| passwd.5 (50476) | passwd.5 (57695) |
|---|---|
| 1.\" Copyright (c) 1988, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 16 unchanged lines hidden (view full) --- 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93 | 1.\" Copyright (c) 1988, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 16 unchanged lines hidden (view full) --- 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93 |
| 33.\" $FreeBSD: head/share/man/man5/passwd.5 50476 1999-08-28 00:22:10Z peter $ | 33.\" $FreeBSD: head/share/man/man5/passwd.5 57695 2000-03-02 14:54:02Z sheldonh $ |
| 34.\" 35.Dd September 29, 1994 36.Dt PASSWD 5 37.Os 38.Sh NAME 39.Nm passwd 40.Nd format of the password file 41.Sh DESCRIPTION --- 143 unchanged lines hidden (view full) --- 185done with other shells. 186.Sh YP/NIS INTERACTION 187.Ss Enabling access to NIS passwd data 188The system administrator can configure 189.Tn FreeBSD 190to use NIS/YP for 191its password information by adding special records to the 192.Pa /etc/master.passwd | 34.\" 35.Dd September 29, 1994 36.Dt PASSWD 5 37.Os 38.Sh NAME 39.Nm passwd 40.Nd format of the password file 41.Sh DESCRIPTION --- 143 unchanged lines hidden (view full) --- 185done with other shells. 186.Sh YP/NIS INTERACTION 187.Ss Enabling access to NIS passwd data 188The system administrator can configure 189.Tn FreeBSD 190to use NIS/YP for 191its password information by adding special records to the 192.Pa /etc/master.passwd |
| 193file. These entries should be added with | 193file. 194These entries should be added with |
| 194.Xr vipw 8 195so that the changes can be properly merged with the hashed 196password databases and the 197.Pa /etc/passwd 198file ( 199.Pa /etc/passwd 200should never be edited manually). Alternatively, the administrator 201can modify --- 13 unchanged lines hidden (view full) --- 215.Tn FreeBSD Ns 's 216standard C library to begin using the NIS passwd maps 217for lookups. 218.Pp 219Note that the entry shown above is known as a 220.Em wildcard 221entry, because it matches all users (the `+' without any other information 222matches everybody) and allows all NIS password data to be retrieved | 195.Xr vipw 8 196so that the changes can be properly merged with the hashed 197password databases and the 198.Pa /etc/passwd 199file ( 200.Pa /etc/passwd 201should never be edited manually). Alternatively, the administrator 202can modify --- 13 unchanged lines hidden (view full) --- 216.Tn FreeBSD Ns 's 217standard C library to begin using the NIS passwd maps 218for lookups. 219.Pp 220Note that the entry shown above is known as a 221.Em wildcard 222entry, because it matches all users (the `+' without any other information 223matches everybody) and allows all NIS password data to be retrieved |
| 223unaltered. However, by | 224unaltered. 225However, by |
| 224specifying a username or netgroup next to the `+' in the NIS 225entry, the administrator can affect what data are extracted from the | 226specifying a username or netgroup next to the `+' in the NIS 227entry, the administrator can affect what data are extracted from the |
| 226NIS passwd maps and how it is interpreted. Here are a few example | 228NIS passwd maps and how it is interpreted. 229Here are a few example |
| 227records that illustrate this feature (note that you can have several 228NIS entries in a single 229.Pa master.passwd 230file): 231.Bd -literal -offset indent 232-mitnick::::::::: 233+@staff::::::::: 234+@permitted-users::::::::: 235+dennis::::::::: 236+ken:::::::::/bin/csh 237+@rejected-users::32767:32767::::::/bin/false 238 239.Ed 240Specific usernames are listed explicitly while netgroups are signified 241by a preceding `@'. In the above example, users in the ``staff'' and 242``permitted-users'' netgroups will have their password information | 230records that illustrate this feature (note that you can have several 231NIS entries in a single 232.Pa master.passwd 233file): 234.Bd -literal -offset indent 235-mitnick::::::::: 236+@staff::::::::: 237+@permitted-users::::::::: 238+dennis::::::::: 239+ken:::::::::/bin/csh 240+@rejected-users::32767:32767::::::/bin/false 241 242.Ed 243Specific usernames are listed explicitly while netgroups are signified 244by a preceding `@'. In the above example, users in the ``staff'' and 245``permitted-users'' netgroups will have their password information |
| 243read from NIS and used unaltered. In other words, they will be allowed 244normal access to the machine. Users ``ken'' and ``dennis,'' who have | 246read from NIS and used unaltered. 247In other words, they will be allowed 248normal access to the machine. 249Users ``ken'' and ``dennis,'' who have |
