getauthattr(3SECSecurity Attributes Database Library Functigetauthattr(3SECDB)NAME
getauthattr, getauthnam, free_authattr, setauthattr, endauthattr,
chkauthattr - get authorization entry
SYNOPSIS
cc [ flag... ] file... -lsecdb-lsocket-lnsl [ library... ]
#include <auth_attr.h>
#include <secdb.h>
authattr_t *getauthattr(void);
authattr_t *getauthnam(const char *name);
void free_authattr(authattr_t *auth);
void setauthattr(void);
void endauthattr(void);
int chkauthattr(const char *authname, const char *username);
DESCRIPTION
The getauthattr() and getauthnam() functions each return an
auth_attr(4) entry. Entries can come from any of the sources specified
in the nsswitch.conf(4) file.
The getauthattr() function enumerates auth_attr entries. The getauth‐
nam() function searches for an auth_attr entry with a given authoriza‐
tion name name. Successive calls to these functions return either suc‐
cessive auth_attr entries or NULL.
Th internal representation of an auth_attr entry is an authattr_t
structure defined in <auth_attr.h> with the following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *short_desc; /* short description */
char *long_desc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
The setauthattr() function "rewinds" to the beginning of the enumera‐
tion of auth_attr entries. Calls to getauthnam() can leave the enumer‐
ation in an indeterminate state. Therefore, setauthattr() should be
called before the first call to getauthattr().
The endauthattr() function may be called to indicate that auth_attr
processing is complete; the system may then close any open auth_attr
file, deallocate storage, and so forth.
The chkauthattr() function verifies whether or not a user has a given
authorization. It first reads the AUTHS_GRANTED key in the /etc/secu‐
rity/policy.conf file and returns 1 if it finds a match for the given
authorization. If chkauthattr() does not find a match, it reads the
PROFS_GRANTED key in /etc/security/policy.conf and returns 1 if the
given authorization is in any profiles specified with the PROFS_GRANTED
keyword. If a match is not found from the default authorizations and
default profiles, chkauthattr() reads the user_attr(4) database. If it
does not find a match in user_attr, it reads the prof_attr(4) data‐
base, using the list of profiles assigned to the user, and checks if
any of the profiles assigned to the user has the given authorization.
The chkauthattr() function returns 0 if it does not find a match in
any of the three sources.
A user is considered to have been assigned an authorization if either
of the following are true:
· The authorization name matches exactly any authorization assigned
in the user_attr or prof_attr databases (authorization names are
case-sensitive).
· The authorization name suffix is not the key word grant and the
authorization name matches any authorization up to the asterisk
(*) character assigned in the user_attr or prof_attr databases.
The examples in the following table illustrate the conditions under
which a user is assigned an authorization.
┌───────────────────────────┬───────────────────────────────┬─────────────┐
│ │ /etc/security/policy.conf or │ Is user │
├───────────────────────────┼───────────────────────────────┼─────────────┤
│Authorization name │ user_attr or prof_attr entry │ authorized? │
├───────────────────────────┼───────────────────────────────┼─────────────┤
│solaris.printer.postscript │ solaris.printer.postscript │ Yes │
├───────────────────────────┼───────────────────────────────┼─────────────┤
│solaris.printer.postscript │ solaris.printer.* │ Yes │
├───────────────────────────┼───────────────────────────────┼─────────────┤
│solaris.printer.grant │ solaris.printer.* │ No │
└───────────────────────────┴───────────────────────────────┴─────────────┘
The free_authattr() function releases memory allocated by the getauth‐
nam() and getauthattr() functions.
RETURN VALUES
The getauthattr() function returns a pointer to an authattr_t if it
successfully enumerates an entry; otherwise it returns NULL, indicating
the end of the enumeration.
The getauthnam() function returns a pointer to an authattr_t if it
successfully locates the requested entry; otherwise it returns NULL.
The chkauthattr() function returns 1 if the user is authorized and 0
otherwise.
USAGE
The getauthattr() and getauthnam() functions both allocate memory for
the pointers they return. This memory should be de-allocated with the
free_authattr() call.
Individual attributes in the attr structure can be referred to by call‐
ing the kva_match(3SECDB) function.
WARNINGS
Because the list of legal keys is likely to expand, code must be writ‐
ten to ignore unknown key-value pairs without error.
FILES
/etc/nsswitch.conf configuration file lookup information
for the name server switch
/etc/user_attr extended user attributes
/etc/security/auth_attr authorization attributes
/etc/security/policy.conf policy definitions
/etc/security/prof_attr profile information
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│MT-Level │MT-Safe │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOgetexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
auth_attr(4), nsswitch.conf(4), prof_attr(4), user_attr(4),
attributes(5), rbac(5)SunOS 5.10 31 Mar 2005 getauthattr(3SECDB)