getesdfent, getesdfnam, setprdfent, endprdfent, putesdfnam,
getprdfent, getprdfnam, putprdfnam, copyesdfent -
Manipulate system default database entry (Enhanced Security)
#include <sys/types.h>
#include <sys/security.h>
#include <prot.h>

struct es_default *getesdfent(void);
struct es_default *getesdfnam(char *name);
void setprdfent(void);
void endprdfent(void);
int putesdfnam(char *name, struct es_default *pr);
struct es_default *copyesdfent(struct es_default *pr);
Note
The getprdfent(), getprdfnam(), and putprdfnam() routines
have been replaced by getesdfent(), getesdfnam(), and
putesdfnam() respectively.
Security Library (libsecurity.so)
NOTE: In order to quickstart a program, the program must
be linked as follows:

    -lsecurity -ldb -laud -lm

See the shared library discussion in the Programmer's
Guide for more information about using the quickstarting
feature.
name    Specifies a system default database entry name.
pr      Specifies a system default database control entry
        structure.
The getesdfent(), getesdfnam(), and copyesdfent() functions
each return a pointer to an object with the following
structure, which holds the separated-out fields of one
line in the system default database. Each line in the
database corresponds to an es_default structure, declared
in the <prot.h> file as follows:
struct es_default {
    AUTH_ESCAP_COMMON
    char   *dd_name;                  /* copy of sfld->fd_name */
    int     dg_name;                  /* copy of sflg->fg_name */
    size_t  esprof_flen;
    struct espw_field  *prd;
    struct espw_flag   *prg;
    size_t  estc_flen;
    struct estc_field  *tcd;
    struct estc_flag   *tcg;
    size_t  esdev_flen;
    struct esdev_field *devd;
    struct esdev_flag  *devg;
    size_t  fieldlen;
    struct es_default_fields *sfld;
    struct es_default_flags  *sflg;
};

struct system_default_fields {
    time_t fd_inactivity_timeout;
    time_t fd_pw_expire_warning;
    char   fd_pw_site_callout[MAXPATHLEN];
    mask_t fd_secclass[AUTH_SECCLASSVEC_SIZE];  /* System security class */
    char   fd_boot_authenticate;
    char   fd_audit_enable;
};

struct system_default_flags {
    unsigned int
        fg_inactivity_timeout : 1,
        fg_pw_expire_warning  : 1,
        fg_pw_site_callout    : 1,
        fg_boot_authenticate  : 1,
        fg_audit_enable       : 1,
        fg_secclass           : 1;
};

struct es_default_fields {
    char      *fd_name;
    time_t     fd_inactivity_timeout;
    time_t     fd_pw_expire_warning;
    char      *fd_pw_site_callout;
    mand_ir_t *fd_single_user_sl;
    mask_t    *fd_secclass;          /* System security class */
    char       fd_boot_authenticate;
    char       fd_audit_enable;
    char       fd_preexpire;         /* admin-set psw should be expired */
    char       fd_skip_ttys_update;  /* skip putprtcnam in login path */
    char       fd_auto_migrate_u;    /* auto-create 'missing' profiles */
    time_t     fd_max_vac_future;    /* how far into future can vac. be? */
    time_t     fd_max_vac_len;       /* how long can vac. be (by user)? */
    /* if either of the above fields is 0, user-originated 'vacation'
     * scheduling is disabled. */
    char       fd_accept_vouch;      /* accept 'vouching' in SIA */
};

struct es_default_flags {
    unsigned int
        fg_name               : 1,
        fg_inactivity_timeout : 1,
        fg_pw_expire_warning  : 1,
        fg_pw_site_callout    : 1,
        fg_single_user_sl     : 1,   /* sens. level for single-user */
        fg_boot_authenticate  : 1,
        fg_audit_enable       : 1,
        fg_secclass           : 1,
        fg_preexpire          : 1,   /* Is fd_preexpire set? */
        fg_skip_ttys_update   : 1,   /* Have fd_skip_ttys_update? */
        fg_auto_migrate_u     : 1,   /* Have fd_auto_migrate_u? */
        fg_max_vac_future     : 1,   /* Have fd_max_vac_future? */
        fg_max_vac_len        : 1,   /* Have fd_max_vac_len? */
        fg_accept_vouch       : 1;   /* Have fd_accept_vouch? */
};
Currently there is only one entry in the system default
database, referenced by the name "default".

The system default database contains default values for
all parameters in the protected password, terminal control,
and device assignment databases, as well as configurable
system-wide parameters. The fields from the other
databases are described in the corresponding reference
pages.

This field is the time, in seconds, before a password's
expiration that the system begins printing expiration
warnings when the user logs in.

Although not used in the software, this field is an
indicator of the system's TCSEC (Orange Book) class of
trust.

This field is a Boolean flag that indicates whether an
authorized user must authenticate before the system begins
operation.

This field is reserved for future use. This field and the
fd_audit_flag are always 0 (zero).

Name of the entry.

Reserved for future use.

Pathname for the password policy callout script (or
program, if replaced by the site). It is currently shipped
as "/tcb/bin/pwpolicy".

Flag determining whether passwords set by system
administrators should be pre-expired. Honored by the
dxchpwd program (and thus by dxaccounts), as well as by the
auto-migration code in the login sequence (see
fd_auto_migrate_u).

Flag which, if set, disables break-in evasion for terminals
by skipping the update of the ttys database during logins.

Flag determining whether user accounts which have valid
accounts according to getpwnam() but which have no entry
visible to getespwnam() should have an extended profile
created automatically during login processing.

Time interval (in seconds) specifying the maximum time from
the current time at which a user-initiated vacation can
start. (Administratively-set vacations are not subject to
this limit.) If 0, no user-initiated vacationing is
possible.

Maximum time interval (in seconds) which can be set as the
duration of a user-initiated vacation request.
(Administratively-set vacations are not subject to this
limit.) If 0, no user-initiated vacationing is possible.

Flag determining whether the enhanced security login
sequence accepts password validation from another SIA
mechanism, such as DCE.
The getesdfent() function returns a pointer to the first
es_default structure in the database when first called.
Thereafter, it returns a pointer to the next es_default
structure in the database, so successive calls can be used
to search the database (not currently supported). The
getesdfnam() function searches from the beginning of the
file until a default entry matching name is found, and
returns a pointer to the structure for that entry. If an
end-of-file or an error is encountered on reading, these
functions return a null pointer. Currently, all programs
access the default database by calling getesdfnam() with
the name "default".
The copyesdfent() function copies pr, and the fields to
which it refers, to a newly allocated data area. Because
the getesdfent() and putesdfent() functions reuse a static
structure when accessing the database, the values of any
entry must be saved if the database routines are used
again. The es_default structure returned by copyesdfent()
can be freed using the free() function.
A call to the setprdfent() function has the effect of
rewinding the default control file to allow repeated
searches. The endprdfent() function can be called to close
the database when processing is complete.
The putesdfnam() function puts a new or replaced default
control entry pr with key name into the database. If the
sflg->fg_name field contains a value of 0 (zero), the
requested entry is deleted from the system default
database. The putesdfnam() function locks the database for
all update operations, and performs an endprdfent() after
the update or failed attempt.
Structures returned by the database routines contain
pointers to character strings and lists rather than being
self-contained. The copyesdfent() function must be used
rather than doing a structure assignment to save a
returned structure.
The value returned by the getesdfent() and getesdfnam()
functions refers to a structure that is overwritten by
calls to the function. To retrieve an entry, modify it,
and replace it in the database, you must copy the entry
using the copyesdfent() function and supply the modified
buffer to the putesdfent() function.
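The read-modify-write sequence described above, together with the reuse of a static result structure that the NOTES paragraph warns about, is easier to see in running code. The following added example is not part of this reference page and does not link against libsecurity or include <prot.h>; it models the documented contract with a reduced es_default (only fd_name, fd_pw_expire_warning, fd_pw_site_callout and fd_preexpire plus their flags) and a single in-memory "default" entry. The model_* function names, the demo_* helper and the 7-day warning period are constructed for the example; the "/tcb/bin/pwpolicy" path is the one the page names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Reduced stand-in for es_default: only the fields this example uses.
   The real structure is declared in <prot.h>; this is a model. */
struct m_fields  { char *fd_name; time_t fd_pw_expire_warning;
                   char *fd_pw_site_callout; char fd_preexpire; };
struct m_flags   { unsigned int fg_name : 1, fg_pw_expire_warning : 1,
                   fg_pw_site_callout : 1, fg_preexpire : 1; };
struct m_default { struct m_fields *sfld; struct m_flags *sflg; };

/* The "database": the single "default" entry, held as plain values. */
static int    db_present;
static char   db_name[64], db_callout[256];
static time_t db_pw_expire_warning;
static char   db_preexpire;

void model_reset_db(void) {
    db_present = 1;
    strcpy(db_name, "default");
    strcpy(db_callout, "/tcb/bin/pwpolicy");  /* path named on the page */
    db_pw_expire_warning = 7 * 24 * 3600;     /* constructed: 7 days */
    db_preexpire = 0;
}

/* One static result area, reused by every lookup, as the page warns. */
static char res_name[64], res_callout[256];
static struct m_fields  res_fields;
static struct m_flags   res_flags;
static struct m_default res_entry = { &res_fields, &res_flags };

struct m_default *model_getesdfnam(const char *name) {
    if (!db_present || strcmp(name, db_name) != 0) return NULL;
    strcpy(res_name, db_name);
    strcpy(res_callout, db_callout);
    res_fields.fd_name = res_name;
    res_fields.fd_pw_site_callout = res_callout;
    res_fields.fd_pw_expire_warning = db_pw_expire_warning;
    res_fields.fd_preexpire = db_preexpire;
    res_flags.fg_name = res_flags.fg_pw_expire_warning = 1;
    res_flags.fg_pw_site_callout = res_flags.fg_preexpire = 1;
    return &res_entry;                        /* same address every call */
}

/* Deep copy into ONE allocation so the caller releases it with a single
   free(), the contract the page states for copyesdfent(). Each struct's
   size is a multiple of its alignment, so the sub-objects carved from the
   block stay aligned; the two strings follow at the end. */
struct m_default *model_copyesdfent(const struct m_default *pr) {
    size_t nlen = strlen(pr->sfld->fd_name) + 1;
    size_t clen = strlen(pr->sfld->fd_pw_site_callout) + 1;
    char *blk = malloc(sizeof(struct m_default) + sizeof(struct m_fields)
                       + sizeof(struct m_flags) + nlen + clen);
    if (!blk) return NULL;                    /* allocation error -> NULL */
    struct m_default *c = (struct m_default *)blk;
    c->sfld = (struct m_fields *)(blk + sizeof *c);
    c->sflg = (struct m_flags *)(blk + sizeof *c + sizeof *c->sfld);
    char *strs = blk + sizeof *c + sizeof *c->sfld + sizeof *c->sflg;
    *c->sfld = *pr->sfld;
    *c->sflg = *pr->sflg;
    c->sfld->fd_name = memcpy(strs, pr->sfld->fd_name, nlen);
    c->sfld->fd_pw_site_callout =
        memcpy(strs + nlen, pr->sfld->fd_pw_site_callout, clen);
    return c;
}

/* Keyed update. fg_name == 0 requests deletion; only fields whose flag is
   set are stored. Returns 0 when the entry cannot be added or updated. */
int model_putesdfnam(const char *name, const struct m_default *pr) {
    if (strcmp(name, "default") != 0) return 0; /* only one entry exists */
    if (!pr->sflg->fg_name) { db_present = 0; return 1; }
    db_present = 1;
    if (pr->sflg->fg_pw_expire_warning)
        db_pw_expire_warning = pr->sfld->fd_pw_expire_warning;
    if (pr->sflg->fg_pw_site_callout)
        snprintf(db_callout, sizeof db_callout, "%s",
                 pr->sfld->fd_pw_site_callout);
    if (pr->sflg->fg_preexpire) db_preexpire = pr->sfld->fd_preexpire;
    return 1;
}

struct demo_result { time_t via_alias; time_t via_copy; int gone; };

/* Read-modify-write as the page prescribes, then the trap it warns about:
   a bare pointer from the lookup reports the new value after the next
   lookup, while a copy taken earlier keeps the old one. Finally the entry
   is deleted by storing a copy whose fg_name is cleared. */
struct demo_result demo_read_modify_write(time_t new_warning) {
    struct demo_result r;
    model_reset_db();
    struct m_default *p     = model_getesdfnam("default");  /* alias */
    struct m_default *saved = model_copyesdfent(p);         /* snapshot */
    struct m_default *m     = model_copyesdfent(p);         /* to edit */
    m->sfld->fd_pw_expire_warning = new_warning;
    model_putesdfnam("default", m);
    free(m);
    (void)model_getesdfnam("default");   /* overwrites what p points at */
    r.via_alias = p->sfld->fd_pw_expire_warning;
    r.via_copy  = saved->sfld->fd_pw_expire_warning;
    saved->sflg->fg_name = 0;            /* fg_name == 0 means delete */
    model_putesdfnam("default", saved);
    r.gone = (model_getesdfnam("default") == NULL);
    free(saved);
    return r;
}

int main(void) {
    struct demo_result r = demo_read_modify_write(3 * 24 * 3600);
    printf("alias=%ld copy=%ld deleted=%d\n",
           (long)r.via_alias, (long)r.via_copy, r.gone);
    return 0;
}
```

The design point is the single-block copy: because copyesdfent() results can be released with one free(), the copy cannot be a shallow struct assignment that still points into the library's static strings, which is exactly why the page says a structure assignment is not enough.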
The getesdfent() and getesdfnam() functions return null
pointers on EOF or an error.
The putesdfnam() function returns a value of 0 (zero) if
it cannot add or update the entry.
The copyesdfent() function returns a pointer, or NULL on
(allocation) error.
System defaults database.
Functions: getespwent(3), getestcent(3), getesdvent(3)
Files: authcap(4), default(4)
Security
getesdfent(3)