| 245been named explicitly rather than through a netgroup, will also have 246their password data read from NIS, _except_ that user ``ken'' will 247have his shell remapped to 248.Pa /bin/csh . 249This means that value for his shell specified in the NIS password map 250will be overridden by the value specified in the special NIS entry in 251the local 252.Pa master.passwd | 250been named explicitly rather than through a netgroup, will also have 251their password data read from NIS, _except_ that user ``ken'' will 252have his shell remapped to 253.Pa /bin/csh . 254This means that value for his shell specified in the NIS password map 255will be overridden by the value specified in the special NIS entry in 256the local 257.Pa master.passwd |
| 253file. User ``ken'' may have been assigned the csh shell because his | 258file. 259User ``ken'' may have been assigned the csh shell because his |
| 254NIS password entry specified a different shell that may not be 255installed on the client machine for political or technical reasons. 256Meanwhile, users in the ``rejected-users'' netgroup are prevented 257from logging in because their UIDs, GIDs and shells have been overridden 258with invalid values. 259.Pp 260User ``mitnick'' will be be ignored entirely because his entry is 261specified with a `-' instead of a `+'. A minus entry can be used 262to block out certain NIS password entries completely; users who's 263password data has been excluded in this way are not recognized by | 260NIS password entry specified a different shell that may not be 261installed on the client machine for political or technical reasons. 262Meanwhile, users in the ``rejected-users'' netgroup are prevented 263from logging in because their UIDs, GIDs and shells have been overridden 264with invalid values. 265.Pp 266User ``mitnick'' will be be ignored entirely because his entry is 267specified with a `-' instead of a `+'. A minus entry can be used 268to block out certain NIS password entries completely; users who's 269password data has been excluded in this way are not recognized by |
| 264the system at all. (Any overrides specified with minus entries are | 270the system at all. 271(Any overrides specified with minus entries are |
| 265also ignored since there is no point in processing override information 266for a user that the system isn't going to recognize in the first place.) 267In general, a minus entry is used to specifically exclude a user 268who might otherwise be granted access because he happens to be a | 272also ignored since there is no point in processing override information 273for a user that the system isn't going to recognize in the first place.) 274In general, a minus entry is used to specifically exclude a user 275who might otherwise be granted access because he happens to be a |
| 269member of an authorized netgroup. For example, if ``mitnick'' is | 276member of an authorized netgroup. 277For example, if ``mitnick'' is |
| 270a member of the ``permitted-users'' netgroup and must, for whatever 271the reason, be permitted to remain in that netgroup (possibly to 272retain access to other machines within the domain), the administrator 273can still deny him access to a particular system with a minus entry. 274Also, it is sometimes easier to explicitly list those users who aren't 275allowed access rather than generate a possibly complicated list of 276users who are allowed access and omit the rest. 277.Pp 278Note that the plus and minus entries are evaluated in order from | 278a member of the ``permitted-users'' netgroup and must, for whatever 279the reason, be permitted to remain in that netgroup (possibly to 280retain access to other machines within the domain), the administrator 281can still deny him access to a particular system with a minus entry. 282Also, it is sometimes easier to explicitly list those users who aren't 283allowed access rather than generate a possibly complicated list of 284users who are allowed access and omit the rest. 285.Pp 286Note that the plus and minus entries are evaluated in order from |
| 279first to last with the first match taking precedence. This means | 287first to last with the first match taking precedence. 288This means |
| 280the system will only use the first entry that matches a particular user. 281If, for instance, we have a user ``foo'' who is a member of both the ``staff'' 282netgroup and the ``rejected-users'' netgroup, he will be admitted to 283the system because the above example lists the entry for ``staff'' | 289the system will only use the first entry that matches a particular user. 290If, for instance, we have a user ``foo'' who is a member of both the ``staff'' 291netgroup and the ``rejected-users'' netgroup, he will be admitted to 292the system because the above example lists the entry for ``staff'' |
