Security Attributes Database Library Functions
                                              getexecattr(3SECDB)



NAME
     getexecattr, free_execattr, setexecattr, endexecattr,
     getexecuser, getexecprof, match_execattr - get execution
     profile entry

SYNOPSIS
     cc [ flag... ] file... -lsecdb  -lsocket  -lnsl  [ library... ]
     #include <exec_attr.h>
     #include <secdb.h>

     execattr_t *getexecattr(void);


     void free_execattr(execattr_t *ep);


     void setexecattr(void);


     void endexecattr(void);


     execattr_t *getexecuser(const char *username, const char *type,
          const char *id, int searchflag);


     execattr_t *getexecprof(const char *profname, const char *type,
          const char *id, int searchflag);


     execattr_t *match_execattr(execattr_t *ep, char *profname,
          char *type, char *id);


DESCRIPTION
     The getexecattr() function returns a single exec_attr(4)
     entry. Entries can come from any of the sources specified in
     the nsswitch.conf(4) file.


     Successive calls to getexecattr() return either successive
     exec_attr entries or NULL. Because getexecattr() always
     returns a single entry, the next pointer in the execattr_t
     data structure points to NULL.


     The internal representation of an exec_attr entry is an
     execattr_t structure defined in <exec_attr.h> with the
     following members:

       char              *name;   /* name of the profile */
       char              *type;   /* type of profile */
       char              *policy; /* policy under which the attributes are */
                                  /* relevant */
       char              *res1;   /* reserved for future use */
       char              *res2;   /* reserved for future use */
       char              *id;     /* unique identifier */
       kva_t             *attr;   /* attributes */
       struct execattr_s *next;   /* optional pointer to next profile */



     The free_execattr() function releases memory. It follows the
     next pointers in the execattr_t structure so that the entire
     linked list is released.


     The setexecattr() function "rewinds" to the beginning of the
     enumeration of exec_attr entries. Calls to getexecuser() can
     leave the enumeration in an indeterminate state. Therefore,
     setexecattr() should be called before the first call to
     getexecattr().


     The endexecattr() function can be called to indicate that
     exec_attr processing is complete; the library can then close
     any open exec_attr file, deallocate any internal storage,
     and so forth.


     The getexecuser() function returns a linked list of entries
     that match the type and id arguments and have a profile that
     has been assigned to the user specified by username, as
     described in passwd(4). Profiles for the user are obtained
     from the list of default profiles in
     /etc/security/policy.conf (see policy.conf(4)) and the
     user_attr(4) database. Only entries in the name service
     scope for which the corresponding profile entry is found in
     the prof_attr(4) database are returned.


     The getexecprof() function returns a linked list of entries
     that match the type and id arguments and have the profile
     specified by the profname argument. Only entries in the name
     service scope for which the corresponding profile entry is
     found in the prof_attr database are returned.


     Using getexecuser() and getexecprof(), programmers can
     search for any type argument, such as the manifest constant
     KV_COMMAND. The arguments are logically AND-ed together so
     that only entries exactly matching all of the arguments are
     returned. Wildcard matching applies if there is no exact
     match for an ID. Any argument can be assigned the NULL value
     to indicate that it is not used as part of the matching
     criteria. The searchflag controls whether the function
     returns the first match (GET_ONE), setting the next pointer
     to NULL, or all matching entries (GET_ALL), using the next
     pointer to create a linked list of all entries that meet the
     search criteria. See EXAMPLES.


     Once a list of entries is returned by getexecuser() or
     getexecprof(), the convenience function match_execattr() can
     be used to identify an individual entry. It returns a
     pointer to the individual element with the same profile name
     (profname), type name (type), and id. Function parameters
     set to NULL are not used as part of the matching criteria.
     In the event that multiple entries meet the matching
     criteria, only a pointer to the first entry is returned. The
     kva_match(3SECDB) function can be used to look up a key in a
     key-value array.

RETURN VALUES
     Those functions returning data only return data related to
     the active policy. The getexecattr() function returns a
     pointer to an execattr_t if it successfully enumerates an
     entry; otherwise it returns NULL, indicating the end of the
     enumeration.

USAGE
     The getexecattr(), getexecuser(), and getexecprof()
     functions all allocate memory for the pointers they return.
     This memory should be deallocated with the free_execattr()
     call. The match_execattr() function does not allocate any
     memory. Therefore, pointers returned by this function should
     not be deallocated.


     Individual attributes may be referenced in the attr
     structure by calling the kva_match(3SECDB) function.

EXAMPLES
     Example 1 Find all profiles that have the ping command.

       /* GET_ALL returns every matching entry as a linked list */
       if ((execprof=getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
           GET_ALL)) == NULL) {
               /* do error */
       }


     Example 2 Find the entry for the ping command in the Network
     Administration Profile.

       if ((execprof=getexecprof("Network Administration", KV_COMMAND,
           "/usr/sbin/ping", GET_ALL))==NULL) {
               /* do error */
       }


     Example 3 Tell everything that can be done in the Filesystem
     Security profile.

       if ((execprof=getexecprof("Filesystem Security", KV_NULL, NULL,
           GET_ALL))==NULL) {
               /* do error */
       }


     Example 4 Tell if the tar utility is in a profile assigned
     to user wetmore. If there is no exact profile entry, the
     wildcard (*), if defined, is returned.

       if ((execprof=getexecuser("wetmore", KV_COMMAND, "/usr/bin/tar",
           GET_ONE))==NULL) {
               /* do error */
       }
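
     Added example (not part of the original manual page and not
     libsecdb code): a self-contained C model of the matching rules
     given in DESCRIPTION, covering AND-ed criteria, NULL as an unused
     criterion, the wildcard fallback for the ID, and GET_ONE versus
     GET_ALL. The ent_t type, the model_* functions, the constant
     values and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins; the real constants and types come from <exec_attr.h>. */
#define GET_ONE 1
#define GET_ALL 2
typedef struct ent { const char *name, *type, *id, *attr; struct ent *next; } ent_t;

/* Constructed sample entries, not a real exec_attr database. */
static const ent_t db[] = {
    {"Network Administration", "cmd", "/usr/sbin/ping", "euid=0", NULL},
    {"Demo All",               "cmd", "*",              "",       NULL},
    {"Demo Archive",           "cmd", "/usr/bin/tar",   "euid=0", NULL},
    {"Demo Net",               "cmd", "/usr/sbin/ping", "uid=0",  NULL},
};

/* Like free_execattr(): follow the next pointers and release the whole list. */
void model_free(ent_t *e) { while (e) { ent_t *n = e->next; free(e); e = n; } }
size_t list_len(const ent_t *e) { size_t n = 0; for (; e; e = e->next) n++; return n; }

/* A NULL criterion is not used as part of the match. */
static int same(const char *want, const char *have) {
    return want == NULL || strcmp(want, have) == 0;
}

/* Model of getexecprof(): criteria are AND-ed; "*" is tried only if no id matches exactly. */
ent_t *model_getexecprof(const char *prof, const char *type, const char *id, int flag) {
    ent_t *head = NULL, **tail = &head;
    for (int pass = 0; pass < 2 && head == NULL; pass++) {
        if (pass == 1 && id == NULL) break;          /* no id given, nothing to fall back from */
        const char *want_id = (pass == 0) ? id : "*";
        for (size_t i = 0; i < sizeof db / sizeof db[0]; i++) {
            if (!same(prof, db[i].name) || !same(type, db[i].type) || !same(want_id, db[i].id))
                continue;
            ent_t *e = malloc(sizeof *e);
            if (e == NULL) { model_free(head); return NULL; }
            *e = db[i];
            *tail = e; tail = &e->next;              /* append; e->next is already NULL */
            if (flag == GET_ONE) return head;        /* first match only, next == NULL */
        }
    }
    return head;
}

int main(void) {
    ent_t *l = model_getexecprof(NULL, "cmd", "/usr/sbin/ping", GET_ALL);
    for (ent_t *e = l; e; e = e->next) printf("%s: %s (%s)\n", e->name, e->id, e->attr);
    model_free(l);
}
```

     As with the library functions, every list the model returns is
     released with a single call on its head.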


FILES
     /etc/nsswitch.conf           configuration file lookup
                                  information for the name server
                                  switch


     /etc/user_attr               extended user attributes


     /etc/security/exec_attr      execution profiles


     /etc/security/policy.conf    policy definitions


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

           ATTRIBUTE TYPE               ATTRIBUTE VALUE
           MT-Level                     MT-Safe


SEE ALSO
     getauthattr(3SECDB), getuserattr(3SECDB), kva_match(3SECDB),
     exec_attr(4), passwd(4), policy.conf(4), prof_attr(4),
     user_attr(4), attributes(5)


SunOS 5.11          Last change: 31 Mar 2005