
cap_alias_defs(4M)       DG/UX B2 Security R4.12MU02      cap_alias_defs(4M)


NAME
       capaliasdefs - capability alias definitions

DESCRIPTION
       The /etc/tcb/cap/capaliasdefs file contains definitions for
       capability list, set and class aliases.

       The capaliasdefs file has the following format:

                 *SYSTEM
                 [*caplist
                 [caplistaliases]]
                 [*capset
                 [capsetaliases]]
                 [*capclass
                 [capclassaliases]]
                 *SITE
                 [*caplist
                 [caplistaliases]]
                 [*capset
                 [capsetaliases]]
                 [*capclass
                 [capclassaliases]]

       The file has two separate sections for system-defined and site-
       defined capability alias definitions.  These sections are denoted by
       the markers *SYSTEM and *SITE.  The system section must occur before
       the site section in the file.  Either of these sections may be empty,
       but their markers must still be present in the file.

       Within each system and site section are the sub-sections *caplist,
       *capset and *capclass in which caplist, capset and capclass aliases
       are defined respectively.  All or none of these sub-sections (and
       their markers) can be present, but if they are present, the sub-
       sections must occur in the proper order, with the *caplist sub-
       section listed first, followed by the *capset sub-section which is
       followed by the *capclass section.  The smallest valid capaliasdefs
       file is

                *SYSTEM
                *SITE

       You can include comments anywhere in the file by beginning the line
       with a number sign (#).

       Aliases are composed of entries that are position dependent and have
       the following format:

              name    abbrev    definition

       These fields are separated by spaces or tabs.  All entry fields are
       case insensitive.  The entry fields are:

       name        This is the full name of the alias.  The name can contain
                   only alphanumeric characters or the low line (_).  It
                   must begin with an alphanumeric character.

       abbrev      This is a short name (abbreviation) for the alias.  The
                   abbreviation can contain only alphanumeric characters or
                   the low line (_).  It must begin with an alphanumeric
                   character.  A minus sign (-) in this field indicates that
                   no abbreviation is defined for this alias.

       definition  The definition of the alias.  Definitions can span
                   multiple lines.  The definition syntax varies for each
                   alias type (caplist, capset, capclass).  Alias
                   definitions can contain other aliases provided that the
                   aliases referenced in the definition have been previously
                   defined.

   caplist alias definitions
       The simplest form of a caplist alias definition is a numeric
       capability value.  One range of capability values is reserved for
       the system and another for the site.  Capability values 1 through
       256 are reserved for system-defined capabilities.

       Caplist alias definitions can also be a list of one or more
       capability values or caplist aliases.  This list must be enclosed in
       parentheses.  If the caplist is made up of more than one caplist, the
       caplists must be separated by commas.

       Addition and subtraction of caplists are also allowed.  Definitions
       using addition and subtraction are of the form

              caplist +|- caplist

       where caplist is a valid caplist alias or definition.

       There are two predefined caplist aliases:
              all    All the capabilities defined in the database
              none   No capabilities

       The following examples are valid caplist alias definitions:

              (1,2,3)
              (DGCAPSETUID, DGCAPCHOWN)
              DGCAPSETUID + DGCAPCHOWN
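
       The caplist rules above (numeric values, parenthesized comma lists,
       addition and subtraction, and aliases usable only after they are
       defined) are shown here as an added Python example; it is not DG/UX
       code.  It assumes left-to-right evaluation and that "all" means every
       alias defined so far; SITE_PAIR and SITE_ONE are hypothetical names.

```python
import re

TOKEN = re.compile(r"[A-Za-z0-9_]+|[()+,-]")

def resolve(definition, aliases):
    """Expand a caplist definition to a set of capability numbers."""
    tokens = TOKEN.findall(definition) + [""]      # "" marks the end
    if "".join(tokens) != "".join(definition.split()):
        raise ValueError("unexpected character in definition")
    # Assumption: "all" is the union of every alias defined so far.
    known = dict(aliases, all=set().union(*aliases.values()), none=set())
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def term():
        tok = take()
        if tok == "(":                              # (item, item, ...)
            caps, nxt = expr(), take()
            while nxt == ",":
                caps, nxt = caps | expr(), take()
            if nxt != ")":
                raise ValueError("expected ',' or ')'")
            return caps
        if tok.isdigit():                           # numeric capability value
            return {int(tok)}
        if tok.lower() not in known:                # forward reference or typo
            raise ValueError("not defined before use: %r" % tok)
        return set(known[tok.lower()])
    def expr():                                     # left to right (assumed)
        caps = term()
        while tokens[pos] in ("+", "-"):
            op, rhs = take(), term()
            caps = caps | rhs if op == "+" else caps - rhs
        return caps
    caps = expr()
    if tokens[pos] != "":
        raise ValueError("unexpected text after definition")
    return caps

# Constructed entries; values 1 and 2 match the page's sample file.
ENTRIES = [("DGCAPCHOWN", "1"), ("DGCAPOBJECTOWNER", "2"),
           ("SITE_PAIR", "(DGCAPCHOWN, DGCAPOBJECTOWNER)"),
           ("SITE_ONE", "SITE_PAIR - DGCAPOBJECTOWNER")]
ALIASES = {}
for name, definition in ENTRIES:                    # file order matters
    ALIASES[name.lower()] = resolve(definition, ALIASES)
```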

   capset alias definitions
       The simplest form which a capset alias definition can take is:

                   capsetqualifier : caplist

       caplist is any valid caplist alias or definition.  capsetqualifier
       specifies the capability set.  Valid values for capsetqualifier are:

              Capability Set   Qualifier
              bounding         b or bound or bounding
              effective        e or effect or effective
              permitted        p or permit or permitted
              inheritable      i or inherit or inheritable
              required         r or required

       The capset qualifiers are case insensitive.

       Addition and subtraction between capsets and addition and subtraction
       of caplists with capsets are also allowed.  Definitions using
       addition and subtraction are of the form

              capset +|- capset
              capset +|- caplist

       where capset and caplist are valid capset or caplist aliases or
       definitions.  Both sets must have the same qualifier if they are
       added or subtracted.

       The following examples are valid capset alias definitions:

              bound:(dgcapchown)
              i:all
              e:(DGCAPSETUID,DGCAPSETGID)+e:(DGCAPCHROOT)

   capclass alias definitions
       Capclass alias definitions are a list of one or more capset aliases
       or definitions.  This list must be enclosed in parentheses.  If the
       capclass is made up of more than one capset, the capsets must be
       separated by semicolons.

       Addition and subtraction between capclasses and addition and
       subtraction of capsets with capclasses are also allowed.  Definitions
       using addition and subtraction are of the form

                   capclass +|- capclass
                   capclass +|- capset

       where capclass and capset are valid capclass or capset aliases or
       definitions.  In the case of subtraction, any sets which are not
       common to both the first capclass and the second capclass or capset
       are ignored.

       The following examples are valid capclass alias definitions:

              (b:(2,4,6,8); i:all; p:(DGCAPSETGID,DGCAPSETUID))
              CLASS_1 + CLASS_2

       where CLASS_1 and CLASS_2 are previously defined capclass aliases.

EXAMPLES
       The following is a sample capaliasdefs file:

              *SYSTEM
              *caplist
              DGCAPCHOWN          -        1
              DGCAPOBJECTOWNER   -        2
              *capset
              SAMPLESET1         ss1       e:(DGCAPCHOWN)
              SAMPLESET2         ss2       e:(DGCAPOBJECTOWNER)
              *SITE
              *capclass
              SITECLASS1          -        (SAMPLESET1;
                                              SAMPLESET2)
              SITECLASS2          -        SAMPLESET1 +
                                             permit:(DGCAPCHOWN)
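
       The structural rules in DESCRIPTION (both section markers present
       and in order, sub-sections in order, comment lines, and the name and
       abbrev syntax) can be checked as in this added Python example, which
       is not DG/UX code and not the aliasck(1M) utility.  It assumes that
       markers are matched exactly as printed and that a definition
       continues onto the next line while a parenthesis is open or the line
       ends in + or -.

```python
import re

MARKERS = ["*SYSTEM", "*SITE"]        # matched exactly as printed (assumption)
SUBSECTIONS = ["*caplist", "*capset", "*capclass"]
IDENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]*\Z")

def scan(fragment, depth):
    """Assumed continuation rule: open parenthesis or trailing + / -."""
    depth += fragment.count("(") - fragment.count(")")
    return depth, depth > 0 or fragment.rstrip().endswith(("+", "-"))

def check(text):
    """Return [(line_number, message)]; an empty list means no findings."""
    problems, seen, sub, depth, pending = [], [], -1, 0, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank line or comment
        if line in MARKERS:
            seen.append(line)
            if seen != MARKERS[:len(seen)]:
                problems.append((n, "section marker out of order: " + line))
            sub, pending = -1, False
        elif line in SUBSECTIONS:
            idx = SUBSECTIONS.index(line)
            if not seen or idx <= sub:
                problems.append((n, "sub-section out of order: " + line))
            sub, pending = idx, False
        elif pending:                             # rest of a multi-line definition
            depth, pending = scan(line, depth)
        else:
            fields = line.split(None, 2)
            if sub < 0 or len(fields) < 3:
                problems.append((n, "expected 'name abbrev definition'"))
                continue
            name, abbrev, definition = fields
            if not IDENT.match(name):
                problems.append((n, "bad alias name: " + name))
            if abbrev != "-" and not IDENT.match(abbrev):
                problems.append((n, "bad abbreviation: " + abbrev))
            depth, pending = scan(definition, 0)
    if seen in ([], ["*SYSTEM"]):                 # a marker never appeared
        problems.append((0, "both *SYSTEM and *SITE markers are required"))
    return problems

# Constructed sample, abridged from the sample file shown above.
SAMPLE = ("*SYSTEM\n*caplist\nDGCAPCHOWN - 1\n*capset\nSAMPLESET1 ss1 e:(DGCAPCHOWN)\n"
          "*SITE\n*capclass\nSITECLASS2 - SAMPLESET1 +\n    permit:(DGCAPCHOWN)\n")
print(check(SAMPLE))
```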

FILES
       /etc/tcb/cap/capaliasdefs        default capability alias
                                          definitions file
       /etc/tcb/cap/capaliasdefs.proto  prototype capability alias
                                          definitions file

SEE ALSO
       aliasck(1M), caplibrary(3).


Licensed material--property of copyright holder(s)