endauthattr(3secdb)

1getauthattr(3SECDSBe)curity Attributes Database Library Functiognestauthattr(3SECDB)
2
3
4

NAME

6       getauthattr,   getauthnam,   free_authattr,  setauthattr,  endauthattr,
7       chkauthattr - get authorization entry
8

SYNOPSIS

10       cc [ flag... ] file... -lsecdb  -lsocket  -lnsl  [ library... ]
11       #include <auth_attr.h>
12       #include <secdb.h>
13
14       authattr_t *getauthattr(void);
15
16
17       authattr_t *getauthnam(const char *name);
18
19
20       void free_authattr(authattr_t *auth);
21
22
23       void setauthattr(void);
24
25
26       void endauthattr(void);
27
28
29       int chkauthattr(const char *authname, const char *username);
30
31

DESCRIPTION

33       The  getauthattr()  and   getauthnam()   functions   each   return   an
34       auth_attr(4)  entry. Entries can come from any of the sources specified
35       in the nsswitch.conf(4) file.
36
37
38       The getauthattr() function enumerates auth_attr entries.  The  getauth‐
39       nam()  function searches for an auth_attr entry with a given authoriza‐
40       tion name name. Successive calls to these functions return either  suc‐
41       cessive auth_attr entries or NULL.
42
43
44       Th  internal  representation  of  an  auth_attr  entry is an authattr_t
45       structure defined in  <auth_attr.h> with the following members:
46
47         char   *name;        /* name of the authorization */
48         char   *res1;        /* reserved for future use */
49         char   *res2;        /* reserved for future use */
50         char   *short_desc;  /* short description */
51         char   *long_desc;   /* long description */
52         kva_t  *attr;        /* array of key-value pair attributes */
53
54
55
56       The setauthattr() function "rewinds" to the beginning of  the  enumera‐
57       tion of auth_attr entries.  Calls to getauthnam() can leave the enumer‐
58       ation in an indeterminate state.  Therefore,  setauthattr()  should  be
59       called before the first call to getauthattr().
60
61
62       The  endauthattr()  function  may  be called to indicate that auth_attr
63       processing is complete; the system may then close  any  open  auth_attr
64       file, deallocate storage, and so forth.
65
66
67       The  chkauthattr()  function verifies whether or not a user has a given
68       authorization. It first reads the AUTHS_GRANTED key in  the  /etc/secu‐
69       rity/policy.conf  file  and returns 1 if it finds a match for the given
70       authorization. If chkauthattr() does not find a match and the  username
71       is  the  name  of the "console user", defined as the owner of /dev/con‐
72       sole, it first reads the CONSOLE_USER key in  /etc/security/policy.conf
73       and  returns  1  if  the  given authorization is in any of the profiles
74       specified in the CONSOLE_USER keyword, then reads the PROFS_GRANTED key
75       in  /etc/security/policy.conf  and returns 1 if the given authorization
76       is in any profiles specified with the PROFS_GRANTED keyword. If a match
77       is  not  found  from  the  default authorizations and default profiles,
78       chkauthattr() reads the user_attr(4) database. If it does  not  find  a
79       match in  user_attr, it reads the prof_attr(4) database, using the list
80       of profiles assigned to the user, and checks if  any  of  the  profiles
81       assigned  to  the  user has the given authorization.  The chkauthattr()
82       function returns 0 if it does not find a match  in  any  of  the  three
83       sources or if the user does not exist.
84
85
86       A  user  is considered to have been assigned an authorization if either
87       of the following are true:
88
89           o      The authorization name  matches  exactly  any  authorization
90                  assigned  in  the  user_attr or  prof_attr databases (autho‐
91                  rization names are case-sensitive).
92
93           o      The authorization name suffix is not the key word  grant and
94                  the  authorization  name matches any authorization up to the
95                  asterisk  (*)  character  assigned  in  the   user_attr   or
96                  prof_attr databases.
97
98
99       The  examples  in  the  following table illustrate the conditions under
100       which a user is assigned an authorization.
101
102
103
104
105       ┌───────────────────────────┬───────────────────────────────┬─────────────┐
106       │                           │ /etc/security/policy.conf or  │   Is user   │
107       ├───────────────────────────┼───────────────────────────────┼─────────────┤
108       │    Authorization name     │ user_attr or  prof_attr entry │ authorized? │
109       ├───────────────────────────┼───────────────────────────────┼─────────────┤
110       │solaris.printer.postscript │  solaris.printer.postscript   │     Yes     │
111       │solaris.printer.postscript │       solaris.printer.*       │     Yes     │
112       │  solaris.printer.grant    │       solaris.printer.*       │     No      │
113       └───────────────────────────┴───────────────────────────────┴─────────────┘
114
115
116       The free_authattr() function releases memory allocated by the  getauth‐
117       nam() and  getauthattr() functions.
118

RETURN VALUES

120       The  getauthattr()  function  returns a pointer to an  authattr_t if it
121       successfully enumerates an entry; otherwise it returns NULL, indicating
122       the end of the enumeration.
123
124
125       The  getauthnam()  function  returns  a pointer to an  authattr_t if it
126       successfully locates the requested entry; otherwise it returns NULL.
127
128
129       The chkauthattr() function returns 1 if the user is authorized and 0 if
130       the user does not exist or is not authorized.
131

USAGE

133       The  getauthattr()  and getauthnam() functions both allocate memory for
134       the pointers they return. This memory should be  deallocated  with  the
135       free_authattr() call.
136
137
138       Individual attributes in the attr structure can be referred to by call‐
139       ing the kva_match(3SECDB) function.
140

WARNINGS

142       Because the list of legal keys is likely to expand, code  must be writ‐
143       ten to ignore unknown key-value pairs without error.
144

FILES

146       /etc/nsswitch.conf           configuration  file lookup information for
147                                    the name server switch
148
149
150       /etc/user_attr               extended user attributes
151
152
153       /etc/security/auth_attr      authorization attributes
154
155
156       /etc/security/policy.conf    policy definitions
157
158
159       /etc/security/prof_attr      profile information
160
161

ATTRIBUTES

163       See attributes(5) for descriptions of the following attributes:
164
165
166
167
168       ┌─────────────────────────────┬─────────────────────────────┐
169       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
170       ├─────────────────────────────┼─────────────────────────────┤
171       │MT-Level                     │MT-Safe                      │
172       └─────────────────────────────┴─────────────────────────────┘
173