GETAUTHATTR(3SECDB) Security Attributes Database Library Functions
NAME
getauthattr, getauthnam, free_authattr, setauthattr, endauthattr,
chkauthattr - get authorization entry
SYNOPSIS
cc [
flag... ]
file... -lsecdb -lsocket -lnsl [
library... ]
#include <auth_attr.h>
#include <secdb.h>
authattr_t *getauthattr(
void);
authattr_t *getauthnam(
const char *name);
void free_authattr(
authattr_t *auth);
void setauthattr(
void);
void endauthattr(
void);
int chkauthattr(
const char *authname,
const char *username);
DESCRIPTION
The
getauthattr() and
getauthnam() functions each return an
auth_attr(5) entry. Entries can come from any of the sources
specified in the
nsswitch.conf(5) file.
The
getauthattr() function enumerates
auth_attr entries. The
getauthnam() function searches for an
auth_attr entry with a given
authorization name
name. Successive calls to these functions return
either successive
auth_attr entries or
NULL.
The internal representation of an
auth_attr entry is an
authattr_t structure defined in <
auth_attr.h> with the following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *short_desc; /* short description */
char *long_desc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
The
setauthattr() function "rewinds" to the beginning of the
enumeration of
auth_attr entries. Calls to
getauthnam() can leave
the enumeration in an indeterminate state. Therefore,
setauthattr() should be called before the first call to
getauthattr().
The
endauthattr() function may be called to indicate that
auth_attr processing is complete; the system may then close any open
auth_attr file, deallocate storage, and so forth.
The
chkauthattr() function verifies whether or not a user has a given
authorization. It first reads the
AUTHS_GRANTED key in the
/etc/security/policy.conf file and returns 1 if it finds a match for
the given authorization. If
chkauthattr() does not find a match and
the
username is the name of the "console user", defined as the owner
of
/dev/console, it first reads the
CONSOLE_USER key in
/etc/security/policy.conf and returns 1 if the given authorization is
in any of the profiles specified in the
CONSOLE_USER keyword, then
reads the
PROFS_GRANTED key in
/etc/security/policy.conf and returns
1 if the given authorization is in any profiles specified with the
PROFS_GRANTED keyword. If a match is not found from the default
authorizations and default profiles,
chkauthattr() reads the
user_attr(5) database. If it does not find a match in
user_attr, it
reads the
prof_attr(5) database, using the list of profiles assigned
to the user, and checks if any of the profiles assigned to the user
has the given authorization. The
chkauthattr() function returns 0 if
it does not find a match in any of the three sources or if the user
does not exist.
A user is considered to have been assigned an authorization if either
of the following are true:
o The authorization name matches exactly any authorization
assigned in the
user_attr or
prof_attr databases
(authorization names are case-sensitive).
o The authorization name suffix is not the key word
grant and the authorization name matches any authorization up to
the asterisk (*) character assigned in the
user_attr or
prof_attr databases.
The examples in the following table illustrate the conditions under
which a user is assigned an authorization.
+---------------------------+------------------------------+-------------+
| |
/etc/security/policy.conf or | Is user |
|
Authorization name |
user_attr or
prof_attr entry | authorized? |
+---------------------------+------------------------------+-------------+
|solaris.printer.postscript | solaris.printer.postscript | Yes |
|solaris.printer.postscript | solaris.printer.* | Yes |
| solaris.printer.grant | solaris.printer.* | No |
+---------------------------+------------------------------+-------------+
The
free_authattr() function releases memory allocated by the
getauthnam() and
getauthattr() functions.
RETURN VALUES
The
getauthattr() function returns a pointer to an
authattr_t if it
successfully enumerates an entry; otherwise it returns
NULL,
indicating the end of the enumeration.
The
getauthnam() function returns a pointer to an
authattr_t if it
successfully locates the requested entry; otherwise it returns
NULL.
The
chkauthattr() function returns 1 if the user is authorized and 0
if the user does not exist or is not authorized.
USAGE
The
getauthattr() and
getauthnam() functions both allocate memory for
the pointers they return. This memory should be deallocated with the
free_authattr() call.
Individual attributes in the
attr structure can be referred to by
calling the
kva_match(3SECDB) function.
WARNINGS
Because the list of legal keys is likely to expand, code must be
written to ignore unknown key-value pairs without error.
FILES
/etc/nsswitch.conf configuration file lookup information
for the name service switch
/etc/user_attr extended user attributes
/etc/security/auth_attr authorization attributes
/etc/security/policy.conf policy definitions
/etc/security/prof_attr profile information
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+---------------+-----------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-----------------+
|MT-Level | MT-Safe |
+---------------+-----------------+
SEE ALSO
getexecattr(3SECDB),
getprofattr(3SECDB),
getuserattr(3SECDB),
kva_match(3SECDB),
auth_attr(5),
nsswitch.conf(5),
policy.conf(5),
prof_attr(5),
user_attr(5),
attributes(7),
rbac(7) August 13, 2018 GETAUTHATTR(3SECDB)