| 284before the entry for ``rejected-users.'' If we reversed the order, | 293before the entry for ``rejected-users.'' 294If we reversed the order, |
| 285user ``foo'' would be flagged as a ``rejected-user'' instead and 286denied access. 287.Pp 288Lastly, any NIS password database records that do not match against 289at least one of the users or netgroups specified by the NIS access 290entries in the 291.Pa /etc/master.passwd 292file will be ignored (along with any users specified using minus 293entries). In our example shown above, we do not have a wildcard 294entry at the end of the list; therefore, the system will not recognize 295anyone except 296``ken,'' ``dennis,'' the ``staff'' netgroup and the ``permitted-users'' | 295user ``foo'' would be flagged as a ``rejected-user'' instead and 296denied access. 297.Pp 298Lastly, any NIS password database records that do not match against 299at least one of the users or netgroups specified by the NIS access 300entries in the 301.Pa /etc/master.passwd 302file will be ignored (along with any users specified using minus 303entries). In our example shown above, we do not have a wildcard 304entry at the end of the list; therefore, the system will not recognize 305anyone except 306``ken,'' ``dennis,'' the ``staff'' netgroup and the ``permitted-users'' |
| 297netgroup as authorized users. The ``rejected-users'' netgroup will | 307netgroup as authorized users. 308The ``rejected-users'' netgroup will |
| 298be recognized but all members will have their shells remapped and 299therefore be denied access. 300All other NIS password records | 309be recognized but all members will have their shells remapped and 310therefore be denied access. 311All other NIS password records |
| 301will be ignored. The administrator may add a wildcard entry to the | 312will be ignored. 313The administrator may add a wildcard entry to the |
| 302end of the list such as: 303.Bd -literal -offset indent 304+:::::::::/usr/local/bin/go_away 305 306.Ed 307This entry acts as a catch-all for all users that don't match against 308any of the other entries. 309.Pa /usr/local/bin/go_away 310can be a short shell script or program 311that prints a message telling the user that he is not allowed access | 314end of the list such as: 315.Bd -literal -offset indent 316+:::::::::/usr/local/bin/go_away 317 318.Ed 319This entry acts as a catch-all for all users that don't match against 320any of the other entries. 321.Pa /usr/local/bin/go_away 322can be a short shell script or program 323that prints a message telling the user that he is not allowed access |
| 312to the system. This technique is sometimes useful when it is | 324to the system. 325This technique is sometimes useful when it is |
| 313desirable to have the system be able to recognize all users in a 314particular NIS domain without necessarily granting them login access. 315See the above text on the shell field regarding security concerns when using 316a shell script as the login shell. 317.Pp 318The primary use of this 319.Pa override 320feature is to permit the administrator | 326desirable to have the system be able to recognize all users in a 327particular NIS domain without necessarily granting them login access. 328See the above text on the shell field regarding security concerns when using 329a shell script as the login shell. 330.Pp 331The primary use of this 332.Pa override 333feature is to permit the administrator |
| 321to enforce access restrictions on NIS client systems. Users can be | 334to enforce access restrictions on NIS client systems. 335Users can be |
| 322granted access to one group of machines and denied access to other 323machines simply by adding or removing them from a particular netgroup. 324Since the netgroup database can also be accessed via NIS, this allows 325access restrictions to be administered from a single location, namely 326the NIS master server; once a host's access list has been set in 327.Pa /etc/master.passwd , 328it need not be modified again unless new netgroups are created. 329.Sh NOTES 330.Ss Shadow passwords through NIS 331.Tn FreeBSD 332uses a shadow password scheme: users' encrypted passwords 333are stored only in 334.Pa /etc/master.passwd 335and 336.Pa /etc/spwd.db , | 336granted access to one group of machines and denied access to other 337machines simply by adding or removing them from a particular netgroup. 338Since the netgroup database can also be accessed via NIS, this allows 339access restrictions to be administered from a single location, namely 340the NIS master server; once a host's access list has been set in 341.Pa /etc/master.passwd , 342it need not be modified again unless new netgroups are created. 343.Sh NOTES 344.Ss Shadow passwords through NIS 345.Tn FreeBSD 346uses a shadow password scheme: users' encrypted passwords 347are stored only in 348.Pa /etc/master.passwd 349and 350.Pa /etc/spwd.db , |
