secstat(1) DG/UX B2 Security R4.12MU02 secstat(1)
NAME
secstat - list security attribute status
SYNOPSIS
secstat [-alpqr] [-c | -b] object ...
where:
object A pathname
DESCRIPTION
The secstat command displays the status of the security attributes on
a file object, based upon the information in the file object's
internal data structures. The information returned indicates:
· whether a device is allocable or allocated
· whether a file has an implicit or an explicit MAC label, or is
governed by a range
· whether a regular file that is governed by a range has a temporary
MAC label
· whether a regular file governed by a permanent MAC label also has
a MAC range
· whether a file has an extended ACL
· whether a directory has a default ACL
· whether a file has any capability sets
· whether a directory is a multilevel directory parent, a hidden
directory, or a regular directory
Options
-a Display status information of all files, including those
beginning with ., when the -r option is selected.
-b Display security attribute status information in binary form.
-c Display security attribute status information in character
format (the default).
-l If object is a symbolic link, operate on the link. The default
behavior is to operate on the object that the link references.
-p Display the absolute pathname of the file with all symbolic
links resolved (assuming the absence of the -l option).
-q Do not write diagnostic messages. The usage error message is
always written.
-r Recursively descend through directory file objects, displaying
the security attribute status of each file object.
-c and -b cannot both be specified.
The user must have MAC read access to an object that does not have a
governing MAC range to determine its security attributes status, or
must have appropriate privilege. If the file object has a MAC range,
then the invoking process's clearance must dominate the low end of
the MAC range to receive information about the MAC range. To
determine that a directory is an MLD (i.e., the parent directory of
hidden directories), the user must be in real directory mode.
Output Format
If no output format is specified, or -c is specified, then the
secstat command displays the security attribute status information in
character format.
The first line will list the object type (directory, MLD, HD, file,
pipe), followed by a colon and a space, followed by the object name.
If the object is an allocable or allocated device, the next line will
show this status.
The next line will indicate what the governing MAC entity is
(explicit MAC label, implicit MAC label, explicit MAC label with MAC
range, MAC range, MAC range with temporary MAC label).
The next line indicates whether the file object has a minimum ACL or
an extended ACL (minimum ACL, extended ACL). If the file object is a
directory that has a default ACL, this line also includes a second,
space-separated field that indicates this (default ACL).
If the object has any capability set besides a required set, the next
line will read "capability."
If the object has a required capability set, the next line will read
"required capability."
If binary output format is specified (-b), then the secstat command
displays the object type, followed by a colon, a space, and the
object name, followed by a colon, a space and the hexadecimal value
of the secpattrs field (see dgsecstat(2)). If the object is a
directory, this information is followed by a space and the
hexadecimal value of the directory subtype field.
The output for each object is followed by a blank line.
EXAMPLES
A directory /regdir has a MAC label and a MAC range but no extended
ACL.
$ secstat regdir
directory file: reg_dir
explicit MAC label with MAC range
minimum ACL
A regular file /regfile is governed by a MAC range, but has a
temporary MAC label, and it has an extended ACL.
$ secstat regfile
file: reg_file
MAC range with temporary MAC label
extended ACL
Both file objects above are specified on the same command line.
$ secstat regdir regfile
directory file: reg_dir
explicit MAC label with MAC range
minimum ACL
file: reg_file
MAC range with temporary MAC label
extended ACL
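As an added example (not part of the DG/UX documentation), the following Python code parses the character format described under Output Format into one record per object, keeping the type text verbatim and collecting unrecognized lines rather than dropping them. The wording of the device status line is not given on this page, so matching on "allocable" or "allocated" is an assumption, and the made_up_dir record in the sample input is constructed.

```python
import re

# The five governing MAC entities listed under "Output Format".
MAC_STATES = {"explicit MAC label", "implicit MAC label", "MAC range",
              "explicit MAC label with MAC range",
              "MAC range with temporary MAC label"}
ACL_LINE = re.compile(r"(minimum|extended) ACL( default ACL)?")

def parse_secstat(text):
    """Parse `secstat -c` output into one dict per file object."""
    records = []
    # Per the page, each object's output is followed by a blank line.
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        # Header is "<type>: <name>"; split on the first ": " only.
        obj_type, sep, name = lines[0].partition(": ")
        if not sep:
            raise ValueError(f"not a secstat header line: {lines[0]!r}")
        rec = {"type": obj_type, "name": name, "device": None, "mac": None,
               "acl": None, "default_acl": False, "capability": False,
               "required_capability": False, "unknown": []}
        for ln in lines[1:]:
            key = ln.rstrip(".")  # tolerate a trailing period
            acl = ACL_LINE.fullmatch(key)
            if key in MAC_STATES:
                rec["mac"] = key
            elif acl:
                rec["acl"], rec["default_acl"] = acl.group(1), bool(acl.group(2))
            elif key in ("capability", "required capability"):
                rec[key.replace(" ", "_")] = True
            elif "allocable" in key or "allocated" in key:
                rec["device"] = key  # ASSUMPTION: wording is not on the page
            else:
                rec["unknown"].append(ln)  # surface it, never drop silently
        records.append(rec)
    return records

# Constructed sample: the page's two examples plus a made-up directory.
SAMPLE = (
    "directory file: reg_dir\nexplicit MAC label with MAC range\nminimum ACL\n\n"
    "file: reg_file\nMAC range with temporary MAC label\nextended ACL\n\n"
    "directory: made_up_dir\nimplicit MAC label\nminimum ACL default ACL\n"
    "required capability.\n\n"
)

if __name__ == "__main__":
    print(*parse_secstat(SAMPLE), sep="\n")
```

A non-empty "unknown" list in any record means the output contained a line this parser does not model, so review that record by hand.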
DIAGNOSTICS
secstat writes all diagnostic messages to stderr (standard error).
The secstat command exits with one of the following values:
0 The security attribute status of all file objects was
successfully reported.
2 secstat could not access one or more file objects.
3 secstat usage is wrong.
SEE ALSO
dgsecstat(2).
NOTES
It is of little interest to see the security attributes of symbolic
links. These attributes play no role in the trusted access control
policy or mechanism.
The absence of any security attribute that would occupy space in the
ufia (e.g., a file with an implicit MAC label and a minimum ACL) does
not assure that the file has no ufia. There are other entities that
can be placed in the ufia, such as by the dgsetftamattrs(2) system
call, or by site-specific commands or device drivers.
Licensed material--property of copyright holder(s)