authcap(F) — OpenDesktop 3.0.0


 authcap(F)                      19 June 1992                      authcap(F)


 Name

    authcap - authentication database

 Description

    The database contains authentication and identity information for users,
    kernels, and Trusted Computing Base files, as well as system-wide
    parameters.  It is intended to be used by programs to interrogate user
    and system values, as well as by authentication programs to update that
    information.

    Structure of the hierarchies

    The complete database resides in two hierarchies:  /tcb/files/auth and
    /etc/auth.  The first hierarchy deals with user-specific files, and has
    one-letter subdirectories, each named for the starting letter of a user
    name.  Within each of these directories are files, one per user, each in
    authcap(F) format.  Thus, all user names beginning with x have their
    respective authentication and identity information in a file in the
    directory /tcb/files/auth/x.

    The directories within /etc/auth contain system-wide information.  The
    global system settings reside in the /etc/auth/system directory.  The
    subsystem authorizations associated with each protected subsystem (a
    protected subsystem is privileged but does not require global authority
    to perform actions) are located in the /etc/auth/subsystems directory.

    The following database files are contained in the system directory:

       default         Default Control
       files           File Control
       ttys            Terminal Control
       authorize       Primary and Secondary Authorization Control File
       devassign       Device Assignment

    A subsystem filename is the group name associated with the protected
    subsystem.  The owner of all files is auth and the group is the group of
    the subsystem.  Only the owner and group of this file may view the
    contents.  The file dflt_users lists the users granted default subsystem
    authorizations.

    Format of a file

    Each data file in the hierarchy, whether system-wide or user-specific,
    has the same format.  Each user file consists of one virtual line,
    optionally split into multiple physical lines with the ``\'' character
    present at the very end of all lines but the last.  For instance, the
    line

    blf:u_name=blf:u_id#16:u_encrypt=a78/a1.eitfn6:u_type=sso:chkent:

    may be split into:

    blf:u_name=blf:u_id#16:\
            :u_encrypt=a78/a1.eitfn6:\
            :u_type=sso:chkent:

    Note that all capabilities must be immediately preceded and followed with
    the ``:'' separator;  multiple line entries require additional ones - one
    more per line.  Multiple entries are separated by a newline:

    drb:u_name=drb:u_id#75:u_maxtries#9:u_type=general:chkent:
    blf:u_name=blf:u_id#76:u_maxtries#5:u_type=general:chkent:

    For subsystem files, the file is a set of lines, each containing a user
    name terminated by a colon, followed by a comma-separated list of primary
    and secondary authorizations defined for that subsystem.

    Format of a line

    The format of a line (except for subsystem files) is briefly as follows:

    name|alt name(s)|description:cap1:cap2:cap3:...:capn:chkent:

    The entry can be referenced by the name or any of the alternate names.  A
    description field may document the entry.  The entry name(s) and
    description are separated by the ``|'' character.  The end of the
    name/description part of the entry is terminated by the ``:'' character.
    Alternate names and the description fields are optional.

    At the end of each entry is the ``chkent'' field.  This is used as an
    integrity check on each entry.  The authcap(S) routines will reject all
    entries that do not have ``chkent'' at the very end.

    Each entry has 0 or more capabilities, each terminated with the ``:''
    character.  Each capability has a unique name. Numeric capabilities have
    the format:

    id#num

    where num is a decimal or (0 preceded) octal number.  Boolean
    capabilities have the format:

    id  or  id@

    where the first form signals the presence of the capability and the
    second form signals the absence of the capability.  String capabilities
    have the format:

    id=string

    where string is 0 or more characters.  The ``\'' and ``:'' characters are
    escaped as ``\\'' and ``\:'' respectively.  Although it is not
    recommended, the same id may be used for different numeric, boolean, and
    string capabilities.
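    As an added worked example (not SCO's authcap(S) library), the following
    Python parser implements the file and line formats described above: it
    joins backslash-continued physical lines into one virtual line, splits on
    unescaped ``:'' while decoding the ``\:'' and ``\\'' escapes, decodes
    numeric (decimal or 0-preceded octal), boolean and string capabilities,
    rejects any entry that does not end in chkent, and indexes each entry
    under its name and alternate names.  The sample data is constructed;
    treating the last ``|''-separated part as the description is an
    assumption.

```python
import re
# Constructed sample: the page's split 'blf' entry, an entry with alias,
# description, escaped ':' and absent boolean, and one that lacks chkent.
SAMPLE = r"""blf:u_name=blf:u_id#16:\
        :u_encrypt=a78/a1.eitfn6:\
        :u_type=sso:chkent:
drb|dan|Dan R. B.:u_name=drb:u_id#75:u_lock@:u_pwd=a\:b:chkent:
bad:u_name=bad:u_id#0100:
"""
FIELD_RE = re.compile(r'((?:\\.|[^:\\])*):')             # body up to unescaped ':'
CAP_RE = re.compile(r'^([^#=@]+)(?:#(.+)|=(.*)|(@))?$')  # id#num, id=str, id, id@

def split_fields(vline):
    """Fields ending in unescaped ':', escapes decoded, empties from '::' dropped."""
    return [re.sub(r'\\(.)', r'\1', f) for f in FIELD_RE.findall(vline) if f]

def parse_capability(field):
    """Return (id, value): int for '#', str for '=', bool for 'id' / 'id@'."""
    m = CAP_RE.match(field)
    if not m:
        raise ValueError('malformed capability: %r' % field)
    ident, num, string, absent = m.groups()
    if num is not None:                   # decimal, or octal when 0-preceded
        return ident, int(num, 8) if num.startswith('0') else int(num)
    return ident, string if string is not None else absent is None  # '@' -> False

def parse_entry(vline):
    """Parse one virtual line; None when the trailing chkent check fails."""
    fields = split_fields(vline)
    if len(fields) < 2 or fields[-1] != 'chkent':
        return None
    names = fields[0].split('|')  # assumption: last '|' part is the description
    return {'name': names[0], 'aliases': names[1:-1],
            'description': names[-1] if len(names) > 1 else '',
            'caps': dict(parse_capability(f) for f in fields[1:-1])}

def parse_authcap(text):
    """Join '\\'-continued physical lines, parse entries, index by every name."""
    entries, index, vline = [], {}, ''
    for phys in text.splitlines():
        part = phys.lstrip() if vline else phys   # continuation indent is cosmetic
        if part.endswith('\\'):
            vline += part[:-1]
            continue
        if entry := parse_entry(vline + part):
            entries.append(entry)
            for n in [entry['name']] + entry['aliases']:
                index[n] = entry
        vline = ''
    return entries, index
```

    Entries that fail the chkent check are dropped, which mirrors the
    rejection rule stated for the authcap(S) routines.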

 See also

    getprpwent(S), getdvagent(S), getprtcent(S), getprfient(S)

 Value added

    authcap is an extension of AT&T System V provided by The Santa Cruz
    Operation, Inc.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026