svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
getauthattr(3c)
Standard C Library Functions getauthattr(3C)
NAME
getauthattr, getauthnam, free_authattr, setauthattr, endauthattr,
chkauthattr, chkauthattr_ucred - get authorization entry
SYNOPSIS
#include <auth_attr.h>
authattr_t *getauthattr(void);
authattr_t *getauthnam(const char *name);
void free_authattr(authattr_t *auth);
void setauthattr(void);
void endauthattr(void);
int chkauthattr(const char *authname, const char *username);
int chkauthattr_ucred(const char *authname, const char *username, ucred_t ucred);
DESCRIPTION
The getauthattr() and getauthnam() functions each return an
auth_attr(5) entry. Entries can come from any of the sources specified
in the nsswitch.conf(5) file.
The getauthattr() function enumerates auth_attr entries. The getauth‐
nam() function searches for an auth_attr entry with a given authoriza‐
tion name name. Successive calls to these functions return either suc‐
cessive auth_attr entries or NULL.
The internal representation of an auth_attr entry is an authattr_t
structure defined in <auth_attr.h> with the following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *short_desc; /* short description */
char *long_desc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
The setauthattr() function "rewinds" to the beginning of the enumera‐
tion of auth_attr entries. Calls to getauthnam() can leave the enumera‐
tion in an indeterminate state. Therefore, setauthattr() should be
called before the first call to getauthattr().
The endauthattr() function may be called to indicate that auth_attr
processing is complete; the system may then close any open auth_attr
file, deallocate storage, and so forth.
The chkauthattr() function verifies whether or not a user has a given
authorization. It first reads the user_attr(5) database and returns 1
if it finds a match for the given authorization. If it does not find a
match in user_attr, chkauthattr() reads the prof_attr(5) database using
the list of profiles assigned to the user and checks if any of the pro‐
files assigned to the user has the given authorization.
For each user, there are two sets of profiles, an authenticated set and
an unauthenticated set. Authorizations in the authenticated set or
always effective, but those in the unauthenticated set only become
effective after a successful response to an authentication challenge.
Such challenges are automatically issued when the user executes a com‐
mand matching an entry in the authenticated profiles set. See
pfexec(1).
When chkauthattr() finds a profile called "Stop", further profiles are
ignored, the authorizations and profiles mentioned in /etc/secu‐
rity/policy.conf are ignored and it returns 0. If it does not find a
match in the user's profiles, chkauthattr() reads the AUTHS_GRANTED key
in the /etc/security/policy.conf file and returns 1 if it finds a match
for the given authorization. If chkauthattr() does not find a match and
the username is the name of the "console user", defined as the owner of
/dev/console, it first reads the CONSOLE_USER key in /etc/security/pol‐
icy.conf and returns 1 if the given authorization is in any of the pro‐
files specified in the CONSOLE_USER keyword, then reads the
PROFS_GRANTED key in /etc/security/policy.conf and returns 1 if the
given authorization is in any profiles specified with the PROFS_GRANTED
keyword. The chkauthattr() function returns 0 if it does not find a
match in any of the three sources or if the user does not exist.
The chkauthattr_ucred() function is identical to the chkauthattr()
function, except for its interpretation of authorizations specified in
the authenticated profiles set. In determining whether the authenti‐
cated profiles are effective, it uses the ucred pointer instead of the
process flags of the calling process. This function should be used for
local services that run on behalf of clients. The ucred of the client
can be obtained by getpeerucred(3C) or door_ucred(3C).
The <auth_list.h> header file contains manifest constants for most of
the defined authorizations. It is provided as a programming convenience
to minimize typing errors and to allow tools such as cscope(1) and
other source browsers to quickly identify where a particular authoriza‐
tion is checked.
Authorization names consist of a hierarchical set of dot (.)-separated
words, called the predicate, and an optional object qualifier preceded
by a slash character (/). Authorizations listed in user_attr and
prof_attr may contain an asterisk (*) following the final dot in the
predicate to indicate a wildcard. The reserved word grant, used for
delegating authorizations, is not matched by *. Object qualifiers may
use the fnmatch syntax to match multiple objects based on the provided
pattern. The pattern is evaluated with the FNM_PATHNAME and FNM_LEAD‐
ING_DIR flags. For more information, see the fnmatch(7) man page.
A user is considered to have been assigned an authorization if all of
the following are true:
o The authorization name matches exactly any authorization
assigned in the user_attr or prof_attr databases (authoriza‐
tion names are case-sensitive).
o The predicate of authname matches the predicate of an autho‐
rization completely, or the predicate does not end in grant
and matches up to the * if present.
o The authorization name suffix is not the key word grant and
the authorization name matches any authorization up to the
asterisk (*) character assigned in the user_attr or
prof_attr databases.
o If the authorization includes an object qualifier, then
authname must include the same object qualifier.
The examples in the following table illustrate the conditions under
which a user is assigned an authorization.
tab(); lw(2.62i) lw(2.44i) lw(0.44i) lw(2.62i) lw(2.44i) lw(0.44i)
Authorization nameT{ /etc/security/policy.conf, user_attr, or prof_attr
entry T}Authorized? _ solaris.printer.postscriptso‐
laris.printer.postscriptYes solaris.printer.postscriptso‐
laris.printer.*Yes solaris.printer.grantsolaris.printer.*No
solaris.zone.login/z1solaris.zone.*Yes
solaris.admin.edit/etc/inet/ntp.confsolaris.admin.edit/etc/inet/*.con‐
fYes solaris.admin.edit/etc/pam.confso‐
laris.admin.edit/etc/p[!a]*.confNo solaris.admin.edit/etc/proftpd.conf‐
solaris.admin.edit/etc/p[!a]*.confYes
solaris.admin.edit/etc/ntp/ntp.confsolaris.admin.edit/etc/ntpYes
The free_authattr() function releases memory allocated by the getauth‐
nam() and getauthattr() functions.
RETURN VALUES
The getauthattr() function returns a pointer to an authattr_t if it
successfully enumerates an entry; otherwise it returns NULL, indicating
the end of the enumeration.
The getauthnam() function returns a pointer to an authattr_t if it suc‐
cessfully locates the requested entry; otherwise it returns NULL.
The chkauthattr() function returns 1 if the user is authorized and 0 if
the user does not exist or is not authorized.
USAGE
The getauthattr() and getauthnam() functions both allocate memory for
the pointers they return. This memory should be deallocated with the
free_authattr() call.
Individual attributes in the attr structure can be referred to by call‐
ing the kva_match(3C) function.
WARNINGS
Because the list of legal keys is likely to expand, code must be writ‐
ten to ignore unknown key-value pairs without error.
FILES
/etc/nsswitch.conf configuration file lookup information for
the name service switch
/etc/user_attr extended user attributes
/etc/security/auth_attr authorization attributes
/etc/security/policy.conf policy definitions
/etc/security/prof_attr profile information
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Interface StabilityCommitted _ MT-LevelMT-Safe
SEE ALSO
getexecattr(3C), getprofattr(3C), getuserattr(3C), auth_attr(5), nss‐
witch.conf(5), prof_attr(5), user_attr(5), attributes(7), rbac(7),
fnmatch(7)
Oracle Solaris 11.4 17 Aug 2018 getauthattr(3C)