Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

chkauthattr(3secdb) [bsd man page]

getauthattr(3SECDB)													       getauthattr(3SECDB)

NAME
getauthattr, getauthnam, free_authattr, setauthattr, endauthattr, chkauthattr - get authorization entry SYNOPSIS
cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ] #include <auth_attr.h> #include <secdb.h> authattr_t *getauthattr(void); authattr_t *getauthnam(const char *name); void free_authattr(authattr_t *auth); void setauthattr(void); void endauthattr(void); int chkauthattr(const char *authname, const char *username); The getauthattr() and getauthnam() functions each return an auth_attr(4) entry. Entries can come from any of the sources specified in the nsswitch.conf(4) file. The getauthattr() function enumerates auth_attr entries. The getauthnam() function searches for an auth_attr entry with a given authoriza- tion name name. Successive calls to these functions return either successive auth_attr entries or NULL. Th internal representation of an auth_attr entry is an authattr_t structure defined in <auth_attr.h> with the following members: char *name; /* name of the authorization */ char *res1; /* reserved for future use */ char *res2; /* reserved for future use */ char *short_desc; /* short description */ char *long_desc; /* long description */ kva_t *attr; /* array of key-value pair attributes */ The setauthattr() function "rewinds" to the beginning of the enumeration of auth_attr entries. Calls to getauthnam() can leave the enumer- ation in an indeterminate state. Therefore, setauthattr() should be called before the first call to getauthattr(). The endauthattr() function may be called to indicate that auth_attr processing is complete; the system may then close any open auth_attr file, deallocate storage, and so forth. The chkauthattr() function verifies whether or not a user has a given authorization. It first reads the AUTHS_GRANTED key in the /etc/secu- rity/policy.conf file and returns 1 if it finds a match for the given authorization. If chkauthattr() does not find a match, it reads the PROFS_GRANTED key in /etc/security/policy.conf and returns 1 if the given authorization is in any profiles specified with the PROFS_GRANTED keyword. If a match is not found from the default authorizations and default profiles, chkauthattr() reads the user_attr(4) database. If it does not find a match in user_attr, it reads the prof_attr(4) database, using the list of profiles assigned to the user, and checks if any of the profiles assigned to the user has the given authorization. The chkauthattr() function returns 0 if it does not find a match in any of the three sources. A user is considered to have been assigned an authorization if either of the following are true: o The authorization name matches exactly any authorization assigned in the user_attr or prof_attr databases (authorization names are case-sensitive). o The authorization name suffix is not the key word grant and the authorization name matches any authorization up to the asterisk (*) character assigned in the user_attr or prof_attr databases. The examples in the following table illustrate the conditions under which a user is assigned an authorization. +---------------------------+-------------------------------+-------------+ | | /etc/security/policy.conf or | Is user | +---------------------------+-------------------------------+-------------+ |Authorization name | user_attr or prof_attr entry | authorized? | +---------------------------+-------------------------------+-------------+ |solaris.printer.postscript | solaris.printer.postscript | Yes | +---------------------------+-------------------------------+-------------+ |solaris.printer.postscript | solaris.printer.* | Yes | +---------------------------+-------------------------------+-------------+ |solaris.printer.grant | solaris.printer.* | No | +---------------------------+-------------------------------+-------------+ The free_authattr() function releases memory allocated by the getauthnam() and getauthattr() functions. The getauthattr() function returns a pointer to an authattr_t if it successfully enumerates an entry; otherwise it returns NULL, indicat- ing the end of the enumeration. The getauthnam() function returns a pointer to an authattr_t if it successfully locates the requested entry; otherwise it returns NULL. The chkauthattr() function returns 1 if the user is authorized and 0 otherwise. The getauthattr() and getauthnam() functions both allocate memory for the pointers they return. This memory should be de-allocated with the free_authattr() call. Individual attributes in the attr structure can be referred to by calling the kva_match(3SECDB) function. Because the list of legal keys is likely to expand, code must be written to ignore unknown key-value pairs without error. /etc/nsswitch.conf configuration file lookup information for the name server switch /etc/user_attr extended user attributes /etc/security/auth_attr authorization attributes /etc/security/policy.conf policy definitions /etc/security/prof_attr profile information See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |MT-Level |MT-Safe | +-----------------------------+-----------------------------+ getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB), auth_attr(4), nsswitch.conf(4), prof_attr(4), user_attr(4), attributes(5), rbac(5) 31 Mar 2005 getauthattr(3SECDB)
Man Page