subsystems(S)                 6 January 1993                 subsystems(S)

Name
     subsystems - manipulation routines for Subsystems database

Syntax
     cc . . . -lprot -lx

     int authorized_user (auth)
     char *auth;

     int primary_auth (name)
     char *name;

     char *primary_of_secondary_auth (name)
     char *name;

     int secondary_auth (name)
     char *name;

     int total_auths ()

     int widest_auth ()

     int write_authorizations (user, auth_list, list_len)
     char *user;
     char **auth_list;
     int list_len;

Description
     These routines manipulate and refer to the Subsystems database, which
     is extracted from the Protected Password entries for all users. The
     Subsystems database stores primary and secondary authorizations for
     users with respect to protected subsystems on the Security Module
     Package. A protected subsystem is associated with a special group and
     provides some service to users. It is called protected because all its
     programs run SGID to that group, and the files and devices that the
     subsystem references are accessible only to that group, and therefore
     only through the protected subsystem's programs.

     A primary authorization for a protected subsystem allows a user to
     assume the administrator role for that subsystem. The primary
     authorization name is the group name whose effective identity is used
     by the subsystem programs to protect subsystem files. If a user
     possesses a primary authorization for a subsystem, he/she can do all
     actions within that subsystem. The list of primary authorizations is
     as follows:

     audit      Audit administrator.

     auth       Authentication database administrator.

     backup     Backup and file system maintenance administrator.

     cron       Cron subsystem administrator (at, batch, crontab).

     lp         Line printer spooling subsystem administrator.

     mem        Authorization to view information about other users
                (memory devices).

     sysadmin   System administrator functions that require root
                privilege.

     terminal   The authorization to send unfiltered information between
                user terminals.

     uucp       The ability to run uucp (not currently supported).
     A secondary authorization allows finer-grained operations within
     protected subsystems. These authorizations are often granted either to
     specific users or to the entire user community by appropriate setup of
     user Protected Password entries and the Defaults database. Each
     secondary authorization is associated with exactly one protected
     subsystem, and only allows operations with respect to that subsystem.
     The secondary authorizations are as follows:

     printqueue   Authorization to see other users' jobs in the print
                  queues (lp).

     printerstat  Authorization to change printer status with the
                  enable(C) and disable(C) commands (lp).

     queryspace   Authorization to use df(C) to query file system space
                  (backup).

     The authorized_user routine returns non-zero if the login user ID
     associated with the current process has the specified authorization in
     the subsystem that is currently running. This subsystem is identified
     by the effective group under which the program began execution. The
     primary authorization for any subsystem grants all secondary
     authorizations for that subsystem.

     The rest of the routines are for programs that manipulate user entries
     directly, or that have to validate authorizations input by users. They
     may not be supported in future releases of the SMP.

     The primary_auth routine maps a primary authorization name to a bit
     offset in a mask. This is used for checking a user's authorizations
     against the Protected Password entry. The primary_of_secondary_auth
     routine returns the primary authorization name associated with the
     secondary authorization. The primary authorization name is also the
     subsystem name in which the secondary authorization is recognized. The
     secondary_auth routine maps a secondary authorization to a bit offset.
     The total_auths routine returns the number of primary and secondary
     authorizations recognized by the system. The widest_auth routine
     returns the length of the longest string name of any authorization.
     The write_authorizations routine updates the Subsystems database for a
     given user. It takes list_len authorizations from the auth_list array
     of string pointers and associates those authorizations with the given
     user. If the first character string pointer references the string
     "default", the user is given default authorizations. This routine is
     used by the screen-oriented routine which updates the user's Protected
     Password entry, and then must propagate the user's authorizations to
     the Subsystems database.

Diagnostics
     The authorized_user routine returns non-zero if the user possesses the
     specified authorization, otherwise zero.

     The total_auths routine returns the sum of the number of primary
     authorizations and the number of secondary authorizations recognized
     by the system.

     The widest_auth routine returns the length of the longest string name
     of an authorization. This length does not include the trailing null
     character.

     Both primary_auth and secondary_auth return a negative value if the
     authorization name is not supported; otherwise, they return the bit
     offset of the authorization. The Protected Password database stores
     both types of authorizations in the same mask.

     The primary_of_secondary_auth routine returns a pointer to a static
     area containing the primary authorization name associated with the
     secondary authorization. The string must be copied if it is to be
     modified.

     The write_authorizations routine returns 0 on success, non-zero on
     permission failures, I/O errors, etc.

See also
     getprpwent(S)

Standards conformance
     subsystems is not part of any currently supported standard; it is an
     extension of AT&T System V provided by the Santa Cruz Operation.
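The following is an added example, not code from the manual page or from libprot. It is a self-contained model of the authorization mask that the Description and Diagnostics sections describe: names map to bit offsets in a single mask, a secondary authorization is only recognized inside its own subsystem, and a subsystem's primary authorization implies every secondary authorization of that subsystem. The authorization names and the `printqueue`/`printerstat`/`queryspace` subsystem assignments come from the page; the `model_*` function names, the bit layout (table index as bit offset) and the contents of the "default" set are assumptions of the model, not the library's actual behaviour.

```c
/* Model of the subsystems(S) authorization mask. Added example; the
 * model_* names, the bit layout and the default set are assumptions. */
#include <stdio.h>
#include <string.h>

struct auth_entry {
    const char *name;       /* authorization name as listed on the page  */
    const char *subsystem;  /* primary authorization (group) it belongs to */
    int primary;            /* 1 = primary authorization, 0 = secondary   */
};

/* Authorization names from the page; the bit offset of each entry is its
 * index in this table (an assumption of the model, not libprot's layout). */
static const struct auth_entry auth_table[] = {
    { "audit",       "audit",    1 }, { "auth",     "auth",     1 },
    { "backup",      "backup",   1 }, { "cron",     "cron",     1 },
    { "lp",          "lp",       1 }, { "mem",      "mem",      1 },
    { "sysadmin",    "sysadmin", 1 }, { "terminal", "terminal", 1 },
    { "uucp",        "uucp",     1 },
    { "printqueue",  "lp",       0 }, { "printerstat", "lp",    0 },
    { "queryspace",  "backup",   0 },
};
#define AUTH_COUNT ((int)(sizeof auth_table / sizeof auth_table[0]))

/* Constructed default set used when auth_list[0] is "default". */
static const char *default_auths[] = { "printqueue", "queryspace" };

/* Name -> bit offset for one kind of authorization, or -1 if unsupported
 * (the role of primary_auth() with want_primary=1, secondary_auth() with 0). */
int model_auth_offset(const char *name, int want_primary)
{
    int i;
    for (i = 0; i < AUTH_COUNT; i++)
        if (auth_table[i].primary == want_primary &&
            strcmp(auth_table[i].name, name) == 0)
            return i;
    return -1;
}

int model_total_auths(void) { return AUTH_COUNT; }

/* Longest authorization name, not counting the trailing null character. */
int model_widest_auth(void)
{
    int i, widest = 0;
    for (i = 0; i < AUTH_COUNT; i++) {
        int len = (int)strlen(auth_table[i].name);
        if (len > widest) widest = len;
    }
    return widest;
}

/* Subsystem in which a secondary authorization is recognized, else NULL. */
const char *model_primary_of_secondary(const char *name)
{
    int off = model_auth_offset(name, 0);
    return off < 0 ? NULL : auth_table[off].subsystem;
}

/* Mask that write_authorizations() would store for a user: one bit per
 * listed name; a leading "default" substitutes the default set. Returns 0
 * on success, non-zero if any name is unsupported (mask left partial). */
int model_build_mask(const char **list, int len, unsigned long *mask)
{
    int i;
    *mask = 0;
    if (len > 0 && strcmp(list[0], "default") == 0) {
        list = default_auths;
        len = (int)(sizeof default_auths / sizeof default_auths[0]);
    }
    for (i = 0; i < len; i++) {
        int off = model_auth_offset(list[i], 1);
        if (off < 0) off = model_auth_offset(list[i], 0);
        if (off < 0) return 1;
        *mask |= 1UL << off;
    }
    return 0;
}

/* The authorized_user() decision: 'subsystem' is the group the program runs
 * SGID to. An authorization counts only inside its own subsystem, and that
 * subsystem's primary authorization grants all of its secondary ones. */
int model_authorized(unsigned long mask, const char *subsystem, const char *auth)
{
    int off = model_auth_offset(auth, 1), prim;
    if (off < 0) off = model_auth_offset(auth, 0);
    if (off < 0 || strcmp(auth_table[off].subsystem, subsystem) != 0)
        return 0;
    prim = model_auth_offset(subsystem, 1);
    if (prim >= 0 && (mask & (1UL << prim)))
        return 1;
    return (mask & (1UL << off)) != 0;
}

int main(void)
{
    unsigned long m;
    const char *list[] = { "lp" };           /* constructed user entry */
    model_build_mask(list, 1, &m);
    printf("lp admin may see print queue: %d\n", model_authorized(m, "lp", "printqueue"));
    printf("lp admin may query space:     %d\n", model_authorized(m, "backup", "queryspace"));
    return 0;
}
```

The point a practitioner should take from the model is the scoping rule: a program checks an authorization against the subsystem it is actually running in (its SGID group), so a `printqueue` bit is meaningless to a program running as the `backup` group, and an unsupported name never silently becomes a granted bit because the lookup returns a negative offset that is rejected before the mask is touched.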