getuserattrs Subroutine

Purpose

Retrieves multiple user attributes in the user database.

Library

Security Library (libc.a)

Syntax

#include <usersec.h>

int getuserattrs (UserAttributesCount)
char * User;
dbattr_t * Attributes;
int Count

Description

Attention: Do not use this subroutine and the setpwent and setgrent subroutines simultaneously. The results can be unpredictable.

The getuserattrs subroutine accesses user information. Because of its greater granularity and extensibility, use it instead of the getpwent routines.

The getuserattrs subroutine reads one or more attributes from the user database. If the database is not already open, this subroutine does an implicit open for reading. A call to the getuserattrs subroutine with an Attributes parameter of null and the Count parameter of zero for every new user verifies that the user exists.

The Attributes array contains information about each attribute that is to be read. The dbattr_t data structure contains the following fields:
attr_name
The name of the desired attribute.
attr_idx
Used internally by the getuserattrs subroutine.
attr_type
The type of the desired attribute. The following possible attributes are defined in the usersec.h file:
S_CORECOMP
Core compression status. The attribute type is SEC_CHAR.
S_COREPATH
Core path specification status. The attribute type is SEC_CHAR.
S_COREPNAME
Core path specification location. The attribute type is SEC_CHAR.
S_CORENAMING
Core naming status. The attribute type is SEC_CHAR.
S_ID
User ID. The attribute type is SEC_INT.
S_PGID
Principle group ID. The attribute type is SEC_INT.
S_PGRP
Principle group name. The attribute type is SEC_CHAR.
S_GROUPS
Groups to which the user belongs. The attribute type is SEC_LIST.
S_ADMGROUPS
Groups for which the user is an administrator. The attribute type is SEC_LIST.
S_ADMIN
Administrative status of a user. The attribute type is SEC_BOOL.
S_AUDITCLASSES
Audit classes to which the user belongs. The attribute type is SEC_LIST.
S_AUTHSYSTEM
Defines the user's authentication method. The attribute type is SEC_CHAR.
S_HOME
Home directory. The attribute type is SEC_CHAR.
S_SHELL
Initial program run by a user. The attribute type is SEC_CHAR.
S_GECOS
Personal information for a user. The attribute type is SEC_CHAR.
S_USRENV
User-state environment variables. The attribute type is SEC_LIST.
S_SYSENV
Protected-state environment variables. The attribute type is SEC_LIST.
S_LOGINCHK
Specifies whether the user account can be used for local logins. The attribute type is SEC_BOOL.
S_HISTEXPIRE
Defines the period of time (in weeks) that a user cannot reuse a password. The attribute type is SEC_INT.
S_HISTSIZE
Specifies the number of previous passwords that the user cannot reuse. The attribute type is SEC_INT.
S_MAXREPEAT
Defines the maximum number of times a user can repeat a character in a new password. The attribute type is SEC_INT.
S_MINAGE
Defines the minimum age in weeks that the user's password must exist before the user can change it. The attribute type is SEC_INT.
S_PWDCHECKS
Defines the password restriction methods for this account. The attribute type is SEC_LIST.
S_MINALPHA
Defines the minimum number of alphabetic characters required in a new user's password. The attribute type is SEC_INT.
S_MINDIFF
Defines the minimum number of characters required in a new password that were not in the old password. The attribute type is SEC_INT.
S_MINLEN
Defines the minimum length of a user's password. The attribute type is SEC_INT.
S_MINOTHER
Defines the minimum number of non-alphabetic characters required in a new user's password. The attribute type is SEC_INT.
S_DICTIONLIST
Defines the password dictionaries for this account. The attribute type is SEC_LIST.
S_SUCHK
Specifies whether the user account can be accessed with the su command. Type SEC_BOOL.
S_REGISTRY
Defines the user's authentication registry. The attribute type is SEC_CHAR.
S_RLOGINCHK
Specifies whether the user account can be used for remote logins using the telnet or rlogin commands. The attribute type is SEC_BOOL.
S_DAEMONCHK
Specifies whether the user account can be used for daemon execution of programs and subsystems using the cron daemon or src. The attribute type is SEC_BOOL.
S_TPATH
Defines how the account might be used on the trusted path. The attribute type is SEC_CHAR. This attribute must be one of the following values:
nosak
The secure attention key is not enabled for this account.
notsh
The trusted shell cannot be accessed from this account.
always
This account may only run trusted programs.
