| blob | 1489bc4e68495447f0c193ee75796f0a3b1a0fd2 |
1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH GETAUTHATTR 3SECDB "Feb 20, 2009"
7 .SH NAME
8 getauthattr, getauthnam, free_authattr, setauthattr, endauthattr, chkauthattr
9 \- get authorization entry
10 .SH SYNOPSIS
11 .LP
12 .nf
13 cc [ \fIflag\fR... ] \fIfile\fR... -lsecdb [ \fIlibrary\fR... ]
14 #include <auth_attr.h>
15 #include <secdb.h>
17 \fBauthattr_t *\fR\fBgetauthattr\fR(\fBvoid\fR);
18 .fi
20 .LP
21 .nf
22 \fBauthattr_t *\fR\fBgetauthnam\fR(\fBconst char *\fR\fIname\fR);
23 .fi
25 .LP
26 .nf
27 \fBvoid\fR \fBfree_authattr\fR(\fBauthattr_t *\fR\fIauth\fR);
28 .fi
30 .LP
31 .nf
32 \fBvoid\fR \fBsetauthattr\fR(\fBvoid\fR);
33 .fi
35 .LP
36 .nf
37 \fBvoid\fR \fBendauthattr\fR(\fBvoid\fR);
38 .fi
40 .LP
41 .nf
42 \fBint\fR \fBchkauthattr\fR(\fBconst char *\fR\fIauthname\fR, \fBconst char *\fR\fIusername\fR);
43 .fi
45 .SH DESCRIPTION
46 .sp
47 .LP
48 The \fBgetauthattr()\fR and \fBgetauthnam()\fR functions each return an
49 \fBauth_attr\fR(4) entry. Entries can come from any of the sources specified in
50 the \fBnsswitch.conf\fR(4) file.
51 .sp
52 .LP
53 The \fBgetauthattr()\fR function enumerates \fBauth_attr\fR entries. The
54 \fBgetauthnam()\fR function searches for an \fBauth_attr\fR entry with a given
55 authorization name \fIname\fR. Successive calls to these functions return
56 either successive \fBauth_attr\fR entries or \fINULL\fR.
57 .sp
58 .LP
59 Th internal representation of an \fBauth_attr\fR entry is an \fBauthattr_t\fR
60 structure defined in <\fBauth_attr.h\fR> with the following members:
61 .sp
62 .in +2
63 .nf
64 char *name; /* name of the authorization */
65 char *res1; /* reserved for future use */
66 char *res2; /* reserved for future use */
67 char *short_desc; /* short description */
68 char *long_desc; /* long description */
69 kva_t *attr; /* array of key-value pair attributes */
70 .fi
71 .in -2
73 .sp
74 .LP
75 The \fBsetauthattr()\fR function "rewinds" to the beginning of the enumeration
76 of \fBauth_attr\fR entries. Calls to \fBgetauthnam()\fR can leave the
77 enumeration in an indeterminate state. Therefore, \fBsetauthattr()\fR should be
78 called before the first call to \fBgetauthattr()\fR.
79 .sp
80 .LP
81 The \fBendauthattr()\fR function may be called to indicate that \fBauth_attr\fR
82 processing is complete; the system may then close any open \fBauth_attr\fR
83 file, deallocate storage, and so forth.
84 .sp
85 .LP
86 The \fBchkauthattr()\fR function verifies whether or not a user has a given
87 authorization. It first reads the \fBAUTHS_GRANTED\fR key in the
88 \fB/etc/security/policy.conf\fR file and returns 1 if it finds a match for the
89 given authorization. If \fBchkauthattr()\fR does not find a match and the
90 \fIusername\fR is the name of the "console user", defined as the owner of
91 \fB/dev/console\fR, it first reads the \fBCONSOLE_USER\fR key in
92 \fB/etc/security/policy.conf\fR and returns 1 if the given authorization is in
93 any of the profiles specified in the \fBCONSOLE_USER\fR keyword, then reads the
94 \fBPROFS_GRANTED\fR key in \fB/etc/security/policy.conf\fR and returns 1 if the
95 given authorization is in any profiles specified with the \fBPROFS_GRANTED\fR
96 keyword. If a match is not found from the default authorizations and default
97 profiles, \fBchkauthattr()\fR reads the \fBuser_attr\fR(4) database. If it does
98 not find a match in \fBuser_attr\fR, it reads the \fBprof_attr\fR(4) database,
99 using the list of profiles assigned to the user, and checks if any of the
100 profiles assigned to the user has the given authorization. The
101 \fBchkauthattr()\fR function returns 0 if it does not find a match in any of
102 the three sources or if the user does not exist.
