secstat(1)               DG/UX B2 Security R4.12MU02              secstat(1)


NAME
       secstat - list security attribute status

SYNOPSIS
       secstat [-alpqr] [-c | -b] object ...

   where:
       object A pathname

DESCRIPTION
       The secstat command displays the status of the security attributes on
       a file object, based upon the information in the file object's
       internal data structures.  The information returned indicates:

       ·  whether a device is allocable or allocated

       ·  whether a file has an implicit or an explicit MAC label, or is
          governed by a range

       ·  whether a regular file that is governed by a range has a temporary
          MAC label

       ·  whether a regular file governed by a permanent MAC label also has
          a MAC range

       ·  whether a file has an extended ACL

       ·  whether a directory has a default ACL

       ·  whether a file has any capability sets

       ·  whether a directory is a multilevel directory parent, a hidden
          directory, or a regular directory

   Options
       -a   Display status information of all files, including those
            beginning with ., when the -r option is selected.

       -b   Display security attribute status information in binary form.

       -c   Display security attribute status information in character
            format (the default).

       -l   If target is a symbolic link, operate on the link.  The default
            behavior is to operate on the object that the link references.

       -p   Display the absolute pathname of the file with all symbolic
            links resolved (assuming the absence of the -l option).

       -q   Do not write diagnostic messages.  The usage error message is
            always written.

       -r   Recursively descend through directory file objects, displaying
            the security attribute status of each file object.

       -c and -b cannot both be specified.

       The user must have MAC read access to an object that does not have a
       governing MAC range to determine its security attributes status, or
       must have appropriate privilege.  If the file object has a MAC range,
       then the invoking process's clearance must dominate the low end of
       the MAC range to receive information about the MAC range.  To
       determine that a directory is an MLD (i.e., the parent directory of
       hidden directories), the user must be in real directory mode.

   Output Format
       If no output format is specified, or -c is specified, then the
       secstat command displays the security attribute status information in
       character format.

       The first line will list the object type (directory, MLD, HD, file,
       pipe), followed by a colon and a space, followed by the object name.

       If the object is an allocable or allocated device, the next line will
       show this status.

       The next line will indicate what the governing MAC entity is
       (explicit MAC label, implicit MAC label, explicit MAC label with MAC
       range, MAC range, MAC range with temporary MAC label).

       The next line indicates whether the file object has a minimum ACL or
       an extended ACL (minimum ACL, extended ACL).  If the file object is a
       directory that has a default ACL, this line also includes a second,
       space-separated field so indicating (default ACL).

       If the object has any capability set besides a required set, the next
       line will read "capability."

       If the object has a required capability set, the next line will read
       "required capability."

       If binary output format is specified (-b), then the secstat command
       displays the object type, followed by a colon, a space, and the
       object name, followed by a colon, a space and the hexadecimal value
       of the secpattrs field (see dgsecstat(2)).  If the object is a
       directory, this information is followed by a space and the
       hexadecimal value of the directory subtype field.

       The output for each object is followed by a blank line.

EXAMPLES
       A directory /regdir has a MAC label and a MAC range but no extended
       ACL.

       $ secstat regdir
       directory file: reg_dir
       explicit MAC label with MAC range
       minimum ACL

       A regular file /regfile is governed by a MAC range, but has a
       temporary MAC label, and it has an extended ACL.

       $ secstat regfile
       file: reg_file
       MAC range with temporary MAC label
       extended ACL

       Both file objects above are specified on the same command line.

       $ secstat regdir regfile
       directory file: reg_dir
       explicit MAC label with MAC range
       minimum ACL

       file: reg_file
       MAC range with temporary MAC label
       extended ACL
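
       Added example (not part of the original manual page): a POSIX shell
       function that parses the character format described under Output
       Format into one tab-separated line per object, which makes a
       secstat -r listing easy to filter during an audit.  The function
       name, the field order and the sample input are assumptions
       constructed here; unrecognized lines, such as the device allocation
       status whose wording the page does not give, land in the last field.

```shell
# Summarize `secstat -c` output read from stdin.
# Output fields (tab-separated, order chosen for this example):
#   name, type, governing MAC entity, ACL kind, default ACL,
#   capability, required capability, other
secstat_summarize() {
    awk '
    BEGIN { RS = ""; FS = "\n"; OFS = "\t" }   # one object per blank-line-separated record
    {
        head = $1
        sub(/^[ \t]+/, "", head)
        sep = index(head, ": ")                # "<object type>: <object name>"
        if (sep == 0) { next }
        type = substr(head, 1, sep - 1)
        name = substr(head, sep + 2)
        mac = "-"; acl = "-"; dacl = "no"; cap = "no"; rcap = "no"; other = "-"
        for (i = 2; i <= NF; i++) {
            line = $i
            sub(/^[ \t]+/, "", line)
            sub(/[ \t.]+$/, "", line)          # tolerate a trailing period
            if (line ~ /MAC (label|range)/) {
                mac = line
            } else if (line ~ /^(minimum|extended) ACL/) {
                acl = (line ~ /^minimum/) ? "minimum ACL" : "extended ACL"
                if (line ~ / default ACL$/) { dacl = "yes" }
            } else if (line == "required capability") {
                rcap = "yes"
            } else if (line == "capability") {
                cap = "yes"
            } else if (line != "") {
                other = line                   # e.g. device allocation status
            }
        }
        print name, type, mac, acl, dacl, cap, rcap, other
    }'
}

# Constructed sample input, modelled on the EXAMPLES above with a default
# ACL and a required capability set added for illustration.
SAMPLE='directory file: reg_dir
explicit MAC label with MAC range
minimum ACL default ACL

file: reg_file
MAC range with temporary MAC label
extended ACL
required capability'

printf '%s\n' "$SAMPLE" | secstat_summarize
```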

DIAGNOSTICS
       Secstat writes all diagnostic messages to stderr (standard error).
       The secstat command exits with one of the following values:

       0   The security attribute status of all file objects was
           successfully reported.

       2   secstat could not access one or more file objects.

       3   secstat usage is wrong.

SEE ALSO
       dgsecstat(2).

NOTES
       It is of little interest to see the security attributes of symbolic
       links.  These attributes play no role in the trusted access control
       policy or mechanism.

       The absence of any security attribute that would occupy space in the
       ufia (e.g., a file with an implicit MAC label and a minimum ACL) does
       not assure that the file has no ufia.  There are other entities that
       can be placed in the ufia, such as by the dgsetftamattrs(2) system
       call, or by site-specific commands or device drivers.


Licensed material--property of copyright holder(s)
