getesdfent(3) Library Functions Manual getesdfent(3)
NAME
getesdfent, getesdfnam, setprdfent, endprdfent, putesdfnam, getprdfent, getprdfnam, putprdfnam - Manipulate system default database entry
(Enhanced Security)
LIBRARY
Security Library (libsecurity.so)
NOTE: In order to quickstart a program, the program must be linked as follows:
-lsecurity -ldb -laud -lm
See the shared library discussion in the Programmer's Guide for more information about using the quickstarting feature.
SYNOPSIS
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>
struct es_default *getesdfent(void);
struct es_default *getesdfnam( char *name);
void setprdfent(void);
void endprdfent(void);
int putesdfnam( char *name, struct es_default *pr);
NOTE: The getprdfent(), getprdfnam(), and putprdfnam() routines have been replaced by getesdfent(),getesdfnam(), and putesdfnam() respec-
tively.
PARAMETERS
Specifies a system default database entry name. Specifies a system default database control entry structure.
DESCRIPTION
The getesdfent() and getesdfnam() functions each return a pointer to an object with the following structure containing the separated-out
fields of a line in the system default database. Each line in the database contains a es_default structure, declared in the <prot.h> file
as follows: struct es_default {
AUTH_ESCAP_COMMON
char *dd_name; /* copy of sfld->fd_name */
int dg_name; /* copy of sflg->fg_name */
size_t esprof_flen;
struct espw_field *prd;
struct espw_flag *prg;
size_t estc_flen;
struct estc_field *tcd;
struct estc_flag *tcg;
size_t esdev_flen;
struct esdev_field *devd;
struct esdev_flag *devg;
size_t fieldlen;
struct es_default_fields *sfld;
struct es_default_flags *sflg; } ;
struct system_default_fields
{
time_t fd_inactivity_timeout;
time_t fd_pw_expire_warning;
char fd_pw_site_callout[MAXPATHLEN];
mask_t fd_secclass[AUTH_SECCLASSVEC_SIZE];
/* System security class */
char fd_boot_authenticate;
char fd_audit_enable;
} ;
struct system_default_flags
{
unsigned int
fg_inactivity_timeout : 1,
fg_pw_expire_warning : 1,
fg_pw_site_callout : 1,
fg_boot_authenticate : 1,
fg_audit_enable : 1,
fg_secclass : 1 ;
} ;
struct es_default_fields
{
char *fd_name;
time_t fd_inactivity_timeout;
time_t fd_pw_expire_warning;
char *fd_pw_site_callout;
mand_ir_t *fd_single_user_sl;
mask_t *fd_secclass; /* System security class */
char fd_boot_authenticate;
char fd_audit_enable;
char fd_preexpire; /* admin-set psw should be expired */
char fd_skip_ttys_update; /* skip putprtcnam in login path */
char fd_auto_migrate_u; /* auto-create 'missing' profiles */
time_t fd_max_vac_future; /* how far into future can vac. be? */
time_t fd_max_vac_len; /* how long can vac. be (by user)? */ /* if either of the above fields is 0, user-originated 'vacation'
* scheduling is disabled. */
char fd_accept_vouch; /* accept 'vouching' in SIA */
} ;
struct es_default_flags
{
unsigned int
fg_name : 1,
fg_inactivity_timeout : 1,
fg_pw_expire_warning : 1,
fg_pw_site_callout : 1,
fg_single_user_sl : 1, /* sens. level for single-user*/
fg_boot_authenticate : 1,
fg_audit_enable : 1,
fg_secclass : 1,
fg_preexpire : 1, /* Is fd_preexpire set? */
fg_skip_ttys_update : 1, /* Have fd_skip_ttys_update? */
fg_auto_migrate_u : 1, /* Have fd_auto_migrate_u? */
fg_max_vac_future : 1, /* Have fd_max_vac_future? */
fg_max_vac_len : 1, /* Have fd_max_vac_len? */
fg_accept_vouch : 1 /* Have fd_accept_vouch? */
;
} ;
Currently there is only one entry in the system default database, referenced by the name "default".
The system default database contains default values for all parameters in the protected password, terminal control, and device assignment
databases, as well as configurable system-wide parameters. The fields from the other databases are described in the corresponding reference
pages.
fd_pw_expire_warning
This field is the time, in seconds, before a password's expiration that the system begins printing expiration warnings when the user
logs in.
fd_secclass
Although not used in the software, this field is an indicator of the system's TCSEC (Orange Book) class of trust.
fd_boot_authenticate
This field is a Boolean flag that indicates whether an authorized user must authenticate before the system begins operation. This
field is reserved for future use.
fd_audit_enable
This field and the fd_audit_flag are always 0 (zero).
fd_name
Name of the entry.
fd_inactivity_timeout
Reserved for future use/
fd_pw_site_callout
Pathname for the password policy callout script (or program, if replaced by the site). It is currently shipped as "/tcb/bin/pwpol-
icy".
fd_preexpire
Flag determining whether passwords set by system administrators should be pre-expired. Honored by the dxchpwd program (and thus by
dxaccounts), as well as by the auto-migration code in the login sequence (see fd_auto_migrate_u).
fd_skip_ttys_update
Flag which, if set, disables break-in evasion for terminals by skipping the update of the ttys database during logins.
fd_auto_migrate_u
Flag determining whether user accounts which have valid accounts according to getpwnam() but which have no entry visible to getespw-
nam() should have an extended profile created automatically during login processing.
fd_max_vac_future
Time interval (in seconds) specifying the maximum time from the current time at which a user-initiated vacation can start. (Adminis-
tratively-set vacations are not subject to this limit.) If 0, no user-initiated vacationing is possible.
fd_max_vac_len
Maximum time interval (in seconds) which can be set as the duration of a user-initiated vacation request. (Administratively-set vaca-
tions are not subject to this limit.) If 0, no user-initiated vacationing is possible.
fd_accept_vouch
Flag determining whether the enhanced security login sequence accepts password validation from another SIA mechanism, such as DCE.
The getesdfent() function returns a pointer to the first es_default structure in the database when first called. Thereafter, it returns a
pointer to the next es_default structure in the database, so successive calls can be used to search the database (not currently supported).
The getesdfnam() function searches from the beginning of the file until a default entry matching name is found, and returns a pointer to
the particular structure in which it was found. If an end-of-file or an error is encountered on reading, these functions return a null
pointer. Currently, all programs access the default database by calling getesdfnam() (the default).
A call to the setprdfent() function has the effect of rewinding the default control file to allow repeated searches. The endprdfent()
function can be called to close the database when processing is complete.
The putesdfnam() function puts a new or replaced default control entry pr with key name into the database. If the sflg->fg_name field con-
tains a value of 0 (zero), the requested entry is deleted from the system default database. The putesdfnam() function locks the database
for all update operations, and performs an endprdfent() after the update or failed attempt.
CAUTIONS
Structures returned by the database routines contain pointers to character strings and lists rather than being self-contained. The copy
functions must be used rather than doing a structure assignment to save a returned structure.
Do not delete the system default entry. This renders the system unusable.
RETURN VALUES
The getesdfent() and getesdfnam() functions return null pointers on EOF or an error. The putesdfnam() function returns a value of 0 (zero)
if it cannot add or update the entry.
FILES
System defaults database.
RELATED INFORMATION
Functions: getespwent(3), getestcent(3), getesdvent(3)
Files: authcap(4), default(4)
Security delim off
getesdfent(3)