| 337which are readable and writable only by the superuser. This is done | 351which are readable and writable only by the superuser. 352This is done |
| 338to prevent users from running the encrypted passwords through 339password-guessing programs and gaining unauthorized access to | 353to prevent users from running the encrypted passwords through 354password-guessing programs and gaining unauthorized access to |
| 340other users' accounts. NIS does not support a standard means of | 355other users' accounts. 356NIS does not support a standard means of |
| 341password shadowing, which implies that placing your password data 342into the NIS passwd maps totally defeats the security of 343.Tn FreeBSD Ns 's 344password shadowing system. 345.Pp 346.Tn FreeBSD 347provides a few special features to help get around this | 357password shadowing, which implies that placing your password data 358into the NIS passwd maps totally defeats the security of 359.Tn FreeBSD Ns 's 360password shadowing system. 361.Pp 362.Tn FreeBSD 363provides a few special features to help get around this |
| 348problem. It is possible to implement password shadowing between | 364problem. 365It is possible to implement password shadowing between |
| 349.Tn FreeBSD 350NIS clients and 351.Tn FreeBSD | 366.Tn FreeBSD 367NIS clients and 368.Tn FreeBSD |
| 352NIS servers. The | 369NIS servers. 370The |
| 353.Xr getpwent 3 354routines will search for a 355.Pa master.passwd.byname 356and 357.Pa master.passwd.byuid 358maps which should contain the same data found in the 359.Pa /etc/master.passwd | 371.Xr getpwent 3 372routines will search for a 373.Pa master.passwd.byname 374and 375.Pa master.passwd.byuid 376maps which should contain the same data found in the 377.Pa /etc/master.passwd |
| 360file. If the maps exist, | 378file. 379If the maps exist, |
| 361.Tn FreeBSD 362will attempt to use them for user 363authentication instead of the standard 364.Pa passwd.byname 365and 366.Pa passwd.byuid 367maps. 368.Tn FreeBSD Ns 's 369.Xr ypserv 8 370will also check client requests to make sure they originate on a | 380.Tn FreeBSD 381will attempt to use them for user 382authentication instead of the standard 383.Pa passwd.byname 384and 385.Pa passwd.byuid 386maps. 387.Tn FreeBSD Ns 's 388.Xr ypserv 8 389will also check client requests to make sure they originate on a |
| 371privileged port. Since only the superuser is allowed to bind to | 390privileged port. 391Since only the superuser is allowed to bind to |
| 372a privileged port, the server can tell if the requesting user 373is the superuser; all requests from non-privileged users to access 374the 375.Pa master.passwd | 392a privileged port, the server can tell if the requesting user 393is the superuser; all requests from non-privileged users to access 394the 395.Pa master.passwd |
| 376maps will be refused. Since all user authentication programs run | 396maps will be refused. 397Since all user authentication programs run |
| 377with superuser privilege, they should have the required access to 378users' encrypted password data while normal users will only 379be allowed access to the standard 380.Pa passwd 381maps which contain no password information. 382.Pp 383Note that this feature cannot be used in an environment with 384.No non- Ns Tn FreeBSD | 398with superuser privilege, they should have the required access to 399users' encrypted password data while normal users will only 400be allowed access to the standard 401.Pa passwd 402maps which contain no password information. 403.Pp 404Note that this feature cannot be used in an environment with 405.No non- Ns Tn FreeBSD |
| 385systems. Note also that a truly determined user with | 406systems. 407Note also that a truly determined user with |
| 386unrestricted access to your network could still compromise the 387.Pa master.passwd 388maps. 389.Ss UID and GID remapping with NIS overrides 390Unlike 391.Tn SunOS 392and other operating systems that use Sun's NIS code, 393.Tn FreeBSD --- 8 unchanged lines hidden (view full) --- 402.Bd -literal -offset indent 403+@foo-users:???:666:666:0:0:0:Bogus user:/home/bogus:/bin/bogus 404 405.Ed 406This entry will cause all users in the `foo-users' netgroup to 407have 408.Pa all 409of their password information overridden, including UIDs, | 408unrestricted access to your network could still compromise the 409.Pa master.passwd 410maps. 411.Ss UID and GID remapping with NIS overrides 412Unlike 413.Tn SunOS 414and other operating systems that use Sun's NIS code, 415.Tn FreeBSD --- 8 unchanged lines hidden (view full) --- 424.Bd -literal -offset indent 425+@foo-users:???:666:666:0:0:0:Bogus user:/home/bogus:/bin/bogus 426 427.Ed 428This entry will cause all users in the `foo-users' netgroup to 429have 430.Pa all 431of their password information overridden, including UIDs, |
