Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

files(4) [osf1 man page]

files(4)						     Kernel Interfaces Manual							  files(4)

NAME
files - File control database (Enhanced Security) DESCRIPTION
The file control database (/etc/auth/system/files) is designed to help the Information System Security Officer (ISSO) maintain the integrity of the system. The database contains entries for system data files and executable files that require certain attributes. Some files require certain attributes to provide protection against unauthorized access, while others require a specific set of attributes to accomplish their intended function. The database is used by the library routine create_file_securely() to determine the set of attributes for a newly created file. Many pro- grams associated with the trusted computing base (TCB) use this library routine for file creation to ensure that file attributes are set correctly. A broad range of attributes can be specified in the file control database. Specific choices depend upon the exact system configuration. These choices are as follows: This field specifies the owner name for the entry. If an owner name is not specified and the entry is created using create_file_securely, the owner of the file will be the real user ID of the process creating the file. This field specifies the group name for the entry. If a group name is not specified and the entry is created using create_file_securely, the group of the file will be the real group ID of the process creating the file. This field specifies the mode word for the entry. If the mode word is not specified and create_file_securely is used to create the entry, a mode word of 0 (zero) is assigned to the new file. This field identifies the type of the entry. This field is not taken into account by create_file_securely when a file is being created. The library routine will only create regular files. Choices for the type field are as follows: Regular file Directory FIFO device (pipe) Character special device Block special device Socket EXAMPLES
The following example is a typical file control database entry for the program /sbin/newfs: /sbin/newfs:f_owner=root:f_group=bin: :f_type=r:f_mode#04111: :chkent: This entry specifies that the newfs program has bin as its owner and group, that it is a regular file, and that its mode is 0111 The following example shows an entry for a site-specific directory that contains help files for an application: /appl/help_files:f_owner=appadmin:f_group=appl: :f_type=d:f_mode#0750: :chkent; This entry specifies the owner of the /appl/help_files directory as appadmin, the group as appl, and the mode as 0750. FILES
Specifies the pathname of the file control database. RELATED INFORMATION
Functions: getprfient(3) Files: authcap(4) delim off files(4)

Check Out this Related Man Page

getesfient(3)						     Library Functions Manual						     getesfient(3)

NAME
getesfient, getesfinam, setprfient, endprfient, putesfinam, getprfient, getprfinam, putprfinam - Manipulate file control database entry (Enhanced Security) LIBRARY
Security Library (libsecurity.so) NOTE: In order to quickstart a program, the program must be linked as follows: -lsecurity -ldb -laud -lm See the shared library discussion in the Programmer's Guide for more information about using the quickstarting feature. SYNOPSIS
#include <sys/types.h> #include <sys/security.h> #include <prot.h> struct es_file *getesfient(void); struct es_file *getesfinam( char *name); void setprfient(void); void endprfient(void); int putesfinam( char *name, struct es_file *pr); NOTE: The getprfient(), getprfinam(), and putprfinam() routines have been replaced by getesfient(), getesfinam(), and putesfinam() respec- tively. PARAMETERS
Specifies a file control database entry name. Specifies a file control database entry structure. DESCRIPTION
The getesfient() and getesfinam() functions each return a pointer to an object with the following structure containing the separated-out fields of a line in the file control database. Each line in the database contains a es_file structure, declared in the prot.h header file as follows: /* File Control Database Entry */ struct esfi_field { char *fd_name; /* Holds full path name */ uid_t fd_uid; /* uid of owner */ gid_t fd_gid; /* gid of group */ mode_t fd_mode; /* permissions */ char *fd_type; /* file type (one of r,b,c,d,f,s,m) */ mand_ir_t *fd_slevel; /* sensitivity level for file */ acle_t *fd_acl; /* access control list for file */ int fd_acllen; /* number of entries in fd_acl */ priv_t *fd_pprivs; /* potential privileges */ priv_t *fd_gprivs; /* granted privileges */ }; struct esfi_flag { unsigned int fg_name:1, /* Is fd_name set? */ fg_uid:1, /* Is fd_uid set? */ fg_gid:1, /* Is fd_gid set? */ fg_mode:1, /* Is fd_mode set? */ fg_type:1, /* Is fd_type set? */ fg_slevel:1, /* Is fd_slevel set? */ fg_acl:1, /* Is fd_acl set? */ fg_pprivs:1, /* Is fd_pprivs set? */ fg_gprivs:1 /* Is fd_gprivs set? */ ; }; struct es_file { AUTH_ESCAP_COMMON size_t fieldlen; struct esfi_field *ufld; struct esfi_flag *uflg; }; The getesfient() function when first called returns a pointer to the first es_file structure in the database; thereafter, it returns a pointer to the next es_file structure in the database, so successive calls can be used to search the database. The getesfinam() function searches from the beginning of the database until a file name matching name is found, and returns a pointer to the particular structure in which it was found. If an end-of-file or an error is encountered on reading, these functions return a null pointer. A call to the setprfient() function has the effect of rewinding the file control database to allow repeated searches. The endprfient() function can be called to close the file control database when processing is complete. The putesfinam() function puts a new or replaced file control entry pr with key name into the database. If the uflg->fg_name field is a 0 (zero), the requested entry is deleted from the file control database. The putesfinam() function locks the database for all update opera- tions, and performs a endprfient() after the update or failed attempt. The file control database stores a list of entries for security relevant files. This database is used by the setfiles program to assign and maintain the security attributes of system files. The fd_name pointer refers to the file name, which can be an absolute pathname or a pathname whose last component is an * (asterisk), which is treated as a wildcard entry. Entries that refer to a specific file in a directory supersede the wildcard entry if the absolute pathname precedes the wildcard entry in the database. The fd_uid and fd_gid fields are the numeric owner and group of the file. The fd_mode field is the mode word, including owner, group, and other permissions, as well as the SUID and SGID bits. The fd_type field contains a one-char- acter file type indicator: r (regular), b (block-special), c (character-special), d (directory), f (FIFO), s (symbolic link), The fd_acl field, if set, references the textual representation of the file's access control list. The fd_acllen field is not currently used. NOTES
Programs using these functions must be compiled with -lsecurity. Structures returned by the database routines contain pointers to character strings and lists rather than being self-contained. The copy function must be used rather than doing a structure assignment to save a returned structure. The value returned by getesfinam() and getesfient() refers to a structure that is overwritten by calls to these functions. To retrieve an entry, modify it, and replace it in the database, you must copy the entry using copyesfient() and supply the modified buffer to putesfi- nam(). RETURN VALUES
The getesfient() and getesfinam() functions return null pointers on EOF or an error. The putesfinam() function returns a value of 0 (zero) if it cannot add or update the entry. FILES
Description file of directories, devices, control, and commands modified for security. General security databases file. RELATED INFORMATION
Files: authcap(4), files(4) Security delim off getesfient(3)
Man Page