satmpd(1M) — IRIX 6.5.3f


SATMPD(1M)                                                          SATMPD(1M)



NAME
     satmpd - Security Attribute Token Mapping Protocol Daemon

SYNOPSIS
     /usr/bin/satmpd [ -c configdir ] [ -d debug-options ] [ -l logfile ] [ -p port ]

DESCRIPTION
     A daemon that implements the Security Attribute Token Mapping Protocol
     (SATMP).  It is also known as the Token Mapping Daemon.

OPTIONS
     -c configdir
          Set the location of satmpd configuration files to configdir.

     -d debug-options
          Turn on the requested debugging options.  These must be entered as a
          single option or as a comma-separated list with no whitespace.
          Acceptable values are STARTUP, FILE_OPEN, DIR_OPEN, OPEN_FAIL,
          OPENDIR_FAIL, PROTOCOL, and ALL.  The -d option may be given more
          than once.

     -l logfile
          Direct debugging output to file logfile.

     -p port
          Force satmpd to listen on alternate port port.

CONFIGURATION FILES
     The following configuration files are required.  It is an unrecoverable
     error if any of these are missing.

   ATTRIDS
     This file contains human-readable names of the SATMP attributes plus
     their numerical values.  Each ATTRIDS entry consists of a single line
     with the following format:

          <attribute>:<number>

     The ATTRIDS file supplied with your system contains the following
     entries:

          SEN_LABEL:0
          NATIONAL_CAVEATS:1
          INTEGRITY_LABEL:2
          INFO_LABEL:3
          PRIVILEGES:4
          AUDIT_ID:5
          IDS:6
          CLEARANCE:7
          AUDIT_INFO:8
          UNASSIGNED_9:9
          ACL:10
          UNASSIGNED_11:11

     The following attributes are not supported under Trusted IRIX and are
     silently ignored: NATIONAL_CAVEATS, INFO_LABEL, CLEARANCE, AUDIT_INFO,
     ACL, UNASSIGNED_9, and UNASSIGNED_11.

   REQATTR
     This file contains human-readable names of the attributes all clients
     must support. These names must match those in ATTRIDS.  For example:

          SEN_LABEL
          PRIVILEGES
          ACL

   WEIGHTS
     This file contains information regarding weights assigned to domains of
     translation.  When the local and remote host have more than one domain of
     translation in common for a given attribute, the weight is used to
     determine which domain of translation is used.  Weight entries should be
     listed in descending order within the file, one per line, with the
     following format:

          <attribute>:<domain>:<weight>

     For example:

          ACL:SGI:255
          ACL:DECMLS:250
          ACL:SUN:245

   localmap
     This file contains remote-to-local attribute mapping information. Each
     entry consists of one line with the following format:

          <attribute>:<domain>:<source>:<dest>

     The meaning of <source> and <dest> is attribute specific.  If the map in
     any domain has a <source> field with the value "NATIVE_MAPPING", the map
     is ignored and SGI native mapping is assumed.  Otherwise, the meaning of
     <source> and <dest> is as follows:

     PRIVILEGES

     <source> is the remote representation, as one "word". The remote
     representation of the privilege set is broken up into words, which are
     then matched against <source>.

     <dest> is an SGI format capability set.  Only the effective set matters,
     and a one-to-many mapping is possible.


     Examples:

          PRIVILEGES:SGI:mac-read:CAP_MAC_READ+e
          PRIVILEGES:SGI:all-privs:all+eip

     AUDIT_ID

     <source> is the remote user name and <dest> is the local user name.

     Examples:

          AUDIT_ID:SGI:gails:gsmith
          AUDIT_ID:SGI:cbj:charles

     IDS

     User and group ids are listed on separate lines.  For each, <source> is
     the remote name and <dest> is the local name.

     Examples:

          IDS:SGI:user,gails:gsmith
          IDS:SGI:group,square:wheel

     SEN_LABEL
     INTEGRITY_LABEL

     For each entry, <source> is the remote representation and <dest> is the
     local representation.

     Mandatory access control labels consist of a sensitivity label and an
     integrity label.  For each of these, there are some administrative
     labels, which consist only of a type, and other labels, msentcsec and
     mintbiba, that consist of components.  Administrative labels are
     represented by entries with the attribute "type".  The sensitivity label
     "msentcsec" and the integrity label "mintbiba" are not specified as
     types.  Instead, each level or grade and category or division is
     specified on a single line.  Note that grades should be specified as
     "level" and divisions as "category".

     Examples:

          SEN_LABEL:SGI:type,msenhigh:highadmin
          SEN_LABEL:SGI:level,lords:senate
          SEN_LABEL:SGI:level,commons:house
          SEN_LABEL:SGI:category,crimson:red

     The daemon is implemented to facilitate matching between Trusted IRIX
     representations and those of other vendors, which do not have separate
     types for administrative labels.  To map a remote, non Trusted IRIX
     representation to a local representation, the remote label representation
     is first compared with "type" entries.  If it matches in toto, then it is
     not a msentcsec or mintbiba label and the local label representation in
     the "type" entry is the complete local representation of that label.
     Otherwise, the remote representation is broken into words.  The largest
     subsequence of words is matched against "level" entries.  If no
     subsequence matches (in other words, even the first word of the label has
     no match) it is rejected.  Otherwise, any remaining words are matched one
     at a time against entries of type "category".

   remotemap
     This file contains local-to-remote attribute mapping information. The
     entries have the same format as in localmap.

     The meaning of <source> and <dest> is attribute specific. If the map in
     any domain has a <source> field with the value "NATIVE_MAPPING", the map
     is ignored and SGI native mapping is assumed.  Otherwise, the meaning of
     <source> and <dest> is as follows:

     PRIVILEGES

     <source> is an SGI format capability set. Only the effective capabilities
     are examined.  Multiple capabilities may be specified; a many-to-one
     mapping is possible.

     <dest> is the remote representation of <source>

     Examples:

          PRIVILEGES:SGI:CAP_MAC_READ+e:mac-read
          PRIVILEGES:SGI:all+eip:all-privs

     AUDIT_ID

     <source> is the local user name and <dest> is the remote user name.

     Examples:

          AUDIT_ID:SGI:gsmith:gails
          AUDIT_ID:SGI:charles:cbj

     IDS

     User and group ids are listed on separate lines.  For each, <source> is
     the local name and <dest> is the remote name.

     Examples:

          IDS:SGI:user,gsmith:gails
          IDS:SGI:group,wheel:square

     SEN_LABEL
     INTEGRITY_LABEL

     For each entry, <source> is the local representation and <dest> is the
     remote representation.

     Examples:

          SEN_LABEL:SGI:type,highadmin:msenhigh
          SEN_LABEL:SGI:level,senate:lords
          SEN_LABEL:SGI:level,house:commons
          SEN_LABEL:SGI:category,red:crimson

     The daemon is implemented to correctly map local Trusted IRIX
     representations to those of other vendors, which do not have separate
     types for administrative labels.  If the local label is not a msentcsec or
     mintbiba label, then it is matched against "type" entries, and the remote
     label representation is complete.  If the local label is a msentcsec or
     mintbiba label, its local representation is divided into a level, or
     grade, and one or more categories, or divisions.  The remote label
     representation is constructed by matching the level or grade portion
     against "level" entries, and matching each category or division against
     "category" entries.
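As an added illustration (not code from satmpd or this man page), the following Python models the matching rules the localmap and remotemap sections describe for SEN_LABEL entries, using the man page's own sample names. It assumes that "largest subsequence of words" means the longest leading run of words, and the dict shape used for a local label and the space-joined remote string are this example's own conventions, not anything satmpd defines.

```python
# Constructed entries in the <attribute>:<domain>:<source>:<dest> format shared by
# localmap and remotemap; the names are the man page's own sample values.
LOCALMAP = """\
SEN_LABEL:SGI:type,msenhigh:highadmin
SEN_LABEL:SGI:level,lords:senate
SEN_LABEL:SGI:level,commons:house
SEN_LABEL:SGI:category,crimson:red
"""
REMOTEMAP = """\
SEN_LABEL:SGI:type,highadmin:msenhigh
SEN_LABEL:SGI:level,senate:lords
SEN_LABEL:SGI:level,house:commons
SEN_LABEL:SGI:category,red:crimson
"""

def parse_map(text, attribute="SEN_LABEL", domain="SGI"):
    """Index one attribute/domain as {kind: {source: dest}}, kind = type/level/category."""
    table = {"type": {}, "level": {}, "category": {}}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        attr, dom, source, dest = line.split(":", 3)
        if attr == attribute and dom == domain:
            kind, _, name = source.partition(",")
            table[kind][name] = dest
    return table

def remote_to_local(remote, table):
    """localmap rule: a whole-label "type" match wins; otherwise the longest leading
    run of words must name a "level" and every remaining word a "category".
    Returns None when the label is rejected."""
    if remote in table["type"]:
        return {"type": table["type"][remote]}
    words = remote.split()
    for n in range(len(words), 0, -1):           # try the largest run of words first
        if " ".join(words[:n]) in table["level"]:
            level, rest = table["level"][" ".join(words[:n])], words[n:]
            break
    else:
        return None                               # not even the first word is a level
    cats = [table["category"].get(w) for w in rest]
    return None if None in cats else {"level": level, "categories": cats}

def local_to_remote(local, table):
    """remotemap rule: an administrative ("type") label maps as a whole; a
    msentcsec-style label maps its level and each category separately.
    `local` is the dict shape remote_to_local() returns (this example's convention)."""
    if "type" in local:
        return table["type"].get(local["type"])
    level = table["level"].get(local["level"])
    cats = [table["category"].get(c) for c in local["categories"]]
    return None if level is None or None in cats else " ".join([level] + cats)
```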

SEE ALSO
     iflabel(1m), rhost(1m), samp(7p), satmp(7p), trusted_networking(7),
     tsix(7p).
