/etc/security/authorizations File

Purpose

Contains the list of valid, user-defined authorizations.

Description

The /etc/security/authorizations file stores the list of valid, user-defined authorizations available on a system. An authorization administrator can modify user-defined authorizations. System-defined authorizations do not appear in this file. You can add new authorizations to this file using the mkauth command and modify authorizations using the chauth command.

The /etc/security/authorizations file is an ASCII file that uses a stanza for each user-defined authorization. Each stanza is identified by the authorization name followed by a colon (:). You can list authorization attributes individually as Attribute=Value pairs on subsequent lines. Each attribute pair ends with a newline character, as does each stanza. For an example of a stanza, see Examples.

When the system is operating in Enhanced RBAC Mode, changes that you make to the authorizations file have no effect on security decisions until you load the entire authorization database into the Kernel Security Tables with the setkst command, or until the system is rebooted.

Modifying and listing entries in the authorizations file

Do not directly edit the /etc/security/authorizations file. Use the following commands and subroutines to manipulate the authorization database:
mkauth
    Adds new authorizations to the /etc/security/authorizations file.
chauth
    Changes user-defined authorization attributes.
lsauth
    Displays authorizations that are defined in this file and system-defined authorizations.
rmauth
    Removes entries from this file.
To write programs that affect entries in the /etc/security/authorizations file, use one or more of the following subroutines:
  • getauthattr
  • getauthattrs
  • putauthattr
  • putauthattrs

Attributes

A stanza in this file contains one or more of the following attributes:

Attribute   Description
id          Specifies the unique numeric ID of the authorization. This is a required attribute and is used internally for security decisions. Do not modify this ID after creating the authorization. The value is a unique decimal integer greater than 10000. Values below 10000 are reserved for system-defined authorizations.
dfltmsg     Specifies the default authorization-description text if message catalogs are not in use. The value is a character string.
msgcat      Specifies the file name of the message catalog that contains the one-line description of the authorization. The value is a character string.
msgset      Specifies the message set that contains the authorization description in the message catalog. The value is a decimal integer.
msgnum      Specifies the message ID that contains the authorization description in the message catalog. The value is a decimal integer.
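The stanza layout described under Description and the attribute rules in the table above, as an added example that is not part of this page and not IBM's code: a small Python parser and validator for text in the /etc/security/authorizations format. It checks that every stanza carries the required id, that id, msgset and msgnum are decimal integers, that the id is greater than 10000 (the range below that is reserved for system-defined authorizations) and that no two stanzas share an id. The sample stanzas are constructed for the example; treating lines that begin with an asterisk as comments is an assumption.

```python
"""Parse and validate stanzas in the /etc/security/authorizations layout.

Added example, not IBM's code. The rules applied here are the ones stated on
the reference page: one stanza per authorization, 'name:' on its own line,
indented Attribute = Value lines, id required and greater than 10000.
"""
import re
from typing import Dict, List, Optional

# Documented attributes for user-defined authorizations: name -> (type, required)
ATTRIBUTE_TYPES = {
    "id": ("int", True),
    "dfltmsg": ("str", False),
    "msgcat": ("str", False),
    "msgset": ("int", False),
    "msgnum": ("int", False),
}
SYSTEM_RESERVED_MAX = 10000  # a user-defined id must be greater than this

STANZA_RE = re.compile(r"^(\S+):\s*$")          # 'custom:' at column 0
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # indented 'key = value'

# Constructed sample text in the file's layout (not a real system file)
SAMPLE = """\
* constructed sample in the /etc/security/authorizations layout
custom:
        id = 11000
        dfltmsg = "Custom Authorization"
        msgcat = "custom_auths.cat"
        msgset = 1
        msgnum = 5

custom.backup:
        id = 11001
        dfltmsg = "Run the site backup"

broken:
        dfltmsg = "No id at all"

lowid:
        id = 9000
        dfltmsg = "Collides with the system range"
        msgset = one
"""


def parse_authorizations(text: str) -> Dict[str, Dict[str, str]]:
    """Return {auth_name: {attribute: raw_value}} for each stanza in text.

    Double quotes around a value are stripped. Lines starting with '*' are
    skipped as comments (assumption for this example).
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            if current in stanzas:
                raise ValueError(f"line {lineno}: duplicate stanza {current!r}")
            stanzas[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            stanzas[current][key] = value
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return stanzas


def validate(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems found against the documented attribute rules."""
    problems: List[str] = []
    seen_ids: Dict[int, str] = {}
    for name, attrs in stanzas.items():
        for key in attrs:
            if key not in ATTRIBUTE_TYPES:
                problems.append(f"{name}: unknown attribute {key!r}")
        for key, (kind, required) in ATTRIBUTE_TYPES.items():
            if key not in attrs:
                if required:
                    problems.append(f"{name}: missing required attribute {key!r}")
                continue
            if kind == "int" and not attrs[key].isdigit():
                problems.append(f"{name}: {key} must be a decimal integer, got {attrs[key]!r}")
        raw = attrs.get("id")
        if raw is not None and raw.isdigit():
            auth_id = int(raw)
            if auth_id <= SYSTEM_RESERVED_MAX:
                problems.append(f"{name}: id {auth_id} is in the range reserved for system-defined authorizations")
            if auth_id in seen_ids:
                problems.append(f"{name}: id {auth_id} already used by {seen_ids[auth_id]!r}")
            seen_ids.setdefault(auth_id, name)
    return problems


def format_stanza(name: str, attrs: Dict[str, str]) -> str:
    """Render one stanza in the file's layout: 'name:' then indented Attribute = Value lines."""
    lines = [f"{name}:"]
    for key, value in attrs.items():
        kind = ATTRIBUTE_TYPES.get(key, ("str", False))[0]
        rendered = f'"{value}"' if kind == "str" else value
        lines.append(f"        {key} = {rendered}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_authorizations(SAMPLE)
    for problem in validate(parsed):
        print(problem)
    print(format_stanza("custom", parsed["custom"]), end="")
```

The checker only reads text; it never writes the file, because the page's guidance is to change the database with mkauth, chauth and rmauth and then load it with setkst rather than editing /etc/security/authorizations by hand. Run against a copy of the file, it surfaces the kind of defect (missing id, id in the reserved range, non-numeric message attributes) that would otherwise only show up when the kernel tables are rebuilt.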

Security

The root user and the security group own this file. This file grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.

Examples

The following example shows a typical stanza in the file, for a user-defined authorization named custom:
custom:
        id = 11000
        dfltmsg = "Custom Authorization"
        msgcat = "custom_auths.cat"
        msgset = 1
        msgnum = 5