9728 3secdb man pages need some tlc
--- old/usr/src/man/man3secdb/getauthattr.3secdb.man.txt
+++ new/usr/src/man/man3secdb/getauthattr.3secdb.man.txt
1 1 GETAUTHATTR(3SECDB) Security Attributes Database Library Functions
2 2
3 3
4 4
5 5 NAME
6 6 getauthattr, getauthnam, free_authattr, setauthattr, endauthattr,
7 7 chkauthattr - get authorization entry
8 8
9 9 SYNOPSIS
10 10 cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
11 11 #include <auth_attr.h>
12 12 #include <secdb.h>
13 13
14 14 authattr_t *getauthattr(void);
15 15
16 16
17 17 authattr_t *getauthnam(const char *name);
18 18
19 19
20 20 void free_authattr(authattr_t *auth);
21 21
22 22
23 23 void setauthattr(void);
24 24
25 25
26 26 void endauthattr(void);
27 27
28 28
29 29 int chkauthattr(const char *authname, const char *username);
30 30
31 31
32 32 DESCRIPTION
33 33 The getauthattr() and getauthnam() functions each return an
34 34 auth_attr(4) entry. Entries can come from any of the sources specified
35 35 in the nsswitch.conf(4) file.
36 36
37 37
38 38 The getauthattr() function enumerates auth_attr entries. The
39 39 getauthnam() function searches for an auth_attr entry with a given
40 40 authorization name name. Successive calls to these functions return
41 41 either successive auth_attr entries or NULL.
42 42
43 43
44 44 Th internal representation of an auth_attr entry is an authattr_t
45 45 structure defined in <auth_attr.h> with the following members:
46 46
47 47 char *name; /* name of the authorization */
48 48 char *res1; /* reserved for future use */
49 49 char *res2; /* reserved for future use */
50 50 char *short_desc; /* short description */
51 51 char *long_desc; /* long description */
52 52 kva_t *attr; /* array of key-value pair attributes */
53 53
54 54
55 55
56 56 The setauthattr() function "rewinds" to the beginning of the
57 57 enumeration of auth_attr entries. Calls to getauthnam() can leave the
58 58 enumeration in an indeterminate state. Therefore, setauthattr() should
59 59 be called before the first call to getauthattr().
60 60
61 61
62 62 The endauthattr() function may be called to indicate that auth_attr
63 63 processing is complete; the system may then close any open auth_attr
64 64 file, deallocate storage, and so forth.
65 65
66 66
67 67 The chkauthattr() function verifies whether or not a user has a given
68 68 authorization. It first reads the AUTHS_GRANTED key in the
69 69 /etc/security/policy.conf file and returns 1 if it finds a match for
70 70 the given authorization. If chkauthattr() does not find a match and the
71 71 username is the name of the "console user", defined as the owner of
72 72 /dev/console, it first reads the CONSOLE_USER key in
73 73 /etc/security/policy.conf and returns 1 if the given authorization is
74 74 in any of the profiles specified in the CONSOLE_USER keyword, then
75 75 reads the PROFS_GRANTED key in /etc/security/policy.conf and returns 1
76 76 if the given authorization is in any profiles specified with the
77 77 PROFS_GRANTED keyword. If a match is not found from the default
78 78 authorizations and default profiles, chkauthattr() reads the
79 - user_attr(4) database. If it does not find a match in user_attr, it
79 + user_attr(4) database. If it does not find a match in user_attr, it
80 80 reads the prof_attr(4) database, using the list of profiles assigned to
81 81 the user, and checks if any of the profiles assigned to the user has
82 82 the given authorization. The chkauthattr() function returns 0 if it
83 83 does not find a match in any of the three sources or if the user does
84 84 not exist.
85 85
86 86
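Review bot: In the chkauthattr() paragraph (new lines 69-78), the console-user sentence chains "it first reads the CONSOLE_USER key ... then reads the PROFS_GRANTED key" under the single condition "the username is the name of the console user", so it reads as if PROFS_GRANTED is consulted only for the console user. Since this paragraph is being touched anyway, split it into separate sentences so the scope of each policy.conf check is explicit. The "Th internal representation" typo at line 44 is also still present and should be fixed in the same change.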
87 87 A user is considered to have been assigned an authorization if either
88 88 of the following are true:
89 89
90 90 o The authorization name matches exactly any authorization
91 - assigned in the user_attr or prof_attr databases
91 + assigned in the user_attr or prof_attr databases
92 92 (authorization names are case-sensitive).
93 93
94 - o The authorization name suffix is not the key word grant and
94 + o The authorization name suffix is not the key word grant and
95 95 the authorization name matches any authorization up to the
96 96 asterisk (*) character assigned in the user_attr or
97 97 prof_attr databases.
98 98
99 99
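Review bot: The second bullet (new line 94) still says "key word grant", while the chkauthattr() paragraph above writes "keyword" for CONSOLE_USER and PROFS_GRANTED; use "keyword" here as well since the line is already being modified. The lead-in at lines 87-88 should also read "if either of the following is true".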
100 100 The examples in the following table illustrate the conditions under
101 101 which a user is assigned an authorization.
102 102
103 103
104 104
105 105
106 - +---------------------------+-------------------------------+-------------+
107 - | | /etc/security/policy.conf or | Is user |
108 - +---------------------------+-------------------------------+-------------+
109 - | Authorization name | user_attr or prof_attr entry | authorized? |
110 - +---------------------------+-------------------------------+-------------+
111 - |solaris.printer.postscript | solaris.printer.postscript | Yes |
112 - |solaris.printer.postscript | solaris.printer.* | Yes |
113 - | solaris.printer.grant | solaris.printer.* | No |
114 - +---------------------------+-------------------------------+-------------+
106 + +---------------------------+------------------------------+-------------+
107 + | | /etc/security/policy.conf or | Is user |
108 + | Authorization name | user_attr or prof_attr entry | authorized? |
109 + +---------------------------+------------------------------+-------------+
110 + |solaris.printer.postscript | solaris.printer.postscript | Yes |
111 + |solaris.printer.postscript | solaris.printer.* | Yes |
112 + | solaris.printer.grant | solaris.printer.* | No |
113 + +---------------------------+------------------------------+-------------+
115 114
116 115
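Review bot: The table (new lines 106-113) shows that solaris.printer.* does not confer solaris.printer.grant, but it has no row in which a grant authorization is authorized. Per the first bullet above, an exact match counts, so a row pairing solaris.printer.grant with an entry of solaris.printer.grant and "Yes" would make it clear that grant authorizations are obtained only by exact assignment, never through a wildcard.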
117 116 The free_authattr() function releases memory allocated by the
118 - getauthnam() and getauthattr() functions.
117 + getauthnam() and getauthattr() functions.
119 118
120 119 RETURN VALUES
121 - The getauthattr() function returns a pointer to an authattr_t if it
120 + The getauthattr() function returns a pointer to an authattr_t if it
122 121 successfully enumerates an entry; otherwise it returns NULL, indicating
123 122 the end of the enumeration.
124 123
125 124
126 - The getauthnam() function returns a pointer to an authattr_t if it
125 + The getauthnam() function returns a pointer to an authattr_t if it
127 126 successfully locates the requested entry; otherwise it returns NULL.
128 127
129 128
130 129 The chkauthattr() function returns 1 if the user is authorized and 0 if
131 130 the user does not exist or is not authorized.
132 131
133 132 USAGE
134 133 The getauthattr() and getauthnam() functions both allocate memory for
135 134 the pointers they return. This memory should be deallocated with the
136 135 free_authattr() call.
137 136
138 137
139 138 Individual attributes in the attr structure can be referred to by
140 139 calling the kva_match(3SECDB) function.
141 140
142 141 WARNINGS
143 - Because the list of legal keys is likely to expand, code must be
142 + Because the list of legal keys is likely to expand, code must be
144 143 written to ignore unknown key-value pairs without error.
145 144
146 145 FILES
147 146 /etc/nsswitch.conf
148 147 configuration file lookup information for
149 - the name server switch
148 + the name service switch
150 149
151 150
152 151 /etc/user_attr
153 152 extended user attributes
154 153
155 154
156 155 /etc/security/auth_attr
157 156 authorization attributes
158 157
159 158
160 159 /etc/security/policy.conf
161 160 policy definitions
162 161
163 162
164 163 /etc/security/prof_attr
165 164 profile information
166 165
167 166
168 167 ATTRIBUTES
169 168 See attributes(5) for descriptions of the following attributes:
170 169
171 170
172 171
173 172
174 173 +---------------+-----------------+
175 174 |ATTRIBUTE TYPE | ATTRIBUTE VALUE |
176 175 +---------------+-----------------+
177 176 |MT-Level | MT-Safe |
178 177 +---------------+-----------------+
179 178
180 179 SEE ALSO
181 180 getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
182 - auth_attr(4), nsswitch.conf(4), prof_attr(4), user_attr(4),
183 - attributes(5), rbac(5)
181 + kva_match(3SECDB), auth_attr(4), nsswitch.conf(4), policy.conf(4),
182 + prof_attr(4), user_attr(4), attributes(5), rbac(5)
184 183
185 184
186 185
187 - February 20, 2009 GETAUTHATTR(3SECDB)
186 + August 13, 2018 GETAUTHATTR(3SECDB)