HP-UX Reference: authcap(4)   TO BE OBSOLETED
HP-UX 11i Version 3: February 2007
NAME
    authcap — security databases for trusted systems

DESCRIPTION
    All security-relevant databases are stored in an ASCII format in the file system. This format is converted to binary structures by the support routines described in the Section 3 manpages. This manpage describes the format of these databases and the philosophy of their conversion into data structures.

  Hierarchy Structure
    The complete database resides in two hierarchies: /tcb/files/auth/* and /tcb/files.

    The first hierarchy contains the Protected Password database and has subdirectories with single-letter names, each of which is a starting letter for user names. Within each of these directories are regular files, each an authcap(4)-format file containing the Protected Password entry for one user. Thus, all user names beginning with x have their authentication and identity information in a file in directory /tcb/files/auth/x.

    Directories within /tcb/files/auth/system and /tcb/files contain system-wide information. Global system settings reside in directory /tcb/files/auth/system. Terminal and device assignment files are located in directory /tcb/files.

    The following database files reside in directory system:
    The following database files reside in directory /tcb/files:
  File Format
    Each data file (/tcb/files/auth/system and /tcb/files) has the same format. Each file consists of one virtual line, optionally split into multiple physical lines with the \ character present at the end of all lines except the last. For example, the line

        smk:u_name=smk:u_id#16:u_pwd=a78/a1.eitfn6:chkent:

    can be split into:

        smk:u_name=smk:u_id#16:\
                :u_pwd=a78/a1.eitfn6:\
                :chkent:

    Note that all capabilities must be immediately preceded and followed by the : separator. Multiple-line entries require : at the end of each line and at the beginning of each continuation line in the entry. Continuation lines are indented by a tab character. Multiple entries are separated by a newline character that is not preceded by a continuation character:

        daa:u_name=daa:u_id#75:u_maxtries#9:chkent:
        smk:u_name=smk:u_id#76:u_maxtries#5:chkent:

  Line Format
    The format of a line is briefly as follows:

        name:cap1:cap2:cap3:...:capn:chkent:

    The entry is referenced by the name. The end of the name part of the entry is terminated by the : character. At the end of each entry is the chkent field. This is used as an integrity check on each entry: the authcap routines reject all entries that do not contain the chkent terminator.

    Each entry has 0 or more capabilities, each terminated with the : character. Each capability has a unique name. Numeric capabilities have the format:

        id#num

    where num is a decimal or (0-preceded) octal number. Boolean capabilities have the format:
or
    where the first form signals the presence of the capability and the second form signals the absence of the capability. String capabilities have the format:

        id=string

    where string is 0 or more characters. The \ and : characters are escaped as \\ and \: respectively.

  File Locking
    All databases use a lock file, the existence of which means that the file is currently being rewritten. Occasionally, the lock files remain after a system crash and must be removed manually. The lock file is formed by appending -t to the database file name.

  Fields/Flags
    All databases are converted into structures by programs. The data structures consist of two substructures, each of which has one member for each field in the database entry. The field structure contains a field value (for example, a number, a boolean flag, a directory string, or a mask), while the flag value (one bit) indicates the presence or absence of the field in that entry.

SEE ALSO
    getdvagent(3), getprdfent(3), getprpwent(3), getprtcent(3), default(4), devassign(4), prpwd(4), ttys(4).
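As an added illustration (not part of the HP-UX manpage or its libraries), the following parser applies the File Format and Line Format rules above to a constructed sample: it joins backslash-continued physical lines, splits on unescaped : while decoding \\ and \:, converts id#num (decimal or 0-preceded octal), id=string and boolean capabilities, and rejects any entry whose last field is not chkent. The two boolean spellings are not printed on this page; the code assumes the termcap-style convention (bare id for present, id@ for absent) and labels that assumption in a comment.

```python
import re

# Constructed sample in authcap(4) format (not from a real system): a one-line
# entry, an entry split with trailing-backslash continuation (tab-indented
# continuation lines, ':' at each line end and start), and one lacking chkent.
SAMPLE = (
    "daa:u_name=daa:u_id#75:u_maxtries#9:u_lock:chkent:\n"
    "smk:u_name=smk:u_id#16:\\\n"
    "\t:u_pwd=a78/a1.eitfn6:u_tz=UTC\\:0:\\\n"
    "\t:u_maxtries#011:u_lock@:chkent:\n"
    "bad:u_name=bad:u_id#5:\n"
)

FIELD_RE = re.compile(r"((?:\\.|[^:\\])*):")   # text up to an unescaped ':'
# One capability: id#num, id=string, or boolean. The manpage text here does not
# show the boolean spellings; assumed termcap style: "id" present, "id@" absent.
CAP_RE = re.compile(r"(\w+)(?:#(\d+)|=(.*)|(@))?")


def split_fields(virtual_line):
    """Fields of one virtual line, with \\\\ and \\: decoded to \\ and :."""
    return [re.sub(r"\\(.)", r"\1", f) for f in FIELD_RE.findall(virtual_line)]


def parse_capability(cap):
    """Return (id, value); a key's presence in the entry dict is its flag bit."""
    m = CAP_RE.fullmatch(cap)
    if m is None:
        raise ValueError(f"malformed capability {cap!r}")
    key, num, string, absent = m.groups()
    if num is not None:              # decimal, or octal when 0-preceded
        return key, int(num, 8) if num.startswith("0") else int(num)
    if string is not None:
        return key, string
    return key, absent is None       # boolean: True unless written id@


def parse_authcap(text):
    """Parse a file into ({name: {cap: value}}, [names lacking chkent])."""
    entries, rejected = {}, []
    # A trailing backslash joins physical lines; the continuation line's
    # leading tab is layout, not data. The empty field at each join is dropped.
    for virtual in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        fields = split_fields(virtual)
        if not fields:
            continue
        name, caps = fields[0], [f for f in fields[1:] if f]
        if not caps or caps[-1] != "chkent":     # per-entry integrity check
            rejected.append(name)
            continue
        entries[name] = dict(parse_capability(c) for c in caps[:-1])
    return entries, rejected
```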