Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
getauthattr(3SECDB)    Introduction to Library Functions   getauthattr(3SECDB)

       getauthattr,   getauthnam,   free_authattr,  setauthattr,  endauthattr,
       chkauthattr - get authorization entry

       cc [ flag... ] file... -lsecdb  -lsocket	 -lnsl	-lintl [ library... ]
       #include	<auth_attr.h>
       #include	<secdb.h>

       authattr_t *getauthattr(void);

       authattr_t *getauthnam(const char *name);

       void free_authattr(authattr_t *auth);

       void setauthattr(void);

       void endauthattr(void);

       int chkauthattr(const char *authname, const char	*username);

       The  getauthattr()  and	 getauthnam()	functions   each   return   an
       auth_attr(4)  entry. Entries can	come from any of the sources specified
       in the nsswitch.conf(4) file.

       The getauthattr() function enumerates auth_attr entries.	 The  getauth-
       nam()  function searches	for an auth_attr entry with a given authoriza-
       tion name name. Successive calls	to these functions return either  suc-
       cessive auth_attr entries or NULL.

       Th  internal  representation  of	 an  auth_attr	entry is an authattr_t
       structure defined in  <auth_attr.h> with	the following members:

       char   *name;	    /* name of the authorization */
       char   *res1;	    /* reserved	for future use */
       char   *res2;	    /* reserved	for future use */
       char   *short_desc;  /* short description */
       char   *long_desc;   /* long description	*/
       kva_t  *attr;	    /* array of	key-value pair attributes */

       The setauthattr() function "rewinds" to the beginning of	 the  enumera-
       tion of auth_attr entries.
	Calls  to  getauthnam()	 can leave the enumeration in an indeterminate
       state. Therefore, setauthattr() should be called	before the first  call
       to getauthattr().

       The  endauthattr()  function  may  be called to indicate	that auth_attr
       processing is complete; the system may then close  any  open  auth_attr
       file, deallocate	storage, and so	forth.

       The  chkauthattr()  function verifies whether or	not a user has a given
       authorization. It first reads the AUTHS_GRANTED key in  the  /etc/secu-
       rity/policy.conf	 file  and returns 1 if	it finds a match for the given
       authorization. If chkauthattr() does not	find a	match,	it  reads  the
       PROFS_GRANTED  key  in  /etc/security/policy.conf  and returns 1	if the
       given authorization is in any profiles specified	with the PROFS_GRANTED
       keyword.	  If  a	match is not found from	the default authorizations and
       default profiles, chkauthattr() reads the user_attr(4) database.	If  it
       does  not  find	a match	in  user_attr, it reads	the prof_attr(4) data-
       base, using the list of profiles	assigned to the	user,  and  checks  if
       any  of	the profiles assigned to the user has the given	authorization.
       The chkauthattr() function returns 0 if it does not find	a match	in any
       of the three sources.

       A  user	is considered to have been assigned an authorization if	either
       of the following	are true:

	  o  The authorization name matches exactly any	authorization assigned
	     in	 the   user_attr  or  prof_attr	databases (authorization names
	     are case-sensitive).

	  o  The authorization name suffix is not the key word	grant and  the
	     authorization  name  matches any authorization up to the asterisk
	     (*) character assigned in the user_attr or	prof_attr databases.

       The examples in the following table  illustrate	the  conditions	 under
       which a user is assigned	an authorization.

       |			   | /etc/security/policy.conf or  | Is	user	 |
       |Authorization name	   | user_attr or  prof_attr entry | authorized? |
       |com.sun.printer.postscript | com.sun.printer.postscript	   | Yes	 |
       |com.sun.printer.postscript | com.sun.printer.*		   | Yes	 |
       |com.sun.printer.grant	   | com.sun.printer.*		   | No		 |

       The  free_authattr() function releases memory allocated by the getauth-
       nam() and  getauthattr()	functions.

       The getauthattr() function returns a pointer to an   authattr_t	if  it
       successfully enumerates an entry; otherwise it returns NULL, indicating
       the end of the enumeration.

       The getauthnam()	function returns a pointer to  an   authattr_t	if  it
       successfully locates the	requested entry; otherwise it returns NULL.

       The  chkauthattr()  function  returns 1 if the user is authorized and 0

       The getauthattr() and getauthnam() functions both allocate  memory  for
       the  pointers  they return. This	memory should be de-allocated with the
       free_authattr() call.

       Applications that use the interfaces described in this manual page can-
       not  be linked statically, since	the implementations of these functions
       employ dynamic loading and linking of shared objects at run time.  Note
       that  these interfaces are reentrant even though	they do	not use	the _r
       suffix naming convention.

       Individual attributes in	the attr structure can be referred to by call-
       ing the kva_match(3SECDB) function.

       Because the list	of legal keys is likely	to expand, code	 must be writ-
       ten to ignore unknown key-value pairs without error.

	     configuration file	lookup information for the name	server switch

	     extended user attributes

	     authorization attributes

	     policy definitions

	     profile information

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |MT-Level		     |MT-Safe			   |

       getexecattr(3SECDB),	getprofattr(3SECDB),	  getuserattr(3SECDB),
       auth_attr(4),   nsswitch.conf(4),   prof_attr(4),   user_attr(4),   at-
       tributes(5), rbac(5)

SunOS 5.9			  7 Mar	2000		   getauthattr(3SECDB)


Want to link to this manual page? Use this URL:

home | help