subsystems(S-osr5)
subsystems -- manipulation routines for Subsystems database
Syntax
cc ... -lprot -lx
int authorized_user (auth)
char *auth;
int primary_auth (name)
char *name;
char *primary_of_secondary_auth (name)
char *name;
int secondary_auth (name)
char *name;
int total_auths()
int widest_auth()
int write_authorizations (user, auth_list, list_len)
char *user;
char **auth_list;
int list_len;
Description
These routines manipulate and refer to the Subsystems database,
which is extracted from the Protected Password entries for all
users. The Subsystems database stores primary and secondary
authorizations for users with respect to protected subsystems on
the Security Module Package. A protected subsystem is associated
with a special group, and provides some service to users. It is
called protected because all its programs run SGID to
that group, and the files and devices that the subsystem
references are only accessible to that group, and therefore
through the protected subsystem's programs.
A primary authorization for a protected subsystem
allows a user to assume the administrator role for that
subsystem. The primary authorization name is the group name
whose effective identity is used by the subsystem programs to
protect subsystem files. If a user possesses a primary
authorization for a subsystem, he/she can do all actions within
that subsystem. The list of primary authorizations is as
follows:
audit       Audit administrator.
auth        Authentication database administrator.
backup      Backup and file system maintenance administrator.
cron        Cron subsystem administrator (at, batch, crontab).
lp          Line printer spooling subsystem administrator.
mem         Authorization to view information about other users (memory devices).
sysadmin    System administrator functions that require root privilege.
terminal    The authorization to send unfiltered information between user terminals.
uucp        The ability to run uucp (not currently supported).
A secondary authorization allows finer grain operations
within protected subsystems. These authorizations are often
granted either to specific users or to the entire user community
by appropriate setup of user Protected Password entries and the
Defaults database. Each secondary authorization is associated
with exactly one protected subsystem, and only allows operations
with respect to that subsystem. The secondary authorizations are
as follows:
printqueue  Authorization to see other users' jobs in the print queues (lp).
printerstat Authorization to change printer status with the enable(C) and disable(C) commands (lp).
queryspace  Authorization to use df(C) to query file system space (backup).
The authorized_user routine returns non-zero if the
login user ID associated with the current process has the
specified authorization in the subsystem that is currently
running. This subsystem is identified by the effective group
under which the program began execution. The primary
authorization for any subsystem grants all secondary
authorizations for that subsystem.
The rest of the routines are for programs that manipulate user
entries directly, or that have to validate authorizations input
by users. They may not be supported in future releases of the
SMP. The primary_auth routine maps a primary
authorization name to a bit offset in a mask. This is used for
checking a user's authorizations against the Protected Password
entry. The primary_of_secondary_auth routine returns
the primary authorization name associated with the secondary
authorization. The primary authorization name is also the
subsystem name in which the secondary authorization is
recognized. The secondary_auth routine maps a
secondary authorization to a bit offset. The
total_auths routine returns the number of primary and
secondary authorizations recognized by the system. The
widest_auth routine returns the longest string name of
any authorization.
The write_authorizations routine updates the Subsystems
database for a given user. It takes list_len
authorizations from the auth_list array of string
pointers and associates those authorizations with the given
user. If the first character string pointer references the
string ``default,'' the user is given default authorizations.
This routine is used by the screen-oriented routine which updates
the user's Protected Password entry, and then must propagate the
user's authorizations to the Subsystems database.
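The following is an added, self-contained model of the semantics this page documents (a single authorization mask indexed by bit offset, each secondary authorization belonging to exactly one subsystem, and a primary authorization granting every secondary of its subsystem). It is not the libprot implementation: the model_* functions, the table and the bit offsets are assumptions chosen for illustration; the authorization names and their subsystems are the ones listed above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table of the authorizations listed on this page. Each entry
 * names an authorization and the primary (subsystem) that recognises it;
 * a primary is its own subsystem. The array index serves as the bit
 * offset in the mask, which is an assumption, not libprot's layout. */
struct auth { const char *name; const char *primary; };
static const struct auth auths[] = {
    { "audit", "audit" },   { "auth", "auth" },         { "backup", "backup" },
    { "cron", "cron" },     { "lp", "lp" },             { "mem", "mem" },
    { "sysadmin", "sysadmin" }, { "terminal", "terminal" }, { "uucp", "uucp" },
    { "printqueue", "lp" }, { "printerstat", "lp" },    { "queryspace", "backup" },
};
#define NAUTHS (sizeof auths / sizeof auths[0])

/* Bit offset of an authorization name, or -1 if it is not supported
 * (the same contract primary_auth/secondary_auth are documented to have). */
int model_auth_bit(const char *name) {
    for (size_t i = 0; i < NAUTHS; i++)
        if (strcmp(auths[i].name, name) == 0) return (int)i;
    return -1;
}

/* Subsystem (primary authorization name) in which 'name' is recognised,
 * or NULL if unknown; mirrors what primary_of_secondary_auth returns. */
const char *model_primary_of(const char *name) {
    int b = model_auth_bit(name);
    return b < 0 ? NULL : auths[b].primary;
}

/* Build a mask from a list of names, the input shape write_authorizations
 * takes. Unknown names are ignored here; the real routine reports failure. */
unsigned model_mask(const char **list, int n) {
    unsigned m = 0;
    for (int i = 0; i < n; i++) {
        int b = model_auth_bit(list[i]);
        if (b >= 0) m |= 1u << b;
    }
    return m;
}

/* Does a user holding 'mask' have 'name' while running in 'subsys'?
 * An authorization only counts inside its own subsystem, and the primary
 * authorization for that subsystem grants all of its secondaries. */
int model_authorized(unsigned mask, const char *subsys, const char *name) {
    int b = model_auth_bit(name), p = model_auth_bit(subsys);
    if (b < 0 || p < 0 || strcmp(auths[b].primary, subsys) != 0) return 0;
    return (mask & (1u << b)) != 0 || (mask & (1u << p)) != 0;
}
```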
NOTE:
These routines are also included in libsocket. The libsocket version
provides the same functionality described here and additionally provides
NIS support. Link with libsocket using cc ... -lsocket to get the
additional NIS (Network Information Service) functionality.
Diagnostics
The authorized_user routine returns non-zero if the user
possesses the specified authorization, otherwise zero. The
total_auths routine returns the sum of the number of
primary authorizations and the number of secondary
authorizations recognized by the system. The
widest_auth routine returns the length of the longest
string name of an authorization. This length does not include
the trailing null character. Both primary_auth and
secondary_auth return a negative value if the
authorization name is not supported; otherwise, they return the
bit offset of the authorization. The Protected Password database
stores both types of authorizations in the same mask. The
primary_of_secondary_auth routine returns a pointer to
a static area containing the primary authorization name
associated with the secondary authorization. The string must be
copied if it is to be modified. The
write_authorizations routine returns 0 on success,
non-zero on permission failures, I/O errors, etc.
See also
getprpwent(S-osr5)
Standards conformance
subsystems is not part of any currently supported standard;
it is an extension of AT&T System V provided by the Santa Cruz Operation.
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 02 June 2005