on
Normal trusted-path processing applies.
S_TTYS
List of ttys that can or cannot be used to access this account. The attribute type is SEC_LIST.
S_SUGROUPS
Groups that can or cannot access this account. The attribute type is SEC_LIST.
S_EXPIRATION
Expiration date for this account is a string in the form MMDDhhmmyy, where MM is the month, DD is the day, hh is the hour in 0 to 24 hour notation, mm is the minutes past the hour, and yy is the last two digits of the year. The attribute type is SEC_CHAR.
S_AUTH1
Primary authentication methods for this account. The attribute type is SEC_LIST.
S_AUTH2
Secondary authentication methods for this account. The attribute type is SEC_LIST.
S_UFSIZE
Process file size soft limit. The attribute type is SEC_INT.
S_UCPU
Process processor time soft limit. The attribute type is SEC_INT.
S_UDATA
Process data segment size soft limit. The attribute type is SEC_INT.
S_USTACK
Process stack segment size soft limit. Type: SEC_INT.
S_URSS
Process real memory size soft limit. Type: SEC_INT.
S_UCORE
Process core file size soft limit. The attribute type is SEC_INT.
S_UNOFILE
Process file descriptor table size soft limit. The attribute type is SEC_INT.
S_PWD
Specifies the value of the passwd field in the /etc/passwd file. The attribute type is SEC_CHAR.
S_UMASK
File creation mask for a user. The attribute type is SEC_INT.
S_LOCKED
Specifies whether the user's account can be logged into. The attribute type is SEC_BOOL.
S_ROLES
Defines the administrative roles for this account. The attribute type is SEC_LIST.
S_UFSIZE_HARD
Process file size hard limit. The attribute type is SEC_INT.
S_UCPU_HARD
Process processor time hard limit. The attribute type is SEC_INT.
S_UDATA_HARD
Process data segment size hard limit. The attribute type is SEC_INT.
S_USREXPORT
Specifies if the DCE registry can overwrite the local user information with the DCE user information during a DCE export operation. The attribute type is SEC_BOOL.
S_USTACK_HARD
Process stack segment size hard limit. Type: SEC_INT.
S_URSS_HARD
Process real memory size hard limit. Type: SEC_INT.
S_UCORE_HARD
Process core file size hard limit. The attribute type is SEC_INT.
S_UNOFILE_HARD
Process file descriptor table size hard limit. The attribute type is SEC_INT.
S_DFLT_ROLES
The default roles for the user. It can be one or more. The attribute type is SEC_LIST.
S_DOMAINS
The domains for the user. It can be one or more. The attribute type is SEC_LIST.
S_MINLOWERALPHA
Defines the minimum number of lowercase alphabetic characters required in a new user password. The attribute type is SEC_INT.
S_MINUPPERALPHA
Defines the minimum number of uppercase alphabetic characters required in a new user password. The attribute type is SEC_INT.
S_MINDIGIT
Defines the minimum number of digits required in a new user password. The attribute type is SEC_INT.
S_MINSPECIALCHAR
Defines the minimum number of special characters required in a new user password. The attribute type is SEC_INT.
attr_flag
The results of the request to read the desired attribute.
attr_un
A union containing the returned values. Its union members, which follows, correspond to the definitions of the attr_char, attr_int, attr_long, and attr_llong macros, respectively:
au_char
Attributes of type SEC_CHAR and SEC_LIST store a pointer to the returned attribute in this member when the requested attribute is successfully read. The caller is responsible for freeing this memory.
au_int
Attributes of type SEC_INT and SEC_BOOL store the value of the attribute in this member when the requested attribute is successfully read.
au_long
Attributes of type SEC_LONG store the value of the attribute in this member when the requested attribute is successfully read.
au_llong
Attributes of type SEC_LLONG store the value of the attribute in this member when the requested attribute is successfully read.
attr_domain
The authentication domain containing the attribute. The getuserattrs subroutine is responsible for managing the memory referenced by this pointer. If attr_domain is specified for an attribute, the get request is sent only to that domain. If attr_domain is not specified (that is, set to NULL), getuserattrs searches the domains known to the system and sets this field to the name of the domain from which the value is retrieved. This search space can be restricted with the setauthdb subroutine so that only the domain specified in the setauthdb call is searched. If the request for a NULL domain was not satisfied, the request is tried from the local files using the default stanza.