103 .sp
104 .LP
105 A user is considered to have been assigned an authorization if either of the
106 following are true:
107 .RS +4
108 .TP
109 .ie t \(bu
110 .el o
111 The authorization name matches exactly any authorization assigned in the
112 \fBuser_attr\fR or \fBprof_attr\fR databases (authorization names are
113 case-sensitive).
114 .RE
115 .RS +4
116 .TP
117 .ie t \(bu
118 .el o
119 The authorization name suffix is not the key word \fBgrant\fR and the
120 authorization name matches any authorization up to the asterisk (*) character
121 assigned in the \fBuser_attr\fR or \fBprof_attr\fR databases.
122 .RE
123 .sp
124 .LP
125 The examples in the following table illustrate the conditions under which a
126 user is assigned an authorization.
127 .sp
129 .sp
130 .TS
131 box;
132 c | c | c
133 c | c | c .
134 \f(CW/etc/security/policy.conf\fR or Is user
135 _
136 \fBAuthorization name\fR \fBuser_attr\fR or \fB\fR \fBprof_attr\fR entry authorized?
137 _
138 solaris.printer.postscript solaris.printer.postscript Yes
139 solaris.printer.postscript solaris.printer.* Yes
140 solaris.printer.grant solaris.printer.* No
141 .TE
143 .sp
144 .LP
145 The \fBfree_authattr()\fR function releases memory allocated by the
146 \fBgetauthnam()\fR and \fBgetauthattr()\fR functions.
147 .SH RETURN VALUES
148 .sp
149 .LP
150 The \fBgetauthattr()\fR function returns a pointer to an \fBauthattr_t\fR if
151 it successfully enumerates an entry; otherwise it returns \fINULL\fR,
152 indicating the end of the enumeration.
153 .sp
154 .LP
155 The \fBgetauthnam()\fR function returns a pointer to an \fBauthattr_t\fR if it
156 successfully locates the requested entry; otherwise it returns \fINULL\fR.
157 .sp
158 .LP
159 The \fBchkauthattr()\fR function returns 1 if the user is authorized and 0 if
160 the user does not exist or is not authorized.
161 .SH USAGE
162 .sp
163 .LP
164 The \fBgetauthattr()\fR and \fBgetauthnam()\fR functions both allocate memory
165 for the pointers they return. This memory should be deallocated with the
166 \fBfree_authattr()\fR call.
167 .sp
168 .LP
169 Individual attributes in the \fBattr\fR structure can be referred to by calling
170 the \fBkva_match\fR(3SECDB) function.
171 .SH WARNINGS
172 .sp
173 .LP
174 Because the list of legal keys is likely to expand, code must be written to
175 ignore unknown key-value pairs without error.
176 .SH FILES
177 .sp
178 .ne 2
179 .na
180 \fB\fB/etc/nsswitch.conf\fR\fR
181 .ad
182 .RS 29n
183 configuration file lookup information for the name server switch
184 .RE
186 .sp
187 .ne 2
188 .na
189 \fB\fB/etc/user_attr\fR\fR
190 .ad
191 .RS 29n
192 extended user attributes
193 .RE
195 .sp
196 .ne 2
197 .na
198 \fB\fB/etc/security/auth_attr\fR\fR
199 .ad
200 .RS 29n
201 authorization attributes
202 .RE
204 .sp
205 .ne 2
206 .na
207 \fB\fB/etc/security/policy.conf\fR\fR
208 .ad
209 .RS 29n
210 policy definitions
211 .RE
213 .sp
214 .ne 2
215 .na
216 \fB\fB/etc/security/prof_attr\fR\fR
217 .ad
218 .RS 29n
219 profile information
220 .RE
222 .SH ATTRIBUTES
223 .sp
224 .LP
225 See \fBattributes\fR(5) for descriptions of the following attributes:
226 .sp
228 .sp
229 .TS
230 box;
231 c | c
232 l | l .
233 ATTRIBUTE TYPE ATTRIBUTE VALUE
234 _
235 MT-Level MT-Safe
236 .TE
238 .SH SEE ALSO
239 .sp
240 .LP
241 \fBgetexecattr\fR(3SECDB), \fBgetprofattr\fR(3SECDB),
242 \fBgetuserattr\fR(3SECDB), \fBauth_attr\fR(4), \fBnsswitch.conf\fR(4),
243 \fBprof_attr\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5), \fBrbac\fR(5)