authcap(F)                      19 June 1992                        authcap(F)

Name

   authcap - authentication database

Description

   The database contains authentication and identity information for users,
   kernels, and Trusted Computing Base files as well as system-wide
   parameters. It is intended to be used by programs to interrogate user and
   system values, as well as by authentication programs to update that
   information.

   Structure of the hierarchies

   The complete database resides in two hierarchies: /tcb/files/auth and
   /etc/auth. The first hierarchy deals with user-specific files, and has
   subdirectories of one letter, each of which is the starting letter of a
   user name. Within each of these directories are files, each containing an
   authcap(F) format file for a particular user. Thus, all user names
   beginning with x have their respective authentication and identity
   information in a file in directory /tcb/files/auth/x.

   The directories within /etc/auth contain system-wide information. The
   global system settings reside in the /etc/auth/system directory. The
   subsystem authorizations associated with each protected subsystem (a
   protected subsystem is privileged but does not require global authority to
   perform actions) are located in the /etc/auth/subsystems directory.

   The following database files are contained in the system directory:

      default     Default Control
      files       File Control
      ttys        Terminal Control
      authorize   Primary and Secondary Authorization Control File
      devassign   Device Assignment

   A subsystem filename is the group name associated with the protected
   subsystem. The owner of all files is auth and the group is the group of
   the subsystem. Only the owner and group of this file may view the
   contents. The file dflt_users lists the users granted default subsystem
   authorizations.

   Format of a file

   Each data file in the hierarchy, whether system-wide or user-specific, has
   the same format.

   Each user file consists of one virtual line, optionally split into
   multiple physical lines with the ``\'' character present at the very end
   of all lines but the last. For instance, the line

      blf:u_name=blf:u_id#16:u_encrypt=a78/a1.eitfn6:u_type=sso:chkent:

   may be split into:

      blf:u_name=blf:u_id#16:\
      :u_encrypt=a78/a1.eitfn6:\
      :u_type=sso:chkent:

   Note that all capabilities must be immediately preceded and followed by
   the ``:'' separator; multiple line entries require additional ones, one
   more per line. Multiple entries are separated by a newline:

      drb:u_name=drb:u_id#75:u_maxtries#9:u_type=general:chkent:
      blf:u_name=blf:u_id#76:u_maxtries#5:u_type=general:chkent:

   For subsystem files, the file is a set of lines, each containing a user
   name terminated by a colon, followed by a comma-separated list of primary
   and secondary authorizations defined for that subsystem.

   Format of a line

   The format of a line (except for subsystem files) is briefly as follows:

      name|alt name(s)|description:cap1:cap2:cap3:...:capn:chkent:

   The entry can be referenced by the name or any of the alternate names. A
   description field may document the entry. The entry name(s) and
   description are separated by the ``|'' character. The end of the
   name/description part of the entry is terminated by the ``:'' character.
   Alternate names and the description fields are optional.

   At the end of each entry is the ``chkent'' field. This is used as an
   integrity check on each entry. The authcap(S) routines will reject all
   entries that do not have ``chkent'' at the very end.

   Each entry has 0 or more capabilities, each terminated with the ``:''
   character. Each capability has a unique name. Numeric capabilities have
   the format:

      id#num

   where num is a decimal number or, when preceded by 0, an octal number.
   Boolean capabilities have the format:

      id

   or

      id@

   where the first form signals the presence of the capability and the
   second form signals the absence of the capability.

   String capabilities have the format:

      id=string

   where string is 0 or more characters. The ``\'' and ``:'' characters are
   escaped as ``\\'' and ``\:'' respectively. Although it is not recommended,
   the same id may be used for different numeric, boolean, and string
   capabilities.

See also

   getprpwent(S), getdvagent(S), getprtcent(S), getprfient(S)

Value added

   authcap is an extension of AT&T System V provided by The Santa Cruz
   Operation, Inc.
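   The following parser for the entry format described under "Format of a
   line" is an added example, not SCO's authcap(S) code: it joins
   continuation lines, splits fields on unescaped ``:'', decodes the
   numeric, boolean and string capability forms and rejects any entry that
   does not end in chkent. The manual does not say how ``name|x'' with only
   two fields is read, so the assumption made (the last field is the
   description only when three or more are present) is marked in a comment;
   the third sample entry is constructed to exercise escaping and octal.

```python
import re

# Sample file: the first two entries are the manual's own examples (one split
# across physical lines), the third is a constructed entry exercising escapes.
AUTHCAP_SAMPLE = r"""blf:u_name=blf:u_id#16:\
:u_encrypt=a78/a1.eitfn6:\
:u_type=sso:chkent:
drb:u_name=drb:u_id#75:u_maxtries#9:u_type=general:chkent:
demo|dm|constructed entry:u_id#010:u_lock@:u_pw=a\:b\\c:chkent:
"""

def join_virtual_lines(text):
    """Join physical lines ending in '\\' into one virtual line per entry."""
    return [e for e in text.replace("\\\n", "").splitlines() if e]

def split_fields(line):
    """Split on unescaped ':'; the '\\:' and '\\\\' escapes are left intact."""
    return re.findall(r"((?:\\.|[^:\\])*):", line + ":")

def parse_capability(cap):
    """'id=str' -> string, 'id#num' -> int (octal if 0-prefixed), 'id@' -> False, 'id' -> True."""
    if "=" in cap:
        cid, val = cap.split("=", 1)
        return cid, re.sub(r"\\([\\:])", r"\1", val)   # undo \\ and \: escapes
    if "#" in cap:
        cid, num = cap.split("#", 1)
        return cid, int(num, 8) if num.startswith("0") else int(num, 10)
    if cap.endswith("@"):
        return cap[:-1], False
    return cap, True

def parse_entry(line):
    """Parse one virtual line; reject it, as authcap(S) does, unless it ends in chkent."""
    fields = split_fields(line)
    caps = [f for f in fields[1:] if f != ""]      # continuation lines add empty fields
    if fields[-1] != "" or not caps or caps[-1] != "chkent":
        raise ValueError("entry without terminating chkent: %r" % line)
    names = fields[0].split("|")   # assumption: with 3+ '|' fields the last is the description
    has_desc = len(names) > 2
    entry = {"name": names[0], "aliases": names[1:-1] if has_desc else names[1:],
             "description": names[-1] if has_desc else "", "caps": {}}
    for cap in caps[:-1]:
        cid, val = parse_capability(cap)
        entry["caps"][cid] = val   # reusing an id across types is allowed but overwrites here
    return entry

def parse_authcap(text):
    return [parse_entry(e) for e in join_virtual_lines(text)]
```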