Use the setuserdb and enduserdb subroutines to open and close the user database. Failure to explicitly open and close the user database can result in loss of memory and performance.

Parameters

Item Description
User Specifies the name of the user for which the attributes are to be read.
Attributes A pointer to an array of zero or more elements of type dbattr_t. The list of user attributes is defined in the usersec.h header file.
Count The number of array elements in Attributes.

Security

Files accessed:

Item Description
Mode File
rw /etc/passwd
rw /etc/group
rw /etc/security/user
rw /etc/security/limits
rw /etc/security/group
rw /etc/security/environ

Return Values

If User exists, the getuserattrs subroutine returns zero. Otherwise, a value of -1 is returned and the errno global variable is set to indicate the error. Each element in the Attributes array must be examined on a successful call to getuserattrs to determine if the Attributes array entry was successfully retrieved.

Error Codes

The getuserattrs subroutine returns an error that indicates that the user does or does not exist. Additional errors can indicate an error querying the information databases for the requested attributes.

Item Description
EINVAL The Count parameter is less than zero.
EINVAL The Attributes parameter is null and the Count parameter is greater than zero.
ENOENT The specified User parameter does not exist.
EIO Failed to access remote user database.

If the getuserattrs subroutine fails to query an attribute, one or more of the following errors is returned in the attr_flag field of the corresponding Attributes element:

Item Description
EACCES The user does not have access to the attribute specified in the attr_name field.
EINVAL The attr_type field in the Attributes entry contains a type that is not valid.
EINVAL The attr_un field in the Attributes entry does not point to a valid buffer or to valid data for this type of attribute. Limited testing is possible and all errors might not be detected.
ENOATTR The attr_name field in the Attributes entry specifies an attribute that is not defined for this user or group.
   

Examples

The following sample test program displays the output to a call to getuserattrs. In this example, the system has a user named foo.

#include <stdio.h> 
#include <usersec.h>

#define NATTR 3
#define USERNAME "foo"

main() {

	dbattr_t attributes[NATTR]; 
	int 	i;
	int 	rc;


	memset (&attributes, 0, sizeof(attributes));

	/*
	 * Fill in the attributes array with "id", "expires" and
	 * "SYSTEM" attributes.
	 */

	attributes[0].attr_name = S_ID;
	attributes[0].attr_type = SEC_INT;;

	attributes[1].attr_name = S_ADMIN;
	attributes[1].attr_type = SEC_BOOL;

	attributes[2].attr_name = S_AUTHSYSTEM;
	attributes[2].attr_type = SEC_CHAR;

	/* 
	 * Make a call to getuserattrs.
	 */

        setuserdb(S_READ);

	rc = getuserattrs(USERNAME, attributes, NATTR);

        enduserdb();

	if (rc) {
		printf("getuserattrs failed ....\n");
		exit(-1);
	}

	for (i = 0; i < NATTR; i++) {
		printf("attribute name   : %s \n", attributes[i].attr_name);
		printf("attribute flag   : %d \n", attributes[i].attr_flag);

		if (attributes[i].attr_flag) {

			/*
			 * No attribute value. Continue.
			 */
			printf("\n");
			continue;
		}
		/*
		 * We have a value.
		 */
		printf("attribute domain : %s \n", attributes[i].attr_domain);
		printf("attribute value  : ");

		switch (attributes[i].attr_type)
		{
			case SEC_CHAR:
				if (attributes[i].attr_char) {
                               		printf("%s\n", attributes[i].attr_char);
					free(attributes[i].attr_char);
				}
                               	break;
			case SEC_INT:
			case SEC_BOOL:
                       		printf("%d\n", attributes[i].attr_int);
                               	break;
			default:
				break;
                }
		printf("\n");
	}
	exit(0);
}
The following output for the call is expected:
	attribute name   : id 
	attribute flag   : 0 
	attribute domain : files 
	attribute value  : 206
	
	attribute name   : admin 
	attribute flag   : 0 
	attribute domain : files 
	attribute value  : 0
	
	attribute name   : SYSTEM 
	attribute flag   : 0 
	attribute domain : files 
	attribute value  : compat

Files

Item Description
/etc/passwd Contains user IDs.