diff options
author | davidn <davidn@FreeBSD.org> | 1997-01-04 16:50:08 +0000 |
---|---|---|
committer | davidn <davidn@FreeBSD.org> | 1997-01-04 16:50:08 +0000 |
commit | 592532aadcdb13b887c05694955f650b9bd949ec (patch) | |
tree | aa04c54fb028c62bb1d96580ed4783ff2af6df69 /lib/libutil/login_cap.3 | |
parent | 4caa8a8a8d6d5751162281575440b4564e1831c5 (diff) | |
download | FreeBSD-src-592532aadcdb13b887c05694955f650b9bd949ec.zip FreeBSD-src-592532aadcdb13b887c05694955f650b9bd949ec.tar.gz |
Library functions relating to the login class capabilities database,
including manpages.
See also login_cap.h.
Diffstat (limited to 'lib/libutil/login_cap.3')
-rw-r--r-- | lib/libutil/login_cap.3 | 378 |
1 files changed, 378 insertions, 0 deletions
diff --git a/lib/libutil/login_cap.3 b/lib/libutil/login_cap.3 new file mode 100644 index 0000000..3fbf3a6 --- /dev/null +++ b/lib/libutil/login_cap.3 @@ -0,0 +1,378 @@ +.\" Copyright (c) 1995 David Nugent <davidn@blaze.net.au> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, is permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice immediately at the beginning of the file, without modification, +.\" this list of conditions, and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. This work was done expressly for inclusion into FreeBSD. Other use +.\" is permitted provided this notation is included. +.\" 4. Absolutely no warranty of function or purpose is made by the author +.\" David Nugent. +.\" 5. Modifications may be freely made to this file providing the above +.\" conditions are met. +.\" +.\" $Id$ +.\" +.Dd December 27, 1996 +.Os FreeBSD +.Dt LOGIN_CAP 3 +.Sh NAME +.Nm login_getclassbyname , +.Nm login_close , +.Nm login_getclass , +.Nm login_getuserclass , +.Nm login_getcapstr , +.Nm login_getcaplist , +.Nm login_getcaptime , +.Nm login_getcapnum , +.Nm login_getcapsize , +.Nm login_getcapbool , +.Nm login_getstyle +.Nd functions for accessing the login class capabilities database. +.Sh SYNOPSIS +.Fd #include <sys/types.h> +.Fd #include <login_cap.h> +.Ft void +.Fn login_close "login_cap_t * lc" +.Ft login_cap_t * +.Fn login_getclassbyname "const char *nam" "const char *dir" +.Ft login_cap_t * +.Fn login_getclass "const struct passwd *pwd" +.Ft login_cap_t * +.Fn login_getuserclass "const struct passwd *pwd" +.Ft char * +.Fn login_getcapstr "login_cap_t *lc" "const char *cap" "char *def" "char *error" +.Ft char ** +.Fn login_getcaplist "login_cap_t *lc" "const char *cap" "const char *chars" +.Ft char * +.Fn login_getpath "login_cap_t *lc" "const char *cap" "char *error" +.Ft rlim_t +.Fn login_getcaptime "login_cap_t *lc" "const char *cap" "rlim_t def" "rlim_t error" +.Ft rlim_t +.Fn login_getcapnum "login_cap_t *lc" "const char *cap" "rlim_t def" "rlim_t error" +.Ft rlim_t +.Fn login_getcapsize "login_cap_t *lc" const "char *cap" "rlim_t def" "rlim_t error" +.Ft int +.Fn login_getcapbool "login_cap_t *lc" "const char *cap" "int def" +.Ft char * +.Fn login_getstyle "login_cap_t *lc" "char *style" "const char *auth" +.Pp +.Sh DESCRIPTION +These functions represent a programming interface to the login +classes database provided in +.Xr login.conf 5 . +This database contains capabilities, attributes and default environment +and accounting settings for users and programs running as specific users, +as determined by the login class field within entries in +.Pa /etc/master.passwd . +.Pp +Entries in +.Xr login.conf 5 +consist of colon +.Ql \&: +separated fields, the first field in each record being one or more +identifiers for the record which must be unique for the entire database +each separated by a '|' and may optionally include a description as +the last 'name'. +Remaining fields in the record consist of keyword/data pairs. +Long lines may be continued with a backslash within empty entries +with the second and subsequent lines optionally indented for readability. +This is similar to the format used in +.Xr termcap 5 +except that keywords are not limited to two significant characters, +and are usually longer for improved readability. +As with termcap entries, multiple records can be linked together +(one record including another) using a field containing tc=<recordid>, +the result is that the entire record referenced by <recordid> replaces +the tc= field at the point at which it occurs. +See +.Xr getcap 3 +for further details on the format and use of a capabilities database. +.Pp +The +.Nm login_cap +interface provides a convenient means of retrieving login class +records with all tc= references expanded. +A program will typically call one of +.Fn login_getclass , +.Fn login_getuserclass +or +.Fn login_getclassbyname +according to its requirements. +Each of these functions returns a login capabilities structure, +.Ft login_cap_t +which may subsequently be used to interrogate the database for +specific values using the rest of the API. +Once the login_cap_t is of no further use, the +.Fn login_close +function should be called to free all