clearance - user clearance label information file
The /etc/clearance file contains the following information for each user:
name
     User's login name - contains no upper case characters and must
     not be greater than eight characters long. The name must be
default security label
     It is used as the default label when the user doesn't specify
     the label at login time. If this field doesn't exist, the user
     will be forced to enter their security label. This field
     cannot be a label range. This label must lie within the range of
     the security clearance label field.
security clearance label
     Security clearance range or range(s) can be defined.
An entry beginning with # is ignored as a comment. The clearance file is
an ASCII character file. Each field within an entry is separated from
the next field by a colon. Each user entry is separated from the next by
The name field is the key between the clearance(4) and the passwd(4)
files, so both files need to have entries to validate users.
The default security label field is the label at which the user of the
account will log in if they don't choose a security label when prompted
during the login process. If the default security label field is null,
the user must then explicitly enter a security label that is a valid label
in the security clearance label field before being allowed to log in. A
security range is not permitted in the default label field.
If the security clearance label field is null, that user will have an
invalid label. A user with an invalid label will not be allowed to log
in. If any incorrectly formed security label is detected in the security
clearance label field the whole field is considered invalid. Multiple
security clearance(s) can be declared within the security clearance
field. The syntax for defining multiple security clearance(s) is that a
blank space separates the security clearance(s) and three (3) periods
("...") defines a security range. For example, "dblow...dbadmin" is a
security range with the lowest label on the right and the highest label
on the left. A single security clearance range can be denoted by using
the security label "userlow" or "userlow...userlow". Single label
security clearance(s) and security clearance range(s) can be mixed.
Because of the security label information, access to this file is
restricted to trusted programs.
Here is an example /etc/clearance file:

     Betty:adminlabel midlabel...highlabel lowlabel
     Bubba:lowlabel midlabel adminlabel
Betty is cleared for lowlabel, the label range from midlabel
to highlabel, and adminlabel. Bubba is cleared for lowlabel,
midlabel and adminlabel only (notice no clearance ranges).
Bubbles is cleared for the security ranges between lowlabel
to midlabel and highlabel to adminlabel.
In this example, there are specific entries for users duck
and bill. Duck has a default security label of "userlow",
which must be a valid label in the clearance field, and
has the ability to log in with a security label of "dblow".
Note : "dblow...dblow" is equal to "dblow" since a single
security label is really a security range that only spans
one security label.
The bill account has not specified a default security label,
which means that the account bill must explicitly specify
the security label that they wish to log in at.
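The field rules above (colon-separated fields, space-separated clearances, "..." ranges, a single label as a one-label range, an empty or malformed clearance field making the user's label invalid, and the default label having to lie inside the clearance) as a small validator. This is an added example, not code from the clearance(4) page or its system; the label ordering, the sample file contents and the user names in it are constructed for the example.

```python
import re

# Constructed total order of label names, used only by this example: a real MAC
# system decides "lies within the range" by label dominance, a partial order.
LABEL_RANK = {n: i for i, n in enumerate(
    ["dblow", "userlow", "lowlabel", "midlabel", "highlabel", "dbadmin", "adminlabel"])}
NAME_RE = re.compile(r"^[^A-Z:\s]{1,8}$")  # no upper case, at most eight chars

# Constructed sample in clearance(4) layout: name:default label:clearance(s)
SAMPLE = """\
duck:userlow:userlow dblow...dbadmin
bill::lowlabel midlabel
eve:highlabel:lowlabel...midlabel
mallory:adminlabel:lowlabel bogus...highlabel
"""

def parse_range(token):
    """'a...b' -> (a, b); a lone label is the one-label range (a, a); None if malformed."""
    low, sep, high = token.partition("...")
    high = high if sep else low
    if low not in LABEL_RANK or high not in LABEL_RANK or LABEL_RANK[low] > LABEL_RANK[high]:
        return None
    return (low, high)

def parse_clearance(text):
    """Return {name: (default or None, [ranges] or None)}; None ranges = invalid label."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' lines are comments
            continue
        fields = line.split(":")
        if len(fields) != 3 or not NAME_RE.match(fields[0]):
            continue  # constructed policy: drop entries that are not three well-formed fields
        name, default, clearance = fields
        ranges = [parse_range(tok) for tok in clearance.split()]
        if not ranges or None in ranges:
            ranges = None  # empty field, or any malformed entry, invalidates the whole field
        users[name] = (default or None, ranges)
    return users

def cleared_for(users, name, label):
    """True if `label` lies inside one of the user's clearance ranges."""
    ranges = users.get(name, (None, None))[1]
    if ranges is None or label not in LABEL_RANK:
        return False
    return any(LABEL_RANK[lo] <= LABEL_RANK[label] <= LABEL_RANK[hi] for lo, hi in ranges)

def default_label_valid(users, name):
    """An absent default is fine (the user is prompted); a present one must be cleared."""
    default = users.get(name, (None, None))[0]
    return name in users and (default is None or cleared_for(users, name, default))
```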
SEE ALSO
     a64l(3C), crypt(3), fgetpwent(3), getuserinfoent(3), group(4), login(1),
     mac_cleared(3C), netgroup(4) and passwd(4).