The /tcb/files/auth hierarchy deals with user-specific files. This directory contains 26 subdirectories, named for every letter in the alphabet. User authentication profiles are stored in these directories according to the first letter of the account name (see prpw(F) for more details).
The directories below /etc/auth contain system-wide information:
The file /etc/auth/subsystems/dflt_users lists the users granted default subsystem authorizations. The other files in /etc/auth/subsystems are named for the group associated with a protected subsystem. These subsystem files are owned by auth with the group set to be the same as the filename. Only the owner and group may view the contents of these files.
blf:u_name=blf:u_id#16:u_encrypt=a78/a1.eitfn6:u_type=sso:chkent:may be split into:
blf:u_name=blf:u_id#16:\ :u_encrypt=a78/a1.eitfn6:\ :u_type=sso:chkent:Note that all capabilities must be immediately preceded and followed with the ``:'' separator; multiple line entries require additional ones -- one more per line. Multiple entries are separated by a newline:
drb:u_name=drb:u_id#75:u_maxtries#9:u_type=general:chkent: blf:u_name=blf:u_id#76:u_maxtries#5:u_type=general:chkent:For subsystem files, the file is a set of lines, each containing a user name terminated by a colon, followed by a comma-separated list of primary and secondary authorizations defined for that subsystem.
The entry can be referenced by the name or any of the alternate names (alt_name). A description may be included to document the entry. The alt_name and description fields are optional; if included, the name, alt_names, and description fields must be separated using the ``|'' character. The end of the name/description part of the entry is terminated by the ``:'' character.
At the end of each entry is the ``chkent'' field. This is used as an integrity check on each entry. The authcap(S) routines will reject all entries that do not have ``chkent'' at the very end.
Each entry has 0 or more capabilities, each terminated with
the ``:'' character.
Each capability has a unique name.
Numeric capabilities have the format:
where num is a decimal or (0 preceded) octal number.
Boolean capabilities have the format:
id or id@
where the first form signals the presence of the capability and the
second form signals the absence of the capability.
String capabilities have the format:
where string is 0 or more characters.
The ``\'' and ``:'' characters are
escaped as ``\\'' and ``\:'' respectively.
Although it is not recommended, the same id may be used for
different numeric, boolean, and string capabilities.