getexecattr(3SECDB)    Introduction to Library Functions   getexecattr(3SECDB)

NAME
       getexecattr, free_execattr, setexecattr, endexecattr, getexecuser,
       getexecprof, match_execattr - get execution profile entry

SYNOPSIS
       cc [ flag... ] file... -lsecdb -lsocket -lnsl -lintl [ library... ]
       #include <exec_attr.h>
       #include <secdb.h>

       execattr_t *getexecattr(void);

       void free_execattr(execattr_t *ep);

       void setexecattr(void);

       void endexecattr(void);

       execattr_t *getexecuser(const char *username, const char	 *type,	 const
       char *id, int search_flag);

       execattr_t  *getexecprof(const  char *profname, const char *type, const
       char *id, int search_flag);

       execattr_t *match_execattr(execattr_t *ep, char *profname, char	*type,
       char *id);

DESCRIPTION
       The getexecattr() function returns a single exec_attr entry. Entries
       can come from any of the sources specified in nsswitch.conf(4).

       Successive calls to getexecattr() return either successive exec_attr
       entries or NULL. Because getexecattr() always returns a single entry,
       the next pointer in the execattr_t data structure points to NULL.

       The internal representation of an exec_attr entry is an execattr_t
       structure defined in <exec_attr.h> with the following members:

       char              *name;   /* name of the profile */
       char              *type;   /* type of profile */
       char              *policy; /* policy under which the attributes are relevant */
       char              *res1;   /* reserved for future use */
       char              *res2;   /* reserved for future use */
       char              *id;     /* unique identifier */
       kva_t             *attr;   /* attributes */
       struct execattr_s *next;   /* optional pointer to next profile */

       The free_execattr() function  releases  memory.	It  follows  the  next
       pointers	 in the	execattr_t structure so	that the entire	linked list is

       The setexecattr() function "rewinds" to the beginning of the
       enumeration of exec_attr entries. Calls to getexecuser() can leave the
       enumeration in an indeterminate state. Therefore, setexecattr() should
       be called before the first call to getexecattr().

       The endexecattr() function can be called to indicate that exec_attr
       processing is complete; the library can then close any open exec_attr
       file, deallocate any internal storage, and so forth.

       The getexecuser() function returns a linked list	of entries filtered by
       the function's arguments. Only entries assigned to the specified	 user-
       name, as	described in the passwd(4) database, and containing the	speci-
       fied type and id, as described in the exec_attr(4) database, are	placed
       in  the	list.  The  getexecuser() function is different	from the other
       functions in its	family because it spans	two databases. It first	 looks
       up  the	list  of profiles assigned to a	user in	the user_attr database
       and the list of default	profiles  in  /etc/security/policy.conf,  then
       looks up	each profile in	the exec_attr database.

       The  getexecprof()  function returns a linked list of entries that have
       components matching the function's arguments. Only entries in the data-
       base  matching  the  argument  profname,	as described in	exec_attr, and
       containing the type and id, also	described in exec_attr,	are placed  in
       the list.

       Using getexecuser() and getexecprof(), programmers can search for any
       type argument, such as the manifest constant KV_COMMAND. The arguments
       are logically AND-ed together so that only entries exactly matching all
       of the arguments are returned. Wildcard matching applies if there is no
       exact match for an ID: an entry whose id is the wildcard (*) then
       satisfies the id criterion. Any argument can be assigned the NULL value
       to indicate that it is not used as part of the matching criteria. The
       search_flag controls whether the function returns only the first match
       (GET_ONE), setting the next pointer to NULL, or all matching entries
       (GET_ALL), using the next pointer to create a linked list of all
       entries that meet the search criteria. See EXAMPLES.

       Once a list of entries is returned by getexecuser() or getexecprof(),
       the convenience function match_execattr() can be used to identify an
       individual entry. It returns a pointer to the individual element with
       the same profile name (profname), type name (type), and id. Function
       parameters set to NULL are not used as part of the matching criteria.
       In the event that multiple entries meet the matching criteria, only a
       pointer to the first entry is returned. The kva_match(3SECDB) function
       can be used to look up a key in a key-value array.

RETURN VALUES
       Those functions returning data only return data related to the active
       policy. The getexecattr() function returns a pointer to an execattr_t
       if it successfully enumerates an entry; otherwise it returns NULL,
       indicating the end of the enumeration.

USAGE
       The getexecattr(), getexecuser(), and getexecprof() functions all
       allocate memory for the pointers they return. This memory should be
       deallocated with the free_execattr() call. The match_execattr()
       function does not allocate any memory; it returns a pointer to an
       element of the list it was given. Therefore, pointers returned by this
       function should not be deallocated, and they become invalid once that
       list is passed to free_execattr().
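       The search rules in the three paragraphs above (AND-ed criteria with
       NULL meaning "not used", the fall-back to a wildcard id, GET_ONE
       versus GET_ALL, match_execattr() returning a pointer into an existing
       list, and free_execattr() walking the next pointers) can be tried
       without a Solaris system. The program below is an added example
       written for this page, not code from the manual or from the secdb
       library: it declares a local model of execattr_t and kva_t, parses a
       constructed in-memory table laid out like exec_attr(4) lines
       (name:policy:type:res1:res2:id:attr), and reimplements the documented
       matching behaviour under model_ names so they cannot be mistaken for
       the real functions. The literal "cmd" for KV_COMMAND and the sample
       profile entries are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Local model of the secdb interfaces (not the Solaris library); the struct
 * members follow the execattr_t on this page, minus the reserved res1/res2. */
#define GET_ONE 0
#define GET_ALL 1
#define KV_COMMAND "cmd"   /* assumption: the type string stored for commands */
typedef struct { char *key, *value; } kv_t;   typedef struct { int length; kv_t *data; } kva_t;
typedef struct execattr_s { char *name, *type, *policy, *id; kva_t *attr; struct execattr_s *next; } execattr_t;
/* Constructed sample database in the exec_attr(4) line layout
 * name:policy:type:res1:res2:id:attr (not a real system file). */
static const char *sample_db[] = {
    "Network Administration:solaris:cmd:::/usr/sbin/ping:privs=net_rawaccess",
    "Network Administration:solaris:cmd:::/usr/sbin/snoop:uid=0",
    "Filesystem Security:solaris:cmd:::/usr/bin/chgrp:euid=0",
    "All:solaris:cmd:::*:",   /* wildcard id: stands in for any command */
    NULL
};
static char *xstrdup(const char *s) { char *p = malloc(strlen(s) + 1); if (!p) abort(); return strcpy(p, s); }
/* strsep()-style tokenizer: next field, or NULL once the input is used up */
static char *next_field(char **rest, char sep) {
    char *start = *rest, *p;
    if (start == NULL) return NULL;
    if ((p = strchr(start, sep)) != NULL) { *p = '\0'; *rest = p + 1; } else *rest = NULL;
    return start;
}
/* "k=v;k=v" -> key-value array */
static kva_t *parse_kva(const char *s) {
    kva_t *kva = calloc(1, sizeof *kva);
    char *buf = xstrdup(s), *rest = buf, *pair, *eq;
    while ((pair = next_field(&rest, ';')) != NULL) {
        if ((eq = strchr(pair, '=')) == NULL) continue;
        *eq = '\0';
        kva->data = realloc(kva->data, (kva->length + 1) * sizeof(kv_t));
        kva->data[kva->length].key = xstrdup(pair);
        kva->data[kva->length++].value = xstrdup(eq + 1);
    }
    free(buf); return kva;
}
/* one database line -> freshly allocated entry (res1/res2 fields skipped) */
static execattr_t *parse_line(const char *line) {
    char *buf = xstrdup(line), *rest = buf, *f[7];
    for (int i = 0; i < 7; i++) { char *t = next_field(&rest, ':'); f[i] = t ? t : ""; }
    execattr_t *ep = calloc(1, sizeof *ep);
    ep->name = xstrdup(f[0]); ep->policy = xstrdup(f[1]);
    ep->type = xstrdup(f[2]); ep->id = xstrdup(f[5]);
    ep->attr = parse_kva(f[6]);
    free(buf); return ep;
}
/* Like free_execattr(): follows next so the whole list is released. */
void model_free_execattr(execattr_t *ep) {
    while (ep != NULL) {
        execattr_t *next = ep->next;
        for (int i = 0; i < ep->attr->length; i++) { free(ep->attr->data[i].key); free(ep->attr->data[i].value); }
        free(ep->attr->data); free(ep->attr);
        free(ep->name); free(ep->policy); free(ep->type); free(ep->id); free(ep);
        ep = next;
    }
}
/* Like kva_match(): value for key, or NULL if the key is absent. */
char *model_kva_match(const kva_t *kva, const char *key) {
    for (int i = 0; kva != NULL && i < kva->length; i++)
        if (strcmp(kva->data[i].key, key) == 0) return kva->data[i].value;
    return NULL;
}
/* AND of the criteria; NULL is ignored; with wild set, an id of "*" is accepted */
static int entry_matches(const execattr_t *ep, const char *profname,
                         const char *type, const char *id, int wild) {
    if (profname != NULL && strcmp(ep->name, profname) != 0) return 0;
    if (type != NULL && strcmp(ep->type, type) != 0) return 0;
    return id == NULL || strcmp(ep->id, wild ? "*" : id) == 0;
}
/* Like getexecprof(): pass 0 takes exact id matches; pass 1 runs only if an id
 * was given and pass 0 found nothing, and takes "*" entries. GET_ONE stops at
 * the first hit (next stays NULL); GET_ALL links every hit. */
execattr_t *model_getexecprof(const char **db, const char *profname,
                              const char *type, const char *id, int search_flag) {
    execattr_t *head = NULL, **tail = &head;
    for (int wild = 0; wild < 2 && head == NULL && !(wild && id == NULL); wild++)
        for (int i = 0; db[i] != NULL; i++) {
            execattr_t *ep = parse_line(db[i]);
            if (!entry_matches(ep, profname, type, id, wild)) { model_free_execattr(ep); continue; }
            *tail = ep; tail = &ep->next;
            if (search_flag == GET_ONE) return head;
        }
    return head;
}
/* Like match_execattr(): a pointer into the caller's list, nothing allocated */
execattr_t *model_match_execattr(execattr_t *ep, const char *profname,
                                 const char *type, const char *id) {
    for (; ep != NULL; ep = ep->next)
        if (entry_matches(ep, profname, type, id, 0)) break;
    return ep;
}
int main(void) {
    /* Example 2 on this page, then a command with no exact entry: only the
     * wildcard entry of profile All answers for /usr/bin/tar. */
    execattr_t *l = model_getexecprof(sample_db, "Network Administration", KV_COMMAND, "/usr/sbin/ping", GET_ALL);
    printf("%s in %s: privs=%s\n", l->id, l->name, model_kva_match(l->attr, "privs"));
    model_free_execattr(l);
    l = model_getexecprof(sample_db, NULL, KV_COMMAND, "/usr/bin/tar", GET_ONE);
    printf("/usr/bin/tar via profile \"%s\" (id %s)\n", l->name, l->id);
    model_free_execattr(l); return 0;
}
```

       Two points from the model carry back to code that calls the real
       library: the wildcard pass means a profile carrying an id of * answers
       for every command that has no exact entry, so such entries should be
       audited as the broad grants they are; and because match_execattr()
       returns a pointer into the list rather than a copy, that pointer
       dangles as soon as the list goes to free_execattr().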

       Applications that use the interfaces described in this manual page can-
       not be  linked statically, since	the implementations of these functions
       employ  dynamic loading and linking of  shared  objects	at  run	 time.
       Note  that   these interfaces are reentrant even	though they do not use
       the _r suffix  naming convention.

       Individual attributes may be referenced in the attr structure by	 call-
       ing the kva_match(3SECDB) function.

EXAMPLES
       Example 1: The following finds the first profile that has the ping
       command. Because GET_ONE is used, only the first matching entry is
       returned; pass GET_ALL to list every profile that contains it.

       execattr_t *execprof;

       if ((execprof = getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
           GET_ONE)) == NULL) {
               /* do error */
       }

       Example 2: The following finds the entry for the ping command in the
       Network Administration profile.

       execattr_t *execprof;

       if ((execprof = getexecprof("Network Administration", KV_COMMAND,
           "/usr/sbin/ping", GET_ALL)) == NULL) {
               /* do error */
       }

       Example 3: The following lists everything that can be done in the
       Filesystem Security profile: with KV_NULL for the type and NULL for
       the id, every entry of that profile is returned.

       execattr_t *execprof;

       if ((execprof = getexecprof("Filesystem Security", KV_NULL, NULL,
           GET_ALL)) == NULL) {
               /* do error */
       }

       Example 4: The following tells if the tar command is in a profile
       assigned to user wetmore. If there is no exact profile entry, the
       wildcard (*) entry, if defined, is returned.

       execattr_t *execprof;

       if ((execprof = getexecuser("wetmore", KV_COMMAND, "/usr/bin/tar",
           GET_ONE)) == NULL) {
               /* do error */
       }

FILES
       nsswitch.conf(4)   configuration file lookup information for the name
                          server switch

       user_attr(4)       extended user attributes

       exec_attr(4)       execution profiles

       policy.conf(4)     policy definitions

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       |MT-Level                     |MT-Safe                      |

SEE ALSO
       getauthattr(3SECDB), getuserattr(3SECDB), kva_match(3SECDB),
       exec_attr(4), policy.conf(4), user_attr(4), attributes(5)

SunOS 5.9			  13 Mar 2000		   getexecattr(3SECDB)

