Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
getauthattr(3SECDB)					   getauthattr(3SECDB)

       getauthattr,   getauthnam,   free_authattr,  setauthattr,  endauthattr,
       chkauthattr - get authorization entry

       cc [ flag... ] file... -lsecdb  -lsocket	 -lnsl	[ library... ]
       #include	<auth_attr.h>
       #include	<secdb.h>

       authattr_t *getauthattr(void);

       authattr_t *getauthnam(const char *name);

       void free_authattr(authattr_t *auth);

       void setauthattr(void);

       void endauthattr(void);

       int chkauthattr(const char *authname, const char	*username);

       The  getauthattr()  and	 getauthnam()	functions   each   return   an
       auth_attr(4)  entry. Entries can	come from any of the sources specified
       in the nsswitch.conf(4) file.

       The getauthattr() function enumerates auth_attr entries.	 The  getauth-
       nam()  function searches	for an auth_attr entry with a given authoriza-
       tion name name. Successive calls	to these functions return either  suc-
       cessive auth_attr entries or NULL.

       Th  internal  representation  of	 an  auth_attr	entry is an authattr_t
       structure defined in  <auth_attr.h> with	the following members:

       char   *name;	    /* name of the authorization */
       char   *res1;	    /* reserved	for future use */
       char   *res2;	    /* reserved	for future use */
       char   *short_desc;  /* short description */
       char   *long_desc;   /* long description	*/
       kva_t  *attr;	    /* array of	key-value pair attributes */

       The setauthattr() function "rewinds" to the beginning of	 the  enumera-
       tion of auth_attr entries.  Calls to getauthnam() can leave the enumer-
       ation in	an indeterminate state.	 Therefore,  setauthattr()  should  be
       called before the first call to getauthattr().

       The  endauthattr()  function  may  be called to indicate	that auth_attr
       processing is complete; the system may then close  any  open  auth_attr
       file, deallocate	storage, and so	forth.

       The  chkauthattr()  function verifies whether or	not a user has a given
       authorization. It first reads the AUTHS_GRANTED key in  the  /etc/secu-
       rity/policy.conf	 file  and returns 1 if	it finds a match for the given
       authorization. If chkauthattr() does not	find a	match,	it  reads  the
       PROFS_GRANTED  key  in  /etc/security/policy.conf  and returns 1	if the
       given authorization is in any profiles specified	with the PROFS_GRANTED
       keyword.	 If  a	match is not found from	the default authorizations and
       default profiles, chkauthattr() reads the user_attr(4) database.	If  it
       does  not  find	a match	in  user_attr, it reads	the prof_attr(4) data-
       base, using the list of profiles	assigned to the	user,  and  checks  if
       any of the profiles assigned to the user	has the	given authorization.
	The  chkauthattr()  function  returns 0	if it does not find a match in
       any of the three	sources.

       A user is considered to have been assigned an authorization  if	either
       of the following	are true:

	 o  The	 authorization name matches exactly any	authorization assigned
	    in the  user_attr or  prof_attr databases (authorization names are

	 o  The	 authorization	name suffix is not the key word	 grant and the
	    authorization name matches any authorization up  to	 the  asterisk
	    (*)	character assigned in the user_attr or prof_attr databases.

       The  examples  in  the  following table illustrate the conditions under
       which a user is assigned	an authorization.

       |			   | /etc/security/policy.conf or  | Is	user	 |
       |Authorization name	   | user_attr or  prof_attr entry | authorized? |
       |solaris.printer.postscript | solaris.printer.postscript	   | Yes	 |
       |solaris.printer.postscript | solaris.printer.*		   | Yes	 |
       |solaris.printer.grant	   | solaris.printer.*		   | No		 |

       The free_authattr() function releases memory allocated by the  getauth-
       nam() and  getauthattr()	functions.

       The  getauthattr()  function  returns a pointer to an  authattr_t if it
       successfully enumerates an entry; otherwise it returns NULL, indicating
       the end of the enumeration.

       The  getauthnam()  function  returns  a pointer to an  authattr_t if it
       successfully locates the	requested entry; otherwise it returns NULL.

       The chkauthattr() function returns 1 if the user	is  authorized	and  0

       The  getauthattr()  and getauthnam() functions both allocate memory for
       the pointers they return. This memory should be de-allocated  with  the
       free_authattr() call.

       Individual attributes in	the attr structure can be referred to by call-
       ing the kva_match(3SECDB) function.

       Because the list	of legal keys is likely	to expand, code	 must be writ-
       ten to ignore unknown key-value pairs without error.

       /etc/nsswitch.conf	       configuration  file  lookup information
				       for the name server switch

       /etc/user_attr		       extended	user attributes

       /etc/security/auth_attr	       authorization attributes

       /etc/security/policy.conf       policy definitions

       /etc/security/prof_attr	       profile information

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |MT-Level		     |MT-Safe			   |

       getexecattr(3SECDB),	getprofattr(3SECDB),	  getuserattr(3SECDB),
       auth_attr(4),   nsswitch.conf(4),   prof_attr(4),   user_attr(4),   at-
       tributes(5), rbac(5)

				  31 Mar 2005		   getauthattr(3SECDB)


Want to link to this manual page? Use this URL:

home | help