chkauthattr man page on SmartOS

Man page or keyword search:  
man Server   16655 pages
apropos Keyword Search (all sections)
Output format
SmartOS logo
[printable version]


       getauthattr,   getauthnam,   free_authattr,  setauthattr,  endauthattr,
       chkauthattr - get authorization entry

       cc [ flag... ] file... -lsecdb  -lsocket	 -lnsl	[ library... ]
       #include <auth_attr.h>
       #include <secdb.h>

       authattr_t *getauthattr(void);

       authattr_t *getauthnam(const char *name);

       void free_authattr(authattr_t *auth);

       void setauthattr(void);

       void endauthattr(void);

       int chkauthattr(const char *authname, const char *username);

       The  getauthattr()  and	 getauthnam()	functions   each   return   an
       auth_attr(4)  entry. Entries can come from any of the sources specified
       in the nsswitch.conf(4) file.

       The getauthattr() function enumerates auth_attr entries.	 The  getauth‐
       nam()  function searches for an auth_attr entry with a given authoriza‐
       tion name name. Successive calls to these functions return either  suc‐
       cessive auth_attr entries or NULL.

       Th  internal  representation  of	 an  auth_attr	entry is an authattr_t
       structure defined in  <auth_attr.h> with the following members:

	 char	*name;	      /* name of the authorization */
	 char	*res1;	      /* reserved for future use */
	 char	*res2;	      /* reserved for future use */
	 char	*short_desc;  /* short description */
	 char	*long_desc;   /* long description */
	 kva_t	*attr;	      /* array of key-value pair attributes */

       The setauthattr() function "rewinds" to the beginning of	 the  enumera‐
       tion of auth_attr entries.  Calls to getauthnam() can leave the enumer‐
       ation in an indeterminate state.	 Therefore,  setauthattr()  should  be
       called before the first call to getauthattr().

       The  endauthattr()  function  may  be called to indicate that auth_attr
       processing is complete; the system may then close  any  open  auth_attr
       file, deallocate storage, and so forth.

       The  chkauthattr()  function verifies whether or not a user has a given
       authorization. It first reads the AUTHS_GRANTED key in  the  /etc/secu‐
       rity/policy.conf	 file  and returns 1 if it finds a match for the given
       authorization. If chkauthattr() does not find a match and the  username
       is  the	name  of the "console user", defined as the owner of /dev/con‐
       sole, it first reads the CONSOLE_USER key in  /etc/security/policy.conf
       and  returns  1	if  the	 given authorization is in any of the profiles
       specified in the CONSOLE_USER keyword, then reads the PROFS_GRANTED key
       in  /etc/security/policy.conf  and returns 1 if the given authorization
       is in any profiles specified with the PROFS_GRANTED keyword. If a match
       is  not	found  from  the  default authorizations and default profiles,
       chkauthattr() reads the user_attr(4) database. If it does  not  find  a
       match in	 user_attr, it reads the prof_attr(4) database, using the list
       of profiles assigned to the user, and checks if	any  of	 the  profiles
       assigned	 to  the  user has the given authorization.  The chkauthattr()
       function returns 0 if it does not find a match  in  any	of  the	 three
       sources or if the user does not exist.

       A  user	is considered to have been assigned an authorization if either
       of the following are true:

	   o	  The authorization name  matches  exactly  any	 authorization
		  assigned  in	the  user_attr or  prof_attr databases (autho‐
		  rization names are case-sensitive).

	   o	  The authorization name suffix is not the key word  grant and
		  the  authorization  name matches any authorization up to the
		  asterisk  (*)	 character  assigned  in  the	user_attr   or
		  prof_attr databases.

       The  examples  in  the  following table illustrate the conditions under
       which a user is assigned an authorization.

       │			   │ /etc/security/policy.conf or  │   Is user	 │
       │    Authorization name	   │ user_attr or  prof_attr entry │ authorized? │
       │solaris.printer.postscript │  solaris.printer.postscript   │	 Yes	 │
       │solaris.printer.postscript │	   solaris.printer.*	   │	 Yes	 │
       │  solaris.printer.grant	   │	   solaris.printer.*	   │	 No	 │

       The free_authattr() function releases memory allocated by the  getauth‐
       nam() and  getauthattr() functions.

       The  getauthattr()  function  returns a pointer to an  authattr_t if it
       successfully enumerates an entry; otherwise it returns NULL, indicating
       the end of the enumeration.

       The  getauthnam()  function  returns  a pointer to an  authattr_t if it
       successfully locates the requested entry; otherwise it returns NULL.

       The chkauthattr() function returns 1 if the user is authorized and 0 if
       the user does not exist or is not authorized.

       The  getauthattr()  and getauthnam() functions both allocate memory for
       the pointers they return. This memory should be	deallocated  with  the
       free_authattr() call.

       Individual attributes in the attr structure can be referred to by call‐
       ing the kva_match(3SECDB) function.

       Because the list of legal keys is likely to expand, code	 must be writ‐
       ten to ignore unknown key-value pairs without error.

				    configuration  file lookup information for
				    the name server switch

				    extended user attributes

				    authorization attributes

				    policy definitions

				    profile information

       See attributes(5) for descriptions of the following attributes:

       │MT-Level       │ MT-Safe	 │

       getexecattr(3SECDB),	getprofattr(3SECDB),	  getuserattr(3SECDB),
       auth_attr(4),	 nsswitch.conf(4),     prof_attr(4),	 user_attr(4),
       attributes(5), rbac(5)

				 Feb 20, 2009		   GETAUTHATTR(3SECDB)

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net