resources used. +.Pp +The structure of login_cap_t is defined in login_cap.h, as: +.Bd -literal -offset indent +typedef struct { + char *lc_class; + char *lc_cap; + char *lc_style; +} login_cap_t; +.Ed +.Pp +The +.Ar lc_class +member contains a pointer to the name of the login class +retrieved. +This may not necessarily be the same as the one requested, +either directly via +.Fn login_getclassbyname , +or indirectly via a user's login record using +.Fn login_getclass +or +.Fn login_getuserclass . +If the referenced user has no login class specified in +.Pa /etc/master.passwd , +the class name is NULL or an empty string, or if the class +specified does not exist in the database, each of these +functions will search for a record with an id of "default", +with that name returned in the +.Ar lc_class +field. +.Pp +The +.Ar lc_cap +field is used internally by the library to contain the +expanded login capabilities record. +Programs with unusual requirements may wish to use this +with the lower-level +.Fn getcap +style functions to access the record directly. +.Pp +The +.Ar lc_style +field is set by the +.Fn login_getstyle +function to the authorisation style according to the requirements +of the program handling a login itself. +.Pp +As noted above, the +.Fn get*class +functions return a login_cap_t object which is used to access +the matching or default record in the capabilities database. +.Fn getclassbyname +accepts two arguments: the first one is the record identifier of the +record to be retrieved, the second being an optional directory name. +If the first +.Ar name +argument is NULL, an empty string, or a class that does not exist +in the supplimental or system login class database, then the system +.Em default +record is returned instead. +If the second +.Ar dir +parameter is NULL, then only the system login class database is +used, but when not NULL, the named directory is searched for +a login database file called ".login.conf", and capability records +contained within it may override the system defaults. +This scheme allows users to override some login settings from +those in the system login class database by creating class records +for their own private class with a record id of `me'. +In the context of a +.Em login , +it should be noted that some options cannot by overridden by +users for two reasons; many options, such as resource settings +and deafult process priorities, require root privileges +in order to take effect, and other fields in the user's file are +not be consulted at all during the early phases of login for +security or administrative reasons. +See +.Xr login.conf 5 +for more information on which settings a user is able to override. +Typically, these are limited purely to the user's default login +environment which might otherwise have been overridden in shell +startup scripts in any case. +The user's +.Pa .login.conf +merely provides a convenient way for a user to set up their preferred +login environment before the shell is invoked on login. +.Pp +If the specified record is NULL, empty or does not exist, and the +system has no "default" record available to fallback, there is a +memory allocation error or for some reason +.Xr cgetent 3 +is unable to access the login capabilities database, this function +returns NULL. +.Pp +The functions +.Fn login_getclass +and +.Fn login_getuserclass +retrieve the applicable login class record for the user's passwd +entry by calling +.Fn login_getclassbyname . +On failure, NULL is returned. +The difference between the two functions is that +.Fn login_getuserclass +includes the user's overriding +.Pa .login.conf +that exists in the user's home directory, while +.Fn login_getclass +restricts itself only to the system login class database in +.Pa /etc/login.conf . +In either case, if the passwd pointer is NULL, or the user has +no class, then the system "default" entry is retrieved. +.Pp +Once a program no longer wishes to use a login_cap_t object, +.Fn login_close +may be called to free all resources used by the login class. +.Fn login_close +may be passed a NULL pointer with no harmful side-effects. +.Pp +The remaining functions may be used to retrieve individual +capability records. +Each function takes a login_cap_t object as its first parameter, +a capability tag as the second, and remaining parameters being +default and error values that are returned if the capability is +not found. +The type of the additional parameters passed and returned depend +on the +.Em type +of capability each deals with, be it a simple string, a list, +a time value, a file or memory size value, a path (consisting of +a colon-separated list of directories) or a boolean flag. +The manpage for +.Xr login.conf 5 +deals in specific tags and their type. +.Pp +Note that with all functions in this group, you should not call +.Xr free 3 +on any pointers returned. +Memory allocated during retrieval or processing of capability +tags is automatically reused by