Security Attributes Database Library Functions
getauthattr(3SECDB)
NAME
getauthattr, getauthnam, free_authattr, setauthattr,
endauthattr, chkauthattr - get authorization entry
SYNOPSIS
cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
#include <auth_attr.h>
#include <secdb.h>
authattr_t *getauthattr(void);
authattr_t *getauthnam(const char *name);
void free_authattr(authattr_t *auth);
void setauthattr(void);
void endauthattr(void);
int chkauthattr(const char *authname, const char *username);
DESCRIPTION
The getauthattr() and getauthnam() functions each return an
auth_attr(4) entry. Entries can come from any of the sources
specified in the nsswitch.conf(4) file.
The getauthattr() function enumerates auth_attr entries. The
getauthnam() function searches for an auth_attr entry with a
given authorization name name. Successive calls to these
functions return either successive auth_attr entries or
NULL.
The internal representation of an auth_attr entry is an
authattr_t structure defined in <auth_attr.h> with the
following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *shortdesc; /* short description */
char *longdesc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
SunOS 5.11 Last change: 20 Feb 2009 1
The setauthattr() function "rewinds" to the beginning of the
enumeration of auth_attr entries. Calls to getauthnam() can
leave the enumeration in an indeterminate state. Therefore,
setauthattr() should be called before the first call to
getauthattr().
The endauthattr() function may be called to indicate that
auth_attr processing is complete; the system may then close
any open auth_attr file, deallocate storage, and so forth.
The chkauthattr() function verifies whether or not a user
has a given authorization. It first reads the AUTHS_GRANTED
key in the /etc/security/policy.conf file and returns 1 if
it finds a match for the given authorization. If
chkauthattr() does not find a match and the username is the
name of the "console user", defined as the owner of
/dev/console, it first reads the CONSOLE_USER key in
/etc/security/policy.conf and returns 1 if the given
authorization is in any of the profiles specified in the
CONSOLE_USER keyword, then reads the PROFS_GRANTED key in
/etc/security/policy.conf and returns 1 if the given
authorization is in any profiles specified with the
PROFS_GRANTED keyword. If a match is not found from the
default authorizations and default profiles, chkauthattr()
reads the user_attr(4) database. If it does not find a match
in user_attr, it reads the prof_attr(4) database, using the
list of profiles assigned to the user, and checks if any of
the profiles assigned to the user has the given
authorization. The chkauthattr() function returns 0 if it
does not find a match in any of the three sources or if the
user does not exist.
A user is considered to have been assigned an authorization
if either of the following is true:
o The authorization name matches exactly any
authorization assigned in the user_attr or prof_attr
databases (authorization names are case-sensitive).
o The authorization name suffix is not the key word
grant and the authorization name matches any
authorization up to the asterisk (*) character
assigned in the user_attr or prof_attr databases.
The examples in the following table illustrate the condi-
tions under which a user is assigned an authorization.
                            /etc/security/policy.conf or    Is user
Authorization name          user_attr or prof_attr entry    authorized?
solaris.printer.postscript  solaris.printer.postscript      Yes
solaris.printer.postscript  solaris.printer.*               Yes
solaris.printer.grant       solaris.printer.*               No
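The lookup order described for chkauthattr() and the two matching rules illustrated in the table above can be modelled in a short C program. The following is an added example, not code from libsecdb or from this manual page: the policy.conf keys, the prof_attr and user_attr contents, and the users alice and bob are constructed in-memory stand-ins, and auth_matches() and model_chkauthattr() are hypothetical names that follow the documented rules and order (the point at which the unknown-user case is decided is an assumption, since the text only states the result).

```c
/*
 * Added example (not libsecdb code): an in-memory model of the
 * authorization-matching rules and lookup order documented for
 * chkauthattr(). Every data source below is a constructed stand-in
 * for policy.conf, user_attr and prof_attr.
 */
#include <stdio.h>
#include <string.h>

/* Rule 1: the names match exactly (case-sensitive).
 * Rule 2: the granted name ends in '*' and the requested name matches it
 *         up to the asterisk, unless the requested name's final component
 *         is the key word "grant". */
int auth_matches(const char *granted, const char *requested)
{
    size_t glen = strlen(granted);

    if (strcmp(granted, requested) == 0)
        return 1;
    if (glen > 0 && granted[glen - 1] == '*') {
        const char *dot = strrchr(requested, '.');
        const char *suffix = (dot != NULL) ? dot + 1 : requested;
        if (strcmp(suffix, "grant") == 0)
            return 0;
        return strncmp(granted, requested, glen - 1) == 0;
    }
    return 0;
}

/* Constructed policy.conf keys. */
static const char *auths_granted[]         = { "solaris.device.cdrw", NULL };
static const char *console_user_profiles[] = { "Console User", NULL };
static const char *profs_granted[]         = { "Basic Solaris User", NULL };

/* Constructed prof_attr: profile name -> authorizations it carries. */
struct profile { const char *name; const char **auths; };
static const char *basic_auths[]   = { "solaris.profmgr.read", NULL };
static const char *console_auths[] = { "solaris.device.*", NULL };
static const char *printer_auths[] = { "solaris.printer.*", NULL };
static const struct profile profiles[] = {
    { "Basic Solaris User", basic_auths },
    { "Console User",       console_auths },
    { "Printer Management", printer_auths },
    { NULL, NULL }
};

/* Constructed user_attr: direct authorizations, profiles, console ownership. */
struct user { const char *name; const char **auths; const char **profs; int console; };
static const char *alice_auths[] = { "solaris.admin.usermgr.read", NULL };
static const char *alice_profs[] = { "Printer Management", NULL };
static const char *none[]        = { NULL };
static const struct user users[] = {
    { "alice", alice_auths, alice_profs, 0 },
    { "bob",   none,        none,        1 },   /* bob owns /dev/console */
    { NULL, NULL, NULL, 0 }
};

static int list_has_auth(const char **granted, const char *authname)
{
    for (; *granted != NULL; granted++)
        if (auth_matches(*granted, authname))
            return 1;
    return 0;
}

static int profiles_have_auth(const char **names, const char *authname)
{
    for (; *names != NULL; names++)
        for (const struct profile *p = profiles; p->name != NULL; p++)
            if (strcmp(p->name, *names) == 0 && list_has_auth(p->auths, authname))
                return 1;
    return 0;
}

/* Follows the documented lookup order; 1 if authorized, otherwise 0. */
int model_chkauthattr(const char *authname, const char *username)
{
    const struct user *u = users;
    while (u->name != NULL && strcmp(u->name, username) != 0)
        u++;
    if (u->name == NULL)
        return 0;                       /* unknown user; checked first here (assumption) */
    if (list_has_auth(auths_granted, authname))
        return 1;                       /* AUTHS_GRANTED */
    if (u->console && profiles_have_auth(console_user_profiles, authname))
        return 1;                       /* CONSOLE_USER profiles */
    if (profiles_have_auth(profs_granted, authname))
        return 1;                       /* PROFS_GRANTED profiles */
    if (list_has_auth(u->auths, authname))
        return 1;                       /* user_attr */
    return profiles_have_auth(u->profs, authname);  /* prof_attr */
}

int main(void)
{
    printf("alice solaris.printer.postscript -> %d\n",
           model_chkauthattr("solaris.printer.postscript", "alice"));
    printf("alice solaris.printer.grant      -> %d\n",
           model_chkauthattr("solaris.printer.grant", "alice"));
    return 0;
}
```

The wildcard branch is where the "grant" exclusion matters: a profile carrying solaris.printer.* lets alice use solaris.printer.postscript but not solaris.printer.grant, so the ability to delegate printer authorizations is not handed out implicitly with the wildcard.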
The free_authattr() function releases memory allocated by
the getauthnam() and getauthattr() functions.
RETURN VALUES
The getauthattr() function returns a pointer to an
authattr_t if it successfully enumerates an entry; otherwise
it returns NULL, indicating the end of the enumeration.
The getauthnam() function returns a pointer to an
authattr_t if it successfully locates the requested entry;
otherwise it returns NULL.
The chkauthattr() function returns 1 if the user is
authorized and 0 if the user does not exist or is not
authorized.
USAGE
The getauthattr() and getauthnam() functions both allocate
memory for the pointers they return. This memory should be
deallocated with the free_authattr() call.
Individual attributes in the attr structure can be referred
to by calling the kva_match(3SECDB) function.
WARNINGS
Because the list of legal keys is likely to expand, code
must be written to ignore unknown key-value pairs without
error.
FILES
/etc/nsswitch.conf          configuration file lookup information
                            for the name server switch
/etc/user_attr              extended user attributes
/etc/security/auth_attr     authorization attributes
/etc/security/policy.conf   policy definitions
/etc/security/prof_attr     profile information
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE              ATTRIBUTE VALUE
MT-Level                    MT-Safe
SEE ALSO
getexecattr(3SECDB), getprofattr(3SECDB),
getuserattr(3SECDB), auth_attr(4), nsswitch.conf(4),
prof_attr(4), user_attr(4), attributes(5), rbac(5)