=TELEMAIL
/C=US/@sprint.com
E-mail: /PN=CORPINFO.SECURITY/O=US.SPRINT/ADMD=TELEMAIL
/C=US/@sprint.com
Telephone: +1-703-689-7317, 8-5PM, EST
After Hours: +1-800-SKY-PAGE, pin #44260 (pager)
FAX: +1-703-689-7380
---
Constituency: Customers of Sun Microsystems
Response Team: Sun Microsystem's Customer Warning System (CWS)
E-mail: security-alert@sun.com
Telephone: +1-415-688-9080
Emergency Phone: +1-415-688-9081
FAX: +1-415-688-9101
---
Constituency: SURFnet connect sites, Netherlands
Response Team: SURFnet Computer Emergency Response Team
E-mail: cert-nl@surfnet.nl
Telephone: +31-30-310290
Emergency Phone: +31-6-5287-9282
FAX: +31-30-340903
---
Constituency: TRW Network Area and System Administrators
Response Team: TRW's CERCUS (Computer Emergency Response Committee
for Unclassified Systems
E-mail: cercus@gumby.dsd.trw.com
Telephone: +1-310-812-1839, 9-5PM, PST
Emergency Phone: +1-310-841-8943 (pager)
FAX: +1-310-813-4621
---
Constituency: UK - all government departments and agencies
Response Team: CCTA IT Security & Infrastructure Group
E-mail: carr@csrc.ncsl.nist.gov
Telephone: +44-71-217-3053
Emergency Phone: +44-71-217-3023
FAX: +44-71-217-3449
---
Constituency: Unisys Internal and External Users
Response Team: UCERT
E-mail: garb@dockmaster.ncsc.mil
Telephone: +1-215-986-4038
Emergency Phone: +1-215-757-1862
FAX: +1-212-986-4409
---
Constituency: Westinghouse Electric Corporation
Response Team: (W)CERT
E-mail:
Telephone: +1-412-642-3097
Emergency Phone: +1-412-642-3444
FAX: +1-412-642-3871
---
28. Recommend installing the 'securelib' software from Northwestern U.
This package installs wrapper code around shared C library kernel
calls: accept, recvfrom, recvmsg (by default).
29. Recommend installing the 'Socks' package from NASA. This package
is an Internet socket service that facilitates creation of a
firewall system. It establishes a connection to a daemon at the
firewall site and transmits information to it. The firewall daemon
acts as if it were the originator of the request.
30. Recommend installing the 'swatch' system log monitoring facility
from Stanford Univ. This utility filters syslog entries for user
specified actions and if an event occurs, 1) mails a note to a
user 2) executes a script 3) does some user specified action.
31. Recommend examining the 'tcpr' package which allows you to run ftp
and telnet commands across a firewall.
NOTE: the software recommended in steps 28-31 is public domain software.
32. Recommend installing SunNet Manager. I don't have any detailed
experience with this particular packages, however, my experience with
other SNMP packages such as Netview, tells me this is an important tool
to have running in your environment.
33. Recomment obtaining 'CrackLib' C library routine which will allow
you to insert proactive passwd checking to any application.
Future versions can be be applied to VMS systems. This set of
libraries is based on Crack version 5.
33. Possible NFS security issues:
- netgroups are combinations of hostnames/usernames specified
in /etc/netgroup (generally)
- Things to remember with /etc/exports
If the access list for a directory contains:
1. nothing - the dir can be mounted by anyone who can
access the host. This includes off-site
hosts.
2. hostname - the directory can be mounted by anyone
on the host who can mount the directory.
This includes PC systems!
3. netgroup - if the netgroup is empty, same as point 1.
4. "(,,)" - same as previous point
5. "(host,,) - same as point 2.
6. "(,username,)" - username from ANY HOST can access
the dir.
7. a MISSPELLED word - if the word doesn't match a
valid host, then the word is
assumed to be a null netgroup.
see point 3.
The recommended way to define a null netgroup is:
netgroup-name (-,-,-)
34. NIS - mail aliases
- Under NIS, be very careful with aliases NIS maps.
- This is because if mail can't been resolved locally, the
NIS mail.aliasses map is checked.
- You can use the pipe facility (sending files to programs)
under mail.
- If an unknown alias appears in the map then someone could
send mail to that id.
Virginia Tech Computing Center
Send Suggestions or Comments to Page Maintainer
Last updated: April 9, 1996