subsequent calls to functions +in this group, or deallocated on calling +.Fn login_close . +.Bl -tag -width "login_getcaplist()" +.It Fn login_getcapstr +This function returns a simple string capability. +If the string is not found, then the value in +.Ar def +is returned as the default value, or if an error +occurs, the value in the +.Ar error +parameter is returned. +.It Fn login_getcaplist +This function returns the value corresponding to the named +capability tag as a list of values in a NULL terminated +array. +Within the login class database, some tags are of type +.Em list , +which consist of one or more comma- or space separated +values. +Usually, this function is not called directly from an +application, but is used indirectly via +.Fn login_getstyle . +.It Fn login_getpath +This function returns a list of directories separated by colons +.Ql &: . +Capability tags for which this function is called consist of a list of +directories separated by spaces. +.It Fn login_getcaptime +This function returns a +.Em time value +associated with a particular capability tag with the value expressed +in seconds (the default), minutes, hours, days, weeks or (365 day) +years or any combination of these. +A suffix determines the units used: S for seconds, M for minutes, +H for hours, D for days, W for weeks and Y for 365 day years. +Case of the units suffix is ignored. +.Pp +Time values are normally used for setting resource, accounting and +session limits. +If supported by the operating system and compiler (which is true of +FreeBSD), the value returned is a quad (long long), of type +.Em rlim_t . +A value "inf" or "infinity" may be used to express an infinite +value, in which case RLIM_INFINITY is returned. +.It Fn login_getcapnum +This function returns a numeric value for a tag, expressed either as +tag=<value> or the standard +.Fn cgetnum +format tag#<value>. +The first format should be used in preference to the second, the +second format is provided for compatibility and consistency with the +.Xr getcap 3 +database format where numeric types use the +.Ql \&# +as the delimiter for numeric values. +If in the first format, then the value given may be "inf" or +"infinity" which results in a return value of RLIM_INFINITY. +If the given capability tag cannot be found, the +.Ar def +parameter is returned, and if an error occurs, the +.Ar error +parameter is returned. +.It Fn login_getcapsize +.Fn login_getcapsize +returns a value representing a size (typicially, file or memory) +which may be expressed as bytes (the default), 512 byte blocks, +kilobytes, megabytes, gigabytes, and on systems that support the +.Ar long long +type, terrabytes. +The suffix used determines the units, and multiple values and +units may be used in combination (e.g. 1m500k = 1.5 megabytes). +A value with no suffix is interpreted as bytes, B as 512-byte +blocks, K as kilobytes, M as megabytes, G as gigabytes and T as +terrabytes. +Case is ignored. +The error value is returned if there is a login capabilities database +error, if an invalid suffix is used, or if a numeric value cannot be +interpreted. +.It Fn login_getcapbool +This function returns a boolean value tied to a particular flag. +It returns 0 if the given capability tag is not present or is +negated by the presence of a "tag@" (See +.Xr getcap 3 +for more information on boolean flags), and returns 1 if the tag +is found. +.It Fn login_getstyle +This function is used by the login authorisation system to determine +the style of login available in a particular case. +The function accepts three parameters, the login_cap entry itself and +two optional parameters, and authorisation type 'auth' and 'style', and +applies these to determine the authorisation style that best suites +these rules. +.Bl -bullet -indent offset +.It +If 'auth' is neither NULL nor an empty string, look for a tag of type +"auth-<auth>" in the capability record. +If not present, then look for the default default tag "auth=". +.It +If no valid authorisation list was found from the previous step, then +default to "passwd" as the authorisation list. +.It +If 'style' is not NULL or empty, look for it in the list of authorisation +methods found from the pprevious step. +If 'style' is NULL or an empty string, then default to "passwd" +authorisation. +.It +If 'style' is found in the chosen list of authorisation methods, then +return that, otherwise return NULL. +.El +.Pp +This scheme allows the administrator to determine the types of +authorisation methods accepted by the system, depending on the +means by which the access occurs. +For example, the administrator may require skey or kerberos as +the authentication method used for access to the system via the +network, and standard methods via direct dialup or console +logins, significantly reducing the risk of password discovery +by "snooping" network packets. +.El +.Sh SEE ALSO +.Xr login_class 3 , +.Xr login.conf 5 , +.Xr termcap 5 , +.Xr getcap 3 |