| 410GIDs and passwords. The result is that all `foo-users' will be | 432GIDs and passwords. 433The result is that all `foo-users' will be |
| 411locked out of the system, since their passwords will be remapped 412to invalid values. 413.Pp 414This is important to remember because most people are accustomed to 415using an NIS wildcard entry that looks like this: 416.Bd -literal -offset indent 417+:*:0:0::: 418 --- 27 unchanged lines hidden (view full) --- 446When Sun originally added NIS support to their 447.Xr getpwent 3 448routines, they took into account the fact that the 449.Tn SunOS 450password 451.Pa /etc/passwd 452file is in plain 453.Tn ASCII | 434locked out of the system, since their passwords will be remapped 435to invalid values. 436.Pp 437This is important to remember because most people are accustomed to 438using an NIS wildcard entry that looks like this: 439.Bd -literal -offset indent 440+:*:0:0::: 441 --- 27 unchanged lines hidden (view full) --- 469When Sun originally added NIS support to their 470.Xr getpwent 3 471routines, they took into account the fact that the 472.Tn SunOS 473password 474.Pa /etc/passwd 475file is in plain 476.Tn ASCII |
| 454format. The | 477format. 478The |
| 455.Tn SunOS 456documentation claims that 457adding a '+' entry to the password file causes the contents of 458the NIS password database to be 'inserted' at the position in | 479.Tn SunOS 480documentation claims that 481adding a '+' entry to the password file causes the contents of 482the NIS password database to be 'inserted' at the position in |
| 459the file where the '+' entry appears. If, for example, the | 483the file where the '+' entry appears. 484If, for example, the |
| 460administrator places the +:::::: entry in the middle of 461.Pa /etc/passwd, 462then the entire contents of the NIS password map would appear 463as though it had been copied into the middle of the password | 485administrator places the +:::::: entry in the middle of 486.Pa /etc/passwd, 487then the entire contents of the NIS password map would appear 488as though it had been copied into the middle of the password |
| 464file. If the administrator places the +:::::: entry at both the | 489file. 490If the administrator places the +:::::: entry at both the |
| 465middle and the end of 466.Pa /etc/passwd , 467then the NIS password map would appear twice: once in the middle | 491middle and the end of 492.Pa /etc/passwd , 493then the NIS password map would appear twice: once in the middle |
| 468of the file and once at the end. (By using override entries | 494of the file and once at the end. 495(By using override entries |
| 469instead of simple wildcards, other combinations could be achieved.) 470.Pp 471By contrast, 472.Tn FreeBSD 473does not have a single 474.Tn ASCII 475password file: it | 496instead of simple wildcards, other combinations could be achieved.) 497.Pp 498By contrast, 499.Tn FreeBSD 500does not have a single 501.Tn ASCII 502password file: it |
| 476has a hashed password database. This database does not have an | 503has a hashed password database. 504This database does not have an |
| 477easily-defined beginning, middle or end, which makes it very hard 478to design a scheme that is 100% compatible with 479.Tn SunOS . 480For example, 481the 482.Fn getpwnam 483and 484.Fn getpwuid 485functions in 486.Tn FreeBSD 487are designed to do direct queries to the | 505easily-defined beginning, middle or end, which makes it very hard 506to design a scheme that is 100% compatible with 507.Tn SunOS . 508For example, 509the 510.Fn getpwnam 511and 512.Fn getpwuid 513functions in 514.Tn FreeBSD 515are designed to do direct queries to the |
| 488hash database rather than a linear search. This approach is faster 489on systems where the password database is large. However, when | 516hash database rather than a linear search. 517This approach is faster 518on systems where the password database is large. 519However, when |
