subsystems -- manipulation routines for Subsystems database


cc . . . -lprot -lx

int authorized_user (auth)
char *auth;

int primary_auth (name) char *name;

char *primary_of_secondary_auth (name) char *name;

int secondary_auth (name) char *name;

int total_auths()

int widest_auth()

int write_authorizations (user, auth_list, list_len) char *user; char **auth_list; int list_len;


These routines manipulate and refer to the Subsystems database, which is extracted from the Protected Password entries for all users. The Subsystems database stores primary and secondary authorizations for users with respect to protected subsystems on the Security Module Package. A protected subsystem is associated with a special group, and provides some service to users. It is called protected because all its programs run SGID to that group, and the files and devices that the subsystem references are only accessible to that group, and therefore through the protected subsystem's programs.

A primary authorization for a protected subsystem allows a user to assume the administrator role for that subsystem. The primary authorization name is the group name whose effective identity is used by the subsystem programs to protect subsystem files. If a user possesses a primary authorization for a subsystem, he/she can do all actions within that subsystem. The list of primary authorizations is as follows:

Audit administrator.

Authentication database administrator.

Backup and file system maintenance administrator.

Cron subsystem administrator (at, batch, crontab).

Line printer spooling subsystem administrator.

Authorization to view information about other users (memory devices).

System administrator functions that require root privilege.

The authorization to send unfiltered information between user terminals.

The ability to run uucp (not currently supported).

A secondary authorization allows finer grain operations within protected subsystems. These authorizations are often granted either to specific users or to the entire user community by appropriate setup of user Protected Password entries and the Defaults database. Each secondary authorization is associated with exactly one protected subsystem, and only allows operations with respect to that subsystem. The secondary authorizations are as follows:

Authorization to see other user's jobs in the print queues (lp).

Authorization to change printer status with enable(C) and disable(C) commands (lp).

Authorization to use df(C) to query file system space (backup).

The authorized_user routine returns non-zero if the login user ID associated with the current process has the specified authorization in the subsystem that is currently running. This subsystem is identified by the effective group under which the program began execution. The primary authorization for any subsystem grants all secondary authorizations for that subsystem.

The rest of the routines are for programs that manipulate user entries directly, or that have to validate authorizations input by users. They may not be supported in future releases of the SMP. The primary_auth routine maps a primary authorization name to a bit offset in a mask. This is used for checking a user's authorizations against the Protected Password entry. The primary_of_secondary_auth routine returns the primary authorization name associated with the secondary authorization. The primary authorization name is also the subsystem name in which the secondary authorization is recognized. The secondary_auth routine maps a secondary authorization to a bit offset. The total_auths routine returns the number of primary and secondary authorizations recognized by the system. The widest_auth routine returns the longest string name of any authorization.

The write_authorizations routine updates the Subsystems database for a given user. It takes list_len authorizations from the auth_list array of string pointers and associates those authorizations with the given user. If the first character string pointer references the string ``default,'' the user is given default authorizations. This routine is used by the screen-oriented routine which updates the user's Protected Password entry, and then must propagate the user's authorizations to the Subsystems database.

NOTE: These routines are also included in libsocket. The libsocket version provides the same functionality described here, in addition to providing the NIS support. Link with libsocket using cc ... -lsocket to get the additional NIS (Network Information Service) functionality.


The authorized_user routine returns non-zero if the user possesses the specified authorization, otherwise zero. The total_auths routine returns the sum of the number of primary authorizations and the number of secondary authorizations recognized by the system. The widest_auth routine returns the length of the longest string name of an authorization. This length does not include the trailing null character. Both primary_auth and secondary_auth return a negative value if the authorization name is not supported; otherwise, they return the bit offset of the authorization. The Protected Password database stores both types of authorizations in the same mask. The primary_of_secondary_auth routine returns a pointer to a static area containing the primary authorization name associated with the secondary authorization. The string must be copied if it is to be modified. The write_authorizations routine returns 0 on success, non-zero on permission failures, I/O errors, etc.

See also


Standards conformance

subsystems is not part of any currently supported standard; it is an extension of AT&T System V provided by the Santa Cruz Operation.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003