Security Attributes Database Library Functions getauthattr(3SECDB)

NAME
     getauthattr, getauthnam, free_authattr, setauthattr, endauthattr,
     chkauthattr - get authorization entry
SYNOPSIS
     cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
     #include <auth_attr.h>
     #include <secdb.h>

     authattr_t *getauthattr(void);

     authattr_t *getauthnam(const char *name);

     void free_authattr(authattr_t *auth);

     void setauthattr(void);

     void endauthattr(void);

     int chkauthattr(const char *authname, const char *username);

DESCRIPTION
     The getauthattr() and getauthnam() functions each return an
     auth_attr(4) entry. Entries can come from any of the sources
     specified in the nsswitch.conf(4) file.

     The getauthattr() function enumerates auth_attr entries. The
     getauthnam() function searches for an auth_attr entry with a
     given authorization name name. Successive calls to these
     functions return either successive auth_attr entries or NULL.

     The internal representation of an auth_attr entry is an
     authattr_t structure defined in <auth_attr.h> with the
     following members:

          char  *name;        /* name of the authorization */
          char  *res1;        /* reserved for future use */
          char  *res2;        /* reserved for future use */
          char  *short_desc;  /* short description */
          char  *long_desc;   /* long description */
          kva_t *attr;        /* array of key-value pair attributes */
     The setauthattr() function "rewinds" to the beginning of the
     enumeration of auth_attr entries. Calls to getauthnam() can
     leave the enumeration in an indeterminate state. Therefore,
     setauthattr() should be called before the first call to
     getauthattr().

     The endauthattr() function may be called to indicate that
     auth_attr processing is complete; the system may then close
     any open auth_attr file, deallocate storage, and so forth.
     The chkauthattr() function verifies whether or not a user
     has a given authorization. It first reads the user_attr(4)
     database and returns 1 if it finds a match for the given
     authorization. If it does not find a match in user_attr,
     chkauthattr() reads the prof_attr(4) database using the list
     of profiles assigned to the user and checks if any of the
     profiles assigned to the user has the given authorization.
     When chkauthattr() finds a profile called "Stop", further
     profiles are ignored, the authorizations and profiles
     mentioned in /etc/security/policy.conf are ignored and it
     returns 0. If it does not find a match in the user's
     profiles, chkauthattr() reads the AUTHS_GRANTED key in the
     /etc/security/policy.conf file and returns 1 if it finds a
     match for the given authorization. If chkauthattr() does not
     find a match and the username is the name of the "console
     user", defined as the owner of /dev/console, it first reads
     the CONSOLE_USER key in /etc/security/policy.conf and
     returns 1 if the given authorization is in any of the
     profiles specified in the CONSOLE_USER keyword, then reads
     the PROFS_GRANTED key in /etc/security/policy.conf and
     returns 1 if the given authorization is in any profiles
     specified with the PROFS_GRANTED keyword. The chkauthattr()
     function returns 0 if it does not find a match in any of the
     three sources or if the user does not exist.

     Authorization names consist of a hierarchical set of
     dot (.)-separated words, called the predicate, and an optional
     object qualifier preceded by a slash character (/).
     Authorizations listed in user_attr and prof_attr may contain
     an asterisk (*) following the final dot in the predicate to
     indicate a wildcard. The reserved word grant, used for
     delegating authorizations, is not matched by *.

     A user is considered to have been assigned an authorization
     if all of the following are true:

       o  The authorization name matches exactly any
          authorization assigned in the user_attr or prof_attr
          databases (authorization names are case-sensitive).

       o  The predicate of authname matches the predicate of an
          authorization completely, or the predicate does not end
          in grant and matches up to the * if present.

       o  The authorization name suffix is not the key word grant
          and the authorization name matches any authorization up
          to the asterisk (*) character assigned in the user_attr
          or prof_attr databases.

       o  If the authorization includes an object qualifier, then
          authname must include the same object qualifier.

     The examples in the following table illustrate the
     conditions under which a user is assigned an authorization.
      ________________________________________________________________________
     | Authorization name        | /etc/security/policy.conf or  | Is user    |
     |                           | user_attr or prof_attr entry  | authorized?|
     |___________________________|_______________________________|____________|
     | solaris.printer.postscript| solaris.printer.postscript    | Yes        |
     |___________________________|_______________________________|____________|
     | solaris.printer.postscript| solaris.printer.*             | Yes        |
     |___________________________|_______________________________|____________|
     | solaris.printer.grant     | solaris.printer.*             | No         |
     |___________________________|_______________________________|____________|
     | solaris.zone.login/z1     | solaris.zone.*                | Yes        |
     |___________________________|_______________________________|____________|
     | solaris.zone.login        | solaris.zone.*/z1             | No         |
     |___________________________|_______________________________|____________|
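     To make the matching rules and the chkauthattr() lookup order
     above concrete, the following C program is an added example; it
     is not part of this manual page and not libsecdb's code. It
     reimplements the documented name-matching rules (exact match,
     wildcard after the final dot, the unmatched reserved word grant,
     and object qualifiers) in a function of its own, auth_matches(),
     and then walks the documented order of user_attr, the assigned
     profiles in sequence with "Stop" handling, and AUTHS_GRANTED in
     chkauthattr_model(). The user, profile and AUTHS_GRANTED values
     are constructed in-memory tables, not system files, and the
     console-user steps (CONSOLE_USER and PROFS_GRANTED) are left out.

```c
#include <stdio.h>
#include <string.h>

/* Predicate length (text before any '/') and a pointer to the object qualifier
 * after the slash, or NULL when the name has none. */
static const char *split_qualifier(const char *auth, size_t *pred_len) {
    const char *slash = strchr(auth, '/');
    *pred_len = slash ? (size_t)(slash - auth) : strlen(auth);
    return slash ? slash + 1 : NULL;
}

/* True when the last dot-separated word of the predicate is the reserved word "grant". */
static int ends_in_grant(const char *pred, size_t len) {
    size_t start = 0;
    for (size_t i = 0; i < len; i++)
        if (pred[i] == '.') start = i + 1;
    return (len - start) == 5 && strncmp(pred + start, "grant", 5) == 0;
}

/* Does one assigned entry (from user_attr, prof_attr or policy.conf) cover authname?
 * Case-sensitive; implements the matching rules listed in the man page. */
int auth_matches(const char *authname, const char *entry) {
    size_t alen, elen;
    const char *aq = split_qualifier(authname, &alen);
    const char *eq = split_qualifier(entry, &elen);
    if (strcmp(authname, entry) == 0) return 1;                 /* exact match */
    if (eq && (!aq || strcmp(aq, eq) != 0)) return 0;            /* entry's qualifier must be in authname */
    if (alen == elen && strncmp(authname, entry, alen) == 0) return 1;  /* identical predicates */
    if (elen >= 2 && entry[elen - 1] == '*' && entry[elen - 2] == '.') {  /* wildcard "a.b.*" */
        size_t prefix = elen - 1;                                /* "a.b." including the final dot */
        return alen > prefix && strncmp(authname, entry, prefix) == 0
            && !ends_in_grant(authname, alen);                   /* '*' never matches "grant" */
    }
    return 0;
}

/* Copy the next comma-separated item of *list into out and advance *list;
 * returns 0 when the list is NULL or exhausted. */
static int next_item(const char **list, char *out, size_t cap) {
    if (!*list || !**list) return 0;
    const char *comma = strchr(*list, ',');
    size_t n = comma ? (size_t)(comma - *list) : strlen(*list);
    if (n >= cap) n = cap - 1;
    memcpy(out, *list, n);
    out[n] = '\0';
    *list = comma ? comma + 1 : NULL;
    return 1;
}

/* Does any entry in a comma-separated auths list cover authname? */
static int list_covers(const char *list, const char *authname) {
    char item[128];
    while (next_item(&list, item, sizeof item))
        if (auth_matches(authname, item)) return 1;
    return 0;
}

/* Constructed sample data standing in for user_attr, prof_attr and the AUTHS_GRANTED
 * key of policy.conf; nothing here is read from a real system file. */
struct user_rec { const char *name, *auths, *profiles; };
struct prof_rec { const char *name, *auths; };
static const struct user_rec USER_ATTR[] = {
    { "alice", "solaris.printer.postscript", "Printer Management" },
    { "bob",   NULL, "Zone Management,Stop,Basic Solaris User" },
    { "carol", NULL, "Basic Solaris User" },
};
static const struct prof_rec PROF_ATTR[] = {
    { "Printer Management", "solaris.printer.*" },
    { "Zone Management",    "solaris.zone.*" },
    { "Basic Solaris User", "solaris.profmgr.read" },
};
static const char *AUTHS_GRANTED = "solaris.device.cdrw";

/* Model of chkauthattr()'s lookup order: user_attr auths, then each assigned profile in
 * order (a profile named "Stop" ends the search with 0 and suppresses policy.conf), then
 * AUTHS_GRANTED.  The console-user steps (CONSOLE_USER, PROFS_GRANTED) are not modelled. */
int chkauthattr_model(const char *authname, const char *username) {
    const struct user_rec *u = NULL;
    for (size_t i = 0; i < sizeof USER_ATTR / sizeof USER_ATTR[0]; i++)
        if (strcmp(USER_ATTR[i].name, username) == 0) u = &USER_ATTR[i];
    if (!u) return 0;                                            /* unknown user */
    if (list_covers(u->auths, authname)) return 1;               /* user_attr */
    const char *p = u->profiles;
    char prof[64];
    while (next_item(&p, prof, sizeof prof)) {
        if (strcmp(prof, "Stop") == 0) return 0;                 /* "Stop": rest and policy.conf ignored */
        for (size_t i = 0; i < sizeof PROF_ATTR / sizeof PROF_ATTR[0]; i++)
            if (strcmp(PROF_ATTR[i].name, prof) == 0 &&
                list_covers(PROF_ATTR[i].auths, authname)) return 1;   /* prof_attr */
    }
    return list_covers(AUTHS_GRANTED, authname);                 /* policy.conf AUTHS_GRANTED */
}

int main(void) {
    printf("bob   solaris.zone.login/z1 -> %d\n", chkauthattr_model("solaris.zone.login/z1", "bob"));
    printf("bob   solaris.device.cdrw   -> %d\n", chkauthattr_model("solaris.device.cdrw", "bob"));
    printf("carol solaris.device.cdrw   -> %d\n", chkauthattr_model("solaris.device.cdrw", "carol"));
    return 0;
}
```

     Feeding the five table rows to auth_matches() reproduces the
     Yes/No column. The two device.cdrw lookups show the point of
     the "Stop" profile: bob and carol would both be covered by
     AUTHS_GRANTED, but bob's "Stop" entry ends the search first, so
     only carol is authorized.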
     The free_authattr() function releases memory allocated by
     the getauthnam() and getauthattr() functions.

RETURN VALUES
     The getauthattr() function returns a pointer to an
     authattr_t if it successfully enumerates an entry; otherwise
     it returns NULL, indicating the end of the enumeration.

     The getauthnam() function returns a pointer to an
     authattr_t if it successfully locates the requested entry;
     otherwise it returns NULL.

     The chkauthattr() function returns 1 if the user is
     authorized and 0 if the user does not exist or is not
     authorized.

USAGE
     The getauthattr() and getauthnam() functions both allocate
     memory for the pointers they return. This memory should be
     deallocated with the free_authattr() call.

     Individual attributes in the attr structure can be referred
     to by calling the kva_match(3SECDB) function.

WARNINGS
     Because the list of legal keys is likely to expand, code
     must be written to ignore unknown key-value pairs without
     error.

FILES
     /etc/nsswitch.conf          configuration file lookup
                                 information for the name server
                                 switch

     /etc/user_attr              extended user attributes

     /etc/security/auth_attr     authorization attributes

     /etc/security/policy.conf   policy definitions

     /etc/security/prof_attr     profile information
ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | MT-Level                    | MT-Safe                     |
    |_____________________________|_____________________________|
SEE ALSO
     getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
     auth_attr(4), nsswitch.conf(4), prof_attr(4), user_attr(4),
     attributes(5), rbac(5)

SunOS 5.11                 Last change: 3 Jun 2010