getcmdattr Subroutine

Purpose

Queries the command security information in the privileged command database.

Library

Security Library (libc.a)

Syntax

#include <usersec.h>

int getcmdattr (Command, Attribute, Value, Type)
    char *Command;
    char *Attribute;
    void *Value;
    int Type;

Description

The getcmdattr subroutine reads a specified attribute from the command database. If the database is not open, this subroutine does an implicit open for reading. For attributes of the SEC_CHAR and SEC_LIST types, the getcmdattr subroutine returns the value to the allocated memory. Caller needs to free this memory.

Parameters

Item	Description
Command	Specifies the command name. The value should be the full path to the command on the system.
Attribute	Specifies the attribute to read. The following possible attributes are defined in the usersec.h file: S_ACCESSAUTHS Access authorizations. The attribute type is SEC_LIST and is a null-separated list of authorization names. Sixteen authorizations can be specified. A user with one of the authorizations is allowed to run the command. In addition to the user-defined and system-defined authorizations available on the system, the following three special values are allowed: ALLOW_OWNER Allows the command owner to run the command without checking for access authorizations. ALLOW_GROUP Allows the command group to run the command without checking for access authorizations. ALLOW_ALL Allows every user to run the command without checking for access authorizations. S_AUTHPRIVS Authorized privileges. The attribute type is SEC_LIST. Privilege authorization and authorized privileges pairs indicate process privileges during the execution of the command corresponding to the authorization that the parent process possesses. The authorization and its corresponding privileges are separated by an equal sign (=); individual privileges are separated by a plus sign (+); the authorization and privileges pairs are separated by a comma (,) as shown in the following illustration: `auth=priv+priv+...,auth=priv+priv...,...` The number of authorization and privileges pairs is limited to sixteen. S_AUTHROLES The role or list of roles, users having these have to be authenticated to allow execution of the command. The attribute type is SEC_LIST. S_INNATEPRIVS Innate privileges. This is a null-separated list of privileges that are assigned to the process when running the command. The attribute type is SEC_LIST. S_INHERITPRIVS Inheritable privileges. This is a null-separated list of privileges that are passed to child process privileges. The attribute type is SEC_LIST. S_EUID The effective user ID to be assumed when running the command. The attribute type is SEC_INT. S_EGID The effective group ID to be assumed when running the command. The attribute type is SEC_INT. S_RUID The real user ID to be assumed when running the command. The attribute type is SEC_INT.
Value	Specifies a pointer, or a pointer to a pointer according to the value specified in the Attribute and Type parameters. See the Type parameter for more details.
Type	Specifies the type of attribute. The following valid types are defined in the usersec.h file: SEC_INT The format of the attribute is an integer. For the subroutine, the user should supply a pointer to a defined integer variable. SEC_CHAR The format of the attribute is a null-terminated character string. For the subroutine, the user should supply a pointer to a defined character pointer variable. Caller needs to free this memory. SEC_LIST The format of the attribute is a series of concatenated strings that each of which is null-terminated. The last string in the series is terminated by two successive null characters. For the subroutine, the user should supply a pointer to a defined character pointer variable. Caller needs to free this memory.

Security

Files Accessed:

File	Mode
/etc/security/privcmds	rw

Return Values

If successful, the getcmdattr subroutine returns zero. Otherwise, a value of -1 is returned and the errno global value is set to indicate the error.

Error Codes

If the getcmdattr subroutine fails, one of the following errno values is set:

Item	Description
EINVAL	The Command parameter is NULL or default.
EINVAL	The Attribute array or the Type parameter is NULL or does not contain one of the defined values.
ENOATTR	The Attribute array is S_PRIVCMDS, but the Command parameter is not ALL.
ENOENT	The command specified in the Command parameter does not exist.
ENOATTR	The attribute specified in the Attribute array is valid, but no value is defined for the command.
EPERM	The operation is not permitted.
EIO	Failed to access remote command database.