getauthattr(3SECDB) getauthattr(3SECDB)
NAME
getauthattr, getauthnam, free_authattr, setauthattr, endauthattr, chkauthattr - get authorization entry
SYNOPSIS
cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
#include <auth_attr.h>
#include <secdb.h>
authattr_t *getauthattr(void);
authattr_t *getauthnam(const char *name);
void free_authattr(authattr_t *auth);
void setauthattr(void);
void endauthattr(void);
int chkauthattr(const char *authname, const char *username);
The getauthattr() and getauthnam() functions each return an auth_attr(4) entry. Entries can come from any of the sources specified in the
nsswitch.conf(4) file.
The getauthattr() function enumerates auth_attr entries. The getauthnam() function searches for an auth_attr entry with a given authoriza-
tion name name. Successive calls to these functions return either successive auth_attr entries or NULL.
Th internal representation of an auth_attr entry is an authattr_t structure defined in <auth_attr.h> with the following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *short_desc; /* short description */
char *long_desc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
The setauthattr() function "rewinds" to the beginning of the enumeration of auth_attr entries. Calls to getauthnam() can leave the enumer-
ation in an indeterminate state. Therefore, setauthattr() should be called before the first call to getauthattr().
The endauthattr() function may be called to indicate that auth_attr processing is complete; the system may then close any open auth_attr
file, deallocate storage, and so forth.
The chkauthattr() function verifies whether or not a user has a given authorization. It first reads the AUTHS_GRANTED key in the /etc/secu-
rity/policy.conf file and returns 1 if it finds a match for the given authorization. If chkauthattr() does not find a match, it reads the
PROFS_GRANTED key in /etc/security/policy.conf and returns 1 if the given authorization is in any profiles specified with the PROFS_GRANTED
keyword. If a match is not found from the default authorizations and default profiles, chkauthattr() reads the user_attr(4) database. If it
does not find a match in user_attr, it reads the prof_attr(4) database, using the list of profiles assigned to the user, and checks if any
of the profiles assigned to the user has the given authorization.
The chkauthattr() function returns 0 if it does not find a match in any of the three sources.
A user is considered to have been assigned an authorization if either of the following are true:
o The authorization name matches exactly any authorization assigned in the user_attr or prof_attr databases (authorization names are
case-sensitive).
o The authorization name suffix is not the key word grant and the authorization name matches any authorization up to the asterisk (*)
character assigned in the user_attr or prof_attr databases.
The examples in the following table illustrate the conditions under which a user is assigned an authorization.
+---------------------------+-------------------------------+-------------+
| | /etc/security/policy.conf or | Is user |
+---------------------------+-------------------------------+-------------+
|Authorization name | user_attr or prof_attr entry | authorized? |
+---------------------------+-------------------------------+-------------+
|solaris.printer.postscript | solaris.printer.postscript | Yes |
+---------------------------+-------------------------------+-------------+
|solaris.printer.postscript | solaris.printer.* | Yes |
+---------------------------+-------------------------------+-------------+
|solaris.printer.grant | solaris.printer.* | No |
+---------------------------+-------------------------------+-------------+
The free_authattr() function releases memory allocated by the getauthnam() and getauthattr() functions.
The getauthattr() function returns a pointer to an authattr_t if it successfully enumerates an entry; otherwise it returns NULL, indicat-
ing the end of the enumeration.
The getauthnam() function returns a pointer to an authattr_t if it successfully locates the requested entry; otherwise it returns NULL.
The chkauthattr() function returns 1 if the user is authorized and 0 otherwise.
The getauthattr() and getauthnam() functions both allocate memory for the pointers they return. This memory should be de-allocated with the
free_authattr() call.
Individual attributes in the attr structure can be referred to by calling the kva_match(3SECDB) function.
Because the list of legal keys is likely to expand, code must be written to ignore unknown key-value pairs without error.
/etc/nsswitch.conf configuration file lookup information for the name server switch
/etc/user_attr extended user attributes
/etc/security/auth_attr authorization attributes
/etc/security/policy.conf policy definitions
/etc/security/prof_attr profile information
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|MT-Level |MT-Safe |
+-----------------------------+-----------------------------+
getexecattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB), auth_attr(4), nsswitch.conf(4), prof_attr(4), user_attr(4), attributes(5),
rbac(5)
31 Mar 2005 getauthattr(3SECDB)