cap_alias_defs(4M) DG/UX B2 Security R4.12MU02 cap_alias_defs(4M)
NAME
capaliasdefs - capability alias definitions
DESCRIPTION
The /etc/tcb/cap/capaliasdefs file contains definitions for
capability list, set and class aliases.
The capaliasdefs file has the following format:

     *SYSTEM
         [*caplist
             [caplistaliases]]
         [*capset
             [capsetaliases]]
         [*capclass
             [capclassaliases]]
     *SITE
         [*caplist
             [caplistaliases]]
         [*capset
             [capsetaliases]]
         [*capclass
             [capclassaliases]]

The file has two separate sections for system-defined and site-
defined capability alias definitions. These sections are denoted by
the markers *SYSTEM and *SITE. The system section must occur before
the site section in the file. Either of these sections may be empty,
but their markers must still be present in the file.
Within each system and site section are the sub-sections *caplist,
*capset and *capclass in which caplist, capset and capclass aliases
are defined respectively. All or none of these sub-sections (and
their markers) can be present, but if they are present, the sub-
sections must occur in the proper order, with the *caplist sub-
section listed first, followed by the *capset sub-section which is
followed by the *capclass section. The smallest valid capaliasdefs
file is

     *SYSTEM
     *SITE

You can include comments anywhere in the file by beginning the line
with a number sign (#).
Aliases are composed of entries that are position dependent and have
the following format:

     name abbrev definition

These fields are separated by spaces or tabs. All entry fields are
case insensitive. The entry fields are:
     name        This is the full name of the alias. The name can contain
                 only alphanumeric characters or the low line (_). It
                 must begin with an alphanumeric character.

     abbrev      This is a short name (abbreviation) for the alias. The
                 abbreviation can contain only alphanumeric characters or
                 the low line (_). It must begin with an alphanumeric
                 character. A minus sign (-) in this field indicates that
                 no abbreviation is defined for this alias.

     definition  The definition of the alias. Definitions can span
                 multiple lines. The definition syntax varies for each
                 alias type (caplist, capset, capclass). Alias
                 definitions can contain other aliases provided that the
                 aliases referenced in the definition have been previously
                 defined.
caplist alias definitions
The simplest form of a caplist alias definition is a numeric
capability value. One range of capability values is reserved for the
system and another for the site. Capability values 1 through 256 are
reserved for system-defined capabilities.
Caplist alias definitions can also be a list of one or more
capability values or caplist aliases. This list must be enclosed in
parentheses. If the caplist is made up of more than one caplist, the
caplists must be separated by commas.
Addition and subtraction of caplists are also allowed. Definitions
using addition and subtraction are of the form

     caplist +|- caplist

where caplist is a valid caplist alias or definition.
There are two predefined caplist aliases:

     all       All the capabilities defined in the database
     none      No capabilities

The following examples are valid caplist alias definitions:

     (1,2,3)
     (DGCAPSETUID, DGCAPCHOWN)
     DGCAPSETUID + DGCAPCHOWN

capset alias definitions
The simplest form which a capset alias definition can take is:

     capsetqualifier : caplist

caplist is any valid caplist alias or definition. capsetqualifier
specifies the capability set. Valid values for capsetqualifier are:

     Capability Set    Qualifier
     bounding          b or bound or bounding
     effective         e or effect or effective
     permitted         p or permit or permitted
     inheritable       i or inherit or inheritable
     required          r or required

The capset qualifiers are case insensitive.
Addition and subtraction between capsets and addition and subtraction
of caplists with capsets are also allowed. Definitions using
addition and subtraction are of the form

     capset +|- capset
     capset +|- caplist

where capset and caplist are valid capset or caplist aliases or
definitions. Both sets must have the same qualifier if they are
added or subtracted.
The following examples are valid capset alias definitions:

     bound:(dgcapchown)
     i:all
     e:(DGCAPSETUID,DGCAPSETGID)+e:(DGCAPCHROOT)

capclass alias definitions
Capclass alias definitions are a list of one or more capset aliases
or definitions. This list must be enclosed in parentheses. If the
capclass is made up of more than one capset, the capsets must be
separated by semicolons.
Addition and subtraction between capclasses and addition and
subtraction of capsets with capclasses are also allowed. Definitions
using addition and subtraction are of the form

     capclass +|- capclass
     capclass +|- capset

where capclass and capset are valid capclass or capset aliases or
definitions. In the case of subtraction, any sets which are not
common to both the first capclass and the second capclass or capset
are ignored.
The following examples are valid capclass alias definitions:

     (b:(2,4,6,8); i:all; p:(DGCAPSETGID,DGCAPSETUID))
     CLASS1 + CLASS2

where CLASS1 and CLASS2 are previously defined capclass aliases.
EXAMPLES
The following is a sample capaliasdefs file:

     *SYSTEM
     *caplist
     DGCAPCHOWN - 1
     DGCAPOBJECTOWNER - 2
     *capset
     SAMPLESET1 ss1 e:(DGCAPCHOWN)
     SAMPLESET2 ss2 e:(DGCAPOBJECTOWNER)
     *SITE
     *capclass
     SITECLASS1 - (SAMPLESET1;
                   SAMPLESET2)
     SITECLASS2 - SAMPLESET1 +
                   permit:(DGCAPCHOWN)

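As an added illustration that is not part of the DG/UX manual or its tools, the following Python resolves a capaliasdefs file by the rules above: it enforces the *SYSTEM/*SITE marker order, joins definitions that span lines, evaluates caplist, capset and capclass definitions including +|- and the capclass subtraction rule, and resolves the sample file from EXAMPLES. Assumptions: "all" is taken as the reserved system range 1 through 256 because the page does not list the database, and a capclass definition that adds capsets with different qualifiers (as SITECLASS2 does) is read as forming a capclass.

```python
import collections, functools, re
QUAL = {s: s[0] for s in "b bound bounding e effect effective p permit permitted i inherit inheritable r required".split()}
ALL = frozenset(range(1, 257))  # constructed: 'all' is resolved over the reserved system range only
ORDER = ["*SYSTEM", "*caplist", "*capset", "*capclass", "*SITE", "*caplist", "*capset", "*capclass"]
SAMPLE = ("*SYSTEM\n*caplist\nDGCAPCHOWN - 1\nDGCAPOBJECTOWNER - 2\n*capset\nSAMPLESET1 ss1 e:(DGCAPCHOWN)\n"
          "SAMPLESET2 ss2 e:(DGCAPOBJECTOWNER)\n*SITE\n*capclass\nSITECLASS1 - (SAMPLESET1;\nSAMPLESET2)\n"
          "SITECLASS2 - SAMPLESET1 +\npermit:(DGCAPCHOWN)\n")  # the sample file from the EXAMPLES section
def combine(op, a, b):  # values: caplist=frozenset, capset=(qual, frozenset), capclass={qual: frozenset}
    f = (lambda x, y: x | y) if op == "+" else (lambda x, y: x - y)
    if isinstance(a, dict):  # capclass +/- (capclass | capset); on '-' sets not in both operands are ignored
        pairs = b.items() if isinstance(b, dict) else [b]
        return {**a, **{q: f(a.get(q, frozenset()), s) for q, s in pairs if q in a or op == "+"}}
    if isinstance(a, tuple):  # capset +/- (capset | caplist); differing qualifiers only combine as a capclass
        if isinstance(b, tuple) and a[0] != b[0]: return combine(op, {a[0]: a[1]}, b)
        return (a[0], f(a[1], b[1] if isinstance(b, tuple) else b))
    return f(a, b)  # caplist +/- caplist

class Parser:  # recursive-descent evaluator for one definition field; alias names are case-insensitive
    def __init__(self, text, aliases):
        self.t, self.al = collections.deque(re.findall(r"\w+|[();:,+-]", text)), aliases
    def expr(self):  # term (('+'|'-') term)*
        v = self.term()
        while self.t and self.t[0] in ("+", "-"): v = combine(self.t.popleft(), v, self.term())
        return v
    def term(self):  # number | alias | qualifier ':' term | '(' expr ((','|';') expr)* ')'
        if (tok := self.t.popleft()) == "(":  # (a, b) lists a caplist; (s1; s2) lists a capclass
            items = [self.expr()]
            while self.t and self.t[0] in (",", ";"): self.t.popleft(); items.append(self.expr())
            if not self.t or self.t.popleft() != ")": raise ValueError("unbalanced parentheses")
            if isinstance(items[0], frozenset): return frozenset().union(*items)
            return functools.reduce(lambda acc, it: combine("+", acc, it), items, {})
        if tok.isdigit(): return frozenset([int(tok)])
        if self.t and self.t[0] == ":": self.t.popleft(); return (QUAL[tok.lower()], self.term())
        return self.al[tok.upper()]  # an alias must have been defined earlier in the file

def load(text):  # check section order, join multi-line entries, resolve each alias -> {NAME: value}
    al, entries, pos, kind = {"ALL": ALL, "NONE": frozenset()}, [], 0, None
    for line in [l.strip() for l in text.splitlines() if l.strip() and l.lstrip()[0] != "#"]:
        if line[0] == "*":  # marker: *SYSTEM first, then *SITE, sub-sections in fixed order, none skipped
            if line not in ORDER[pos:] or {"*SYSTEM", "*SITE"} & set(ORDER[pos:ORDER.index(line, pos)]):
                raise ValueError("section marker missing or out of order: " + line)
            pos, kind = ORDER.index(line, pos) + 1, line
        elif entries and (entries[-1][1].count("(") > entries[-1][1].count(")") or entries[-1][1][-1] in "+-"):
            entries[-1][1] += " " + line  # unbalanced '(' or trailing operator: the definition continues here
        else: entries.append([kind, line])
    for kind, (name, abbrev, defn) in ((k, e.split(None, 2)) for k, e in entries):
        val = Parser(defn, al).expr()
        if kind == "*capclass" and isinstance(val, tuple): val = combine("+", {}, val)  # one-set capclass
        for key in ([name] if abbrev == "-" else [name, abbrev]): al[key.upper()] = val  # '-': no abbreviation
    return al
```

load(SAMPLE) yields SITECLASS1 as {"e": {1, 2}} and SITECLASS2 as {"e": {1}, "p": {1}}; a file whose *SITE marker precedes *SYSTEM, or whose sub-sections are out of order, is rejected with ValueError.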
FILES
     /etc/tcb/cap/capaliasdefs         default capability alias
                                       definitions file
     /etc/tcb/cap/capaliasdefs.proto   prototype capability alias
                                       definitions file
SEE ALSO
aliasck(1M), caplibrary(3).
Licensed material--property of copyright holder(s)