authcap(4)authcap(4)NAMEauthcap - Format of security databases (Enhanced Security)
The security-relevant databases used by the enhanced security subsets
include the user profile databases (and by extension thier optional NIS
map source files), the file control database, the terminal control and
device assignment databases, and the system default database.
This reference page describes the location and general format of these
databases. A specific reference page for each database describes its
The user profile databases (sometimes referred to as the protected
password database) reside in /tcb/files/auth.db and
/var/tcb/files/auth.db. The /tcb/files/auth.db database contains infor‐
mation for UIDs from 0 to 99. The /var/tcb/files/auth.db database con‐
tains information for UIDs 100 and up.
All other databases reside in /etc/auth/system. These include: System
default database of global (or template) values for users and devices.
File control database Terminal control database Device assignment data‐
Files with extensions are in database format for efficiency. Others are
ASCII files. All the databases can be manipulated by the edauth util‐
A file entry consists of a key followed by a colon (:), a set of
field/value pairs each followed by a colon, and a terminator, chkent:.
The following is an example of a user profile entry as a single, con‐
For readability, an entry can optionally be split into multiple lines
by inserting a backslash (\) character at the end of each line and an
extra colon at the beginning of the continuation line. Continuation
lines are indented by a tab character. The split cannot separate a
field/value pair, including its terminating colon.
The following is the same entry as above, broken into multiple lines:
jones:u_name=jones:u_id#16:\ :u_pwd=a78/a1.eitfn6:\ :u_lock@:chkent:
Multiple entries are separated by a new line that is not preceded by a
continuation character. For example:
Each entry is referenced by the key followed by the colon (:).
At the end of each entry is the chkent field. The "chkent:" string
indicates that the entry is complete. This is used as an integrity
check on each entry by the programs that read the databases.
The field names, or capabilities, begin with an identifying prefix that
depends upon the database type. The following list of prefixes also
lists the reference page that explains the associated database: Termi‐
nal control database field. See the ttys(4) reference page. User pro‐
file (protected password) database field. See the prpasswd(4) reference
page. Device assignment database field. See the devassign(4) reference
page. System default database field. Note that the system default
database can contain fields with any of the above prefixes. See the
default(4) reference page.
Fields can have numeric, Boolean, or string values: Numeric fields take
the form fieldname#number, where number is a decimal number, an octal
number (indicated by a leading 0), or a hexadecimal number (indicated
by a leading 0X). Boolean fields take the form fieldname for true or
fieldname@ for false. String fields take the form fieldname=string,
where string is 0 (zero) or more characters. To include the backslash
(\) or colon (:) characters in a string, surround them with the back‐
slash (\) character.
All databases use a lock file, the existence of which means that the
file is currently being rewritten. Occasionally, the files remain after
a system crash and must be removed manually. The lock file is formed by
appending :t to the database file name.
Fields and Flags
A program reads a database entry as a structure composed of two sub-
structures: a field sub-structure and a flag sub-structure. Each sub-
structure has one member for each potential field. A one-bit flag indi‐
cates the presence or absence of its corresponding field in a particu‐
lar entry. The field structure contains the field values (for example,
a number, a Boolean flag, a directory string, or a mask).
Protected password database for UIDs from 0 to 99. Protected password
database for UIDs 100 and up. Contains the global system settings
Functions: getprpwent(3), getdvagent(3), getprdfent(3), getprtcent(3),
Files: default(4), devassign(4), files(4), prpasswd(4), ttys(4)authcap(4)