The getauthattr() and getauthnam()
functions each return an auth_attr(4)
entry. Entries can come from any of the sources specified in the nsswitch.conf(4)
The getauthattr() function enumerates auth_attr entries. The getauthnam() function
searches for an auth_attr entry with a given authorization
name name. Successive calls to these functions
return either successive auth_attr entries or NULL.
Th internal representation of an auth_attr entry
is an authattr_t structure defined in <auth_attr.h> with the following members:
char *name; /* name of the authorization */
char *res1; /* reserved for future use */
char *res2; /* reserved for future use */
char *short_desc; /* short description */
char *long_desc; /* long description */
kva_t *attr; /* array of key-value pair attributes */
The setauthattr() function "rewinds"
to the beginning of the enumeration of auth_attr entries.
Calls to getauthnam() can leave the enumeration in an
indeterminate state. Therefore, setauthattr() should
be called before the first call to getauthattr().
The endauthattr() function may be called to indicate
that auth_attr processing is complete; the system may
then close any open auth_attr file, deallocate storage,
and so forth.
The chkauthattr() function verifies whether or
not a user has a given authorization. It first reads the AUTHS_GRANTED key in the /etc/security/policy.conf file
and returns 1 if it finds a match for the given authorization. If chkauthattr() does not find a match, it reads the PROFS_GRANTED key in /etc/security/policy.conf and returns
1 if the given authorization is in any profiles specified with the PROFS_GRANTED keyword. If a match is not found from the default
authorizations and default profiles, chkauthattr() reads
database. If it does not find a match in user_attr,
it reads the prof_attr(4)
database, using the list of profiles assigned to the user, and checks if
any of the profiles assigned to the user has the given authorization. The chkauthattr() function returns 0 if it does not find a match in
any of the three sources.
A user is considered to have been assigned an authorization if either
of the following are true:
- The authorization name matches exactly any authorization
assigned in the user_attr or prof_attr
databases (authorization names are case-sensitive).
- The authorization name suffix is not the key word grant and the authorization name matches any authorization up
to the asterisk (*) character assigned in the user_attr
or prof_attr databases.
The examples in the following table illustrate the conditions under
which a user is assigned an authorization.
| ||/etc/security/policy.conf or||Is user
|Authorization name||user_attr or prof_attr entry||authorized?
The free_authattr() function releases memory allocated
by the getauthnam() and getauthattr()