The /tcb/files/auth hierarchy holds user-specific files. This directory contains 26 subdirectories, one for each letter of the alphabet; a user's authentication profile is stored in the subdirectory matching the first letter of the account name (see prpw(F) for more details).
The directories below /etc/auth contain system-wide information. The file /etc/auth/subsystems/dflt_users lists the users granted default subsystem authorizations. The other files in /etc/auth/subsystems are named for the group associated with a protected subsystem. Each subsystem file is owned by auth with its group set to the same name as the file, and only the owner and that group may view its contents, so an account that is not a member of a subsystem's group cannot read which users hold authorizations in it.
An entry such as

    blf:u_name=blf:u_id#16:u_encrypt=a78/a1.eitfn6:u_type=sso:chkent:

may be split into:

    blf:u_name=blf:u_id#16:\
    :u_encrypt=a78/a1.eitfn6:\
    :u_type=sso:chkent:

Note that every capability must be immediately preceded and followed by the ``:'' separator; an entry continued over several lines therefore needs one additional ``:'' per line, at the start of each continuation line. Multiple entries are separated by a newline:

    drb:u_name=drb:u_id#75:u_maxtries#9:u_type=general:chkent:
    blf:u_name=blf:u_id#76:u_maxtries#5:u_type=general:chkent:

A subsystem file is a set of lines, each containing a user name terminated by a colon, followed by a comma-separated list of the primary and secondary authorizations defined for that subsystem.
An entry can be referenced by its name or by any of its alternate names (alt_name). A description may be included to document the entry. The alt_name and description fields are optional; if included, the name, alt_names, and description fields must be separated using the ``|'' character. The name/description part of the entry is terminated by the ``:'' character.
At the end of each entry is the ``chkent'' field, which serves as an integrity check on the entry. The authcap(S) routines reject any entry that does not have ``chkent'' at the very end, so a truncated or partially written entry is discarded rather than accepted with missing capabilities.
Each entry has 0 or more capabilities, each terminated with the ``:'' character. Each capability has a unique name.

Numeric capabilities have the format:

    id#num

where num is a decimal number, or an octal number when preceded by 0.

Boolean capabilities have the format:

    id        or        id@

where the first form signals the presence of the capability and the second form signals the absence of the capability.

String capabilities have the format:

    id=string

where string is 0 or more characters. Within string, the ``\'' and ``:'' characters are escaped as ``\\'' and ``\:'' respectively.

Although it is not recommended, the same id may be used for different numeric, boolean, and string capabilities.
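The following parser is an added example, not code from the authcap(F) manual page or from the SCO authcap(S) routines. It implements the entry rules described above and in the split-entry example earlier: lines continued with a trailing ``\'' whose continuation starts with an extra ``:'', the name|alt_names|description header, the three capability forms (with 0-prefixed numbers read as octal and the ``\\'' and ``\:'' escapes unescaped), rejection of any entry that does not end in ``:chkent:'', and the user:auth,auth layout of the /etc/auth/subsystems files. The sample database and subsystem file are constructed for the example; the authorization names in the subsystem sample are placeholders, and treating the last of two or more ``|''-separated header fields as the description (with the fields between it and the name as alt_names) is an assumption the page does not spell out.

```python
# authcap(F)-style entry parser. Added example; not the manual page's or SCO's
# own code. Header-field interpretation (last '|' field = description) is an
# assumption; all sample data below is constructed for this example.
import re

# Constructed sample database: an entry split over three lines, an entry with an
# alternate name and a description, and an entry that lacks the chkent terminator.
SAMPLE_DB = r"""blf:u_name=blf:u_id#16:\
:u_encrypt=a78/a1.eitfn6:\
:u_type=sso:chkent:
drb|drbadmin|Example account:u_name=drb:u_id#75:u_maxtries#011:u_lock@:u_type=general:chkent:
bad:u_name=bad:u_id#77:
"""
# Constructed sample subsystem file; the authorization names are placeholders.
SAMPLE_SUBSYS = "drb:mem,terminal\nblf:\n"

CAP_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)(=.*|#[0-9]+|@)?")


def join_continuations(text):
    """Glue '\\'-continued lines; each continuation must start with the extra ':'."""
    entries, current, continuing = [], "", False
    for line in text.splitlines():
        if continuing:
            if not line.startswith(":"):
                raise ValueError("continuation line must start with ':'")
            line = line[1:]  # drop the repeated separator
        continuing = line.endswith("\\")
        current += line[:-1] if continuing else line
        if not continuing and current:
            entries.append(current)
            current = ""
    if continuing:
        raise ValueError("entry ends with a dangling '\\'")
    return entries


def split_fields(entry):
    """Split on unescaped ':' and unescape '\\\\' / '\\:'; return (fields, trailing)."""
    fields, buf, i = [], [], 0
    while i < len(entry):
        c = entry[i]
        if c == "\\" and i + 1 < len(entry) and entry[i + 1] in "\\:":
            i += 1
            c = entry[i]  # an escaped '\' or ':' is taken literally
        elif c == ":":
            fields.append("".join(buf))
            buf, c = [], ""
        buf.append(c)
        i += 1
    return fields, "".join(buf)  # trailing must be "" for a well-formed entry


def parse_capability(token):
    """Return (id, kind, value): id#num numeric, id / id@ boolean, id=string string."""
    m = CAP_RE.fullmatch(token)
    if not m:
        raise ValueError(f"malformed capability {token!r}")
    cid, rest = m.group(1), m.group(2) or ""
    if rest.startswith("="):
        return cid, "string", rest[1:]
    if rest.startswith("#"):
        num = rest[1:]
        base = 8 if len(num) > 1 and num[0] == "0" else 10  # leading 0 means octal
        return cid, "numeric", int(num, base)
    return cid, "boolean", rest != "@"  # 'id' = present, 'id@' = absent


def parse_entry(entry):
    """Parse one joined entry; raise ValueError if it does not end in ':chkent:'."""
    fields, trailing = split_fields(entry)
    if trailing or len(fields) < 2 or fields[-1] != "chkent":
        raise ValueError("rejected: entry must end with ':chkent:'")
    names = fields[0].split("|")  # assumption: name|alt_names...|description
    caps = {}
    for tok in fields[1:-1]:
        cid, kind, value = parse_capability(tok)
        caps.setdefault(cid, {})[kind] = value  # one id may carry several kinds
    return {"name": names[0], "alt_names": names[1:-1],
            "description": names[-1] if len(names) > 1 else "", "caps": caps}


def parse_authcap(text):
    """Return ({name_or_alt_name: entry}, [(raw_entry, reason), ...])."""
    entries, rejected = {}, []
    for raw in join_continuations(text):
        try:
            e = parse_entry(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        for n in [e["name"], *e["alt_names"]]:
            entries[n] = e
    return entries, rejected


def parse_subsystem_file(text):
    """user:auth,auth,... lines -> {user: [authorizations]}."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            user, _, auths = line.partition(":")
            result[user] = [a for a in auths.split(",") if a]
    return result
```

Calling parse_authcap(SAMPLE_DB) returns the blf and drb entries (drb also reachable as drbadmin), with u_maxtries#011 read as octal 9, and reports the bad entry as rejected because it has no chkent; parse_subsystem_file(SAMPLE_SUBSYS) maps each user to its authorization list. Rejected entries are collected rather than silently dropped so an administrator can see which profiles the integrity check failed.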