SUBSYSTEMS(S) UNIX System V SUBSYSTEMS(S)
Name
subsystems - manipulation routines for Subsystems database
Syntax
int authorized_user (auth)
char *auth;
int total_auths()
int widest_auth()
int primary_auth (name)
char *name;
int secondary_auth (name)
char *name;
char *primary_of_secondary_auth (name)
char *name;
int write_authorizations (user, auth_list, list_len)
char *user;
char **auth_list;
int list_len;
Description
These routines manipulate and refer to the Subsystems
database, which is extracted from the Protected Password
entries for all users. The Subsystems database stores
primary and secondary authorizations for users with respect
to protected subsystems on the Security Module Package. A
protected subsystem is associated with a special group, and
provides some service to users. It is called protected
because all its programs run SGID to that group, and the
files and devices that the subsystem references are only
accessible to that group, and therefore through the
protected subsystem's programs.
A primary authorization for a protected subsystem allows a
user to assume the administrator role for that subsystem.
The primary authorization name is the group name whose
effective identity is used by the subsystem programs to
protect subsystem files. If a user possesses a primary
authorization for a subsystem, that user can perform any
action within that subsystem. The list of primary
authorizations is as follows:
audit       Audit administrator.
auth        Authentication database administrator.
backup      Backup and file system maintenance administrator.
cron        Cron subsystem administrator (at, batch, crontab).
lp          Line printer spooling subsystem administrator.
mem         Authorization to view information about other
            users (memory devices).
sysadmin    System administrator functions that require root
            privilege.
terminal    The authorization to send unfiltered information
            between user terminals.
uucp        The ability to run uucp (not currently supported).
A secondary authorization allows finer grain operations
within protected subsystems. These authorizations are often
granted either to specific users or to the entire user
community by appropriate setup of user Protected Password
entries and the Defaults database. Each secondary
authorization is associated with exactly one protected
subsystem, and only allows operations with respect to that
subsystem. The secondary authorizations are as follows:
printqueue  Authorization to see other users' jobs in the
            print queues (lp).
printerstat Authorization to change printer status with the
            enable(C) and disable(C) commands (lp).
queryspace  Authorization to use df(C) to query file system
            space (backup).
Authorized_user returns non-zero if the login user ID (LUID)
associated with the current process, rather than its real or
effective user ID, has the specified authorization in the
subsystem which is currently running. This subsystem is
identified by the effective group under which the program
began execution, so the check is bound to the SGID group of
the subsystem program itself. The primary authorization for
any subsystem grants all secondary authorizations for that
subsystem.
The rest of the routines are for programs which will
manipulate user entries directly, or which have to validate
authorizations input by users. They may not be supported in
future releases of the SMP. Total_auths returns the number
of primary and secondary authorizations recognized by the
system. Widest_auth returns the longest string name of any
authorization. Primary_auth maps a primary authorization
name to a bit offset in a mask. This is used for checking a
user's authorizations against the Protected Password entry.
Secondary_auth maps a secondary authorization to a bit
offset. Primary_of_secondary_auth returns the primary
authorization name associated with the secondary
authorization. The primary authorization name is also the
subsystem name in which the secondary authorization is
recognized.
Write_authorizations updates the Subsystems database for a
given user. It takes list_len authorizations from the
auth_list array of string pointers and associates those
authorizations with the given user. If the first character
string pointer references the string ``default,'' the user
is given default authorizations. This routine is used by
the screen-oriented routine which updates the user's
Protected Password entry, and then must propagate the user's
authorizations to the Subsystems database.
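The following is an added example and not code from this manual page or from libprot: a self-contained C model of the authorization mask that the routines above describe. The table contents, the bit layout (primary authorizations in the low bits, secondary authorizations after them), the model_ prefixed function names and the treatment of ``default'' as an empty site default are assumptions made for illustration; the real routines consult the Protected Password and Subsystems databases instead. The model shows the three rules a subsystem program relies on: both kinds of authorization share one mask, a primary authorization grants every secondary authorization of its own subsystem, and a secondary authorization is honoured only inside the subsystem it belongs to.

```c
/* Added example: a model of the Subsystems authorization mask.  This is
 * NOT the libprot implementation.  The table, the bit layout and the
 * "default" policy are assumptions chosen to illustrate the documented
 * semantics: one shared mask, primary grants all secondaries of its own
 * subsystem, a secondary is valid only in its own subsystem, and unknown
 * names map to a negative offset. */
#include <stdio.h>
#include <string.h>

/* primary == NULL marks a primary authorization (also a subsystem name). */
struct authdef { const char *name; const char *primary; };

static const struct authdef auths[] = {
    { "audit", NULL }, { "auth", NULL }, { "backup", NULL }, { "cron", NULL },
    { "lp", NULL }, { "mem", NULL }, { "sysadmin", NULL }, { "terminal", NULL },
    { "uucp", NULL },
    { "printqueue", "lp" }, { "printerstat", "lp" }, { "queryspace", "backup" },
};
#define NAUTHS (sizeof auths / sizeof auths[0])

/* Bit offset of a name of the requested kind, or -1 if not recognized.
 * Primaries occupy the low bits, secondaries follow, in one shared mask. */
static int auth_bit(const char *name, int want_secondary)
{
    for (int i = 0; i < (int)NAUTHS; i++) {
        int is_sec = auths[i].primary != NULL;
        if (is_sec == want_secondary && strcmp(auths[i].name, name) == 0)
            return i;
    }
    return -1;
}
int model_primary_auth(const char *name)   { return auth_bit(name, 0); }
int model_secondary_auth(const char *name) { return auth_bit(name, 1); }

/* Subsystem (primary name) that owns a secondary authorization, or NULL. */
const char *model_primary_of_secondary_auth(const char *name)
{
    int b = model_secondary_auth(name);
    return b < 0 ? NULL : auths[b].primary;
}

/* Build a user's mask from a list of names, the way an editor would check
 * input before calling write_authorizations().  A first entry of "default"
 * applies the assumed site default (no authorizations).  Returns the number
 * of names that were not recognized, so the caller can reject bad input. */
int model_build_mask(unsigned long *mask, const char **list, int n)
{
    int bad = 0;
    *mask = 0;
    if (n > 0 && strcmp(list[0], "default") == 0) return 0;
    for (int i = 0; i < n; i++) {
        int b = model_primary_auth(list[i]);
        if (b < 0) b = model_secondary_auth(list[i]);
        if (b < 0) { bad++; continue; }
        *mask |= 1UL << b;
    }
    return bad;
}

/* authorized_user() semantics.  The real routine takes only the
 * authorization name and derives `subsystem` from the SGID group the
 * program started under; here it is passed explicitly.  A primary
 * authorization for the subsystem grants the primary itself and every
 * secondary that belongs to it; a secondary counts only in its own
 * subsystem. */
int model_authorized_user(unsigned long mask, const char *subsystem, const char *auth)
{
    int p = model_primary_auth(subsystem);
    if (p < 0) return 0;                       /* not running in a subsystem */
    if (mask & (1UL << p)) {                   /* subsystem administrator */
        if (strcmp(auth, subsystem) == 0) return 1;
        const char *owner = model_primary_of_secondary_auth(auth);
        return owner != NULL && strcmp(owner, subsystem) == 0;
    }
    int s = model_secondary_auth(auth);
    if (s < 0) return 0;
    return strcmp(auths[s].primary, subsystem) == 0 && (mask & (1UL << s)) != 0;
}

int main(void)
{
    /* Constructed input: an operator with two secondaries and a typo. */
    const char *operator[] = { "printqueue", "queryspace", "prinqueue" };
    unsigned long m;
    printf("unrecognized names: %d\n", model_build_mask(&m, operator, 3));
    printf("lp/printqueue:      %d\n", model_authorized_user(m, "lp", "printqueue"));
    printf("lp/printerstat:     %d\n", model_authorized_user(m, "lp", "printerstat"));
    printf("lp/queryspace:      %d\n", model_authorized_user(m, "lp", "queryspace"));
    printf("backup/queryspace:  %d\n", model_authorized_user(m, "backup", "queryspace"));
    const char *admin[] = { "lp" };
    model_build_mask(&m, admin, 1);
    printf("lp admin, printerstat: %d\n", model_authorized_user(m, "lp", "printerstat"));
    return 0;
}
```

In a real subsystem program the check collapses to the single call authorized_user("printqueue"), with the subsystem taken from the SGID group the program started under. model_build_mask stands in for the validation an interactive editor should perform with primary_auth() and secondary_auth() before handing a list to write_authorizations(): a misspelled name should be reported to the operator rather than silently dropped, because the resulting entry would grant less than intended and nobody would notice until the user is denied.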
See Also
getprpwent(S)
Diagnostics
Authorized_user returns non-zero if the user possesses the
specified authorization, otherwise zero. Total_auths
returns the sum of the number of primary authorizations and
the number of secondary authorizations recognized by the
system. Widest_auth returns the length of the longest
string name of an authorization. This length does not
include the terminating null byte, so a buffer meant to
hold any authorization name needs widest_auth() + 1 bytes.
Both primary_auth and
secondary_auth return a negative value if the authorization
name is not supported; otherwise, they return the bit offset
of the authorization. The Protected Password database
stores both types of authorizations in the same mask.
Primary_of_secondary_auth returns a pointer to a static area
containing the primary authorization name associated with
the secondary authorization. The string must be copied if
it is to be modified or kept across a later call, since the
static area is reused. Write_authorizations returns 0 on
success, non-zero on permission failures, I/O errors, etc.
Notes
Programs using these routines must be compiled with -lprot.
(printed 6/20/89)