| 490using direct database queries, the system does not know or care 491about the order of the original password file, and therefore 492it cannot easily apply the same override logic used by 493.Tn SunOS . 494.Pp 495Instead, 496.Tn FreeBSD 497groups all the NIS override entries together | 520using direct database queries, the system does not know or care 521about the order of the original password file, and therefore 522it cannot easily apply the same override logic used by 523.Tn SunOS . 524.Pp 525Instead, 526.Tn FreeBSD 527groups all the NIS override entries together |
| 498and constructs a filter out of them. Each NIS password entry | 528and constructs a filter out of them. 529Each NIS password entry |
| 499is compared against the override filter exactly once and 500treated accordingly: if the filter allows the entry through 501unaltered, it's treated unaltered; if the filter calls for remapping 502of fields, then fields are remapped; if the filter calls for 503explicit exclusion (i.e. the entry matches a '-' override), 504the entry is ignored; if the entry doesn't match against any 505of the filter specifications, it's discarded. 506.Pp --- 24 unchanged lines hidden (view full) --- 531the password space. 532.El 533.Pp 534In %99 of all 535.Tn FreeBSD 536configurations, NIS client behavior will be 537indistinguishable from that of 538.Tn SunOS | 530is compared against the override filter exactly once and 531treated accordingly: if the filter allows the entry through 532unaltered, it's treated unaltered; if the filter calls for remapping 533of fields, then fields are remapped; if the filter calls for 534explicit exclusion (i.e. the entry matches a '-' override), 535the entry is ignored; if the entry doesn't match against any 536of the filter specifications, it's discarded. 537.Pp --- 24 unchanged lines hidden (view full) --- 562the password space. 563.El 564.Pp 565In %99 of all 566.Tn FreeBSD 567configurations, NIS client behavior will be 568indistinguishable from that of 569.Tn SunOS |
| 539or other similar systems. Even | 570or other similar systems. 571Even |
| 540so, users should be aware of these architectural differences. 541.Pp 542.Ss Using groups instead of netgroups for NIS overrides 543.Tn FreeBSD 544offers the capability to do override matching based on | 572so, users should be aware of these architectural differences. 573.Pp 574.Ss Using groups instead of netgroups for NIS overrides 575.Tn FreeBSD 576offers the capability to do override matching based on |
| 545user groups rather than netgroups. If, for example, an NIS entry | 577user groups rather than netgroups. 578If, for example, an NIS entry |
| 546is specified as: 547.Bd -literal -offset indent 548+@operator::::::::: 549 550.Ed 551the system will first try to match users against a netgroup called 552`operator'. If an `operator' netgroup doesn't exist, the system 553will try to match users against the normal `operator' group --- 8 unchanged lines hidden (view full) --- 562.It 563In versions prior to 2.0.5, reverse lookups (i.e. using 564.Fn getpwuid ) 565would not have overrides applied, which is to say that it 566was possible for 567.Fn getpwuid 568to return a login name that 569.Fn getpwnam | 579is specified as: 580.Bd -literal -offset indent 581+@operator::::::::: 582 583.Ed 584the system will first try to match users against a netgroup called 585`operator'. If an `operator' netgroup doesn't exist, the system 586will try to match users against the normal `operator' group --- 8 unchanged lines hidden (view full) --- 595.It 596In versions prior to 2.0.5, reverse lookups (i.e. using 597.Fn getpwuid ) 598would not have overrides applied, which is to say that it 599was possible for 600.Fn getpwuid 601to return a login name that 602.Fn getpwnam |
| 570would not recognize. This has been fixed: overrides specified | 603would not recognize. 604This has been fixed: overrides specified |
| 571in 572.Pa /etc/master.passwd 573now apply to all 574.Xr getpwent 3 575functions. 576.It 577Prior to 578.Fx 2.0.5 , 579netgroup overrides did not work at 580all, largely because 581.Tn FreeBSD 582did not have support for reading | 605in 606.Pa /etc/master.passwd 607now apply to all 608.Xr getpwent 3 609functions. 610.It 611Prior to 612.Fx 2.0.5 , 613netgroup overrides did not work at 614all, largely because 615.Tn FreeBSD 616did not have support for reading |
| 583netgroups through NIS. Again, this has been fixed, and | 617netgroups through NIS. 618Again, this has been fixed, and |
| 584netgroups can be specified just as in 585.Tn SunOS 586and similar NIS-capable 587systems. 588.It 589.Tn FreeBSD 590now has NIS server capabilities and supports the use 591of --- 97 unchanged lines hidden --- | 619netgroups can be specified just as in 620.Tn SunOS 621and similar NIS-capable 622systems. 623.It 624.Tn FreeBSD 625now has NIS server capabilities and supports the use 626of --- 97 unchanged lines hidden --- |