NETGROUP(5) Standards, Environments, and Macros NETGROUP(5)
netgroup - list of network groups
A netgroup defines a network-wide group of hosts and users. Use a
netgroup to restrict access to shared NFS filesystems and to restrict
remote login and shell access.
Network groups are usually stored in network information services, such
as LDAP, or NIS, but may alternatively be stored in the local
/etc/netgroup file. The netgroup line of the nsswitch.conf(5) file
determines which of those sources are used.
This manual page describes the format for a file that is used to supply
input to a program such as ldapaddent(8) for LDAP, or makedbm(8) for
NIS. The same file format is used in the local /etc/netgroup file.
Each line of the file defines the name and membership of a network group.
The line should have the format:
    groupname member
The items on a line can be separated by a combination of one or more
spaces or tabs.
groupname is the name of the group being defined. This is followed by
a list of members of the group. Each member is either another group
name, all of whose members are to be included in the group being
defined, or a triple of the form:
    (hostname,username,domainname)
In each triple, any of the three fields hostname, username, and
domainname, can be empty. An empty field signifies a wildcard that
matches any value in that field. Thus:
    everything (,,this.domain)
defines a group named "everything" for the domain "this.domain" to which
every host and user belongs.
The domainname field refers to the domain in which the triple is valid,
not the domain containing the host or user. In fact, applications using
netgroup generally do not check the domainname. Therefore, using
is equivalent to
You can also use netgroups to control NFS mount access (see
share_nfs(8)) and to control remote login and shell access (see
hosts.equiv(5)). You can also use them to control local login access
(see passwd(5), and compat in nsswitch.conf(5)).
When used for these purposes, a host is considered a member of a
netgroup if the netgroup contains any triple in which the hostname
field matches the name of the host requesting access and the domainname
field matches the domain of the host controlling access.
Similarly, a user is considered a member of a netgroup
if the netgroup
contains any triple in which the username
field matches the name of the user
requesting access and the domainname
field matches the domain of the
host controlling access.
Note that when netgroups are used to control NFS mount access, access is
granted depending only on whether the requesting host is a member of the
netgroup. Remote login and shell access can be controlled both on the
basis of host and user membership in separate netgroups.
/etc/netgroup is used by a network information service's utility to
construct a map or table that contains netgroup information. For
example, ldapaddent(8) uses /etc/netgroup to construct an LDAP container.
Alternatively, the /etc/netgroup file may be used directly if the files
source is specified in nsswitch.conf(5) for the netgroup database.
SEE ALSO innetgr(3C)
Applications may make general membership tests using the innetgr()
function. See innetgr(3C).
Because the "-" character will not match any specific username or
hostname, it is commonly used as a placeholder that will match only
wildcarded membership queries. So, for example:
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
effectively define netgroups containing only hosts and only users,
respectively. Any other string that is guaranteed not to be a legal
username or hostname will also suffice for this purpose.
Use of placeholders will improve search performance.
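The membership rules above, as an added Python example that is not part of the original manual page or of any system's innetgr() implementation: it parses the file format, follows nested group names, tests host membership, and lists groups whose hostname field is an empty wildcard. The sample entries and function names are constructed for illustration; the domainname field is ignored, as the page says applications generally do, and names are compared exactly (an assumption).

```python
import re

# One (hostname,username,domainname) triple; any field may be empty.
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample in the file format described above (not from a real system).
SAMPLE = """\
onlyhosts (host1,-,our.domain) (host2,-,our.domain)
onlyusers (-,john,our.domain) (-,linda,our.domain)
nfsclients onlyhosts (host3,,our.domain)
everything (,,this.domain)
"""

def parse(text):
    """Map each group name to (list of triples, list of nested group names)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(None, 1)          # items are separated by spaces or tabs
        if not parts or parts[0].startswith("#"):
            continue
        body = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m) for m in TRIPLE.findall(body)]
        nested = TRIPLE.sub(" ", body).split()  # what is left are group names
        groups[parts[0]] = (triples, nested)
    return groups

def expand(groups, name, seen=None):
    """Yield every triple of `name`, following nested groups; `seen` stops cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return
    seen.add(name)
    triples, nested = groups[name]
    yield from triples
    for child in nested:
        yield from expand(groups, child, seen)

def host_in_netgroup(groups, name, host):
    """Host test: an empty hostname field matches any host; the '-' placeholder
    never equals a legal hostname, so it matches none. domainname is ignored."""
    return any(h == "" or h == host for h, _, _ in expand(groups, name))

def wildcard_hosts(groups):
    """Groups that admit every host through an empty hostname field, directly or nested."""
    return sorted(g for g in groups if any(h == "" for h, _, _ in expand(groups, g)))
```

Running wildcard_hosts() over a netgroup file before its groups are used in NFS shares shows which groups would grant access to any requesting host.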
When a machine with multiple interfaces and multiple names is defined as
a member of a netgroup, one must list all of the names. See hosts(5). A
manageable way to do this is to define a netgroup containing all of the
machine names. For example, for a host "gateway" that has names
"gateway-subnet1" and "gateway-subnet2" one may define the netgroup
    gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
and use this netgroup "gateway" whenever the host is to be included in
June 17, 2021 NETGROUP(5)