putauthattr Subroutine

Purpose

Modifies the authorizations that are defined in the authorization database.

Library

Security Library (libc.a)

Syntax

#include <usersec.h>

int putauthattr(Auth, Attribute, Value, Type)
    char *Auth;
    char *Attribute;
    void *Value;
    int Type;

Description

The putauthattr subroutine modifies the authorization database. The subroutine can be invoked only by new authorizations or authorizations that already exist in the user-defined authorization database. Calling the putauthattr subroutine with an authorization in the system-defined authorization table will fail.

New authorizations can be added to the authorization database by calling the putauthattr subroutine with the SEC_NEW type and specifying the new authorization name. Authorization names are of a hierarchical structure (that is, parent.subparent.subsubparent). Parent authorizations must exist before the child can be created. Deletion of an authorization or authorization attribute is done using the SEC_DELETE type for the putauthattr subroutine. Deleting an authorization requires that all child authorizations have already been deleted.

Data changed by the putauthattr subroutine must be explicitly committed by calling the putauthattr subroutine with a Type parameter specifying the SEC_COMMIT type. Until all the data is committed, only the getauthattr and getauthattrs subroutines within the process return the modified data. Changes that are made to the authorization database do not impact security considerations until the entire database is sent to the Kernel Security Tables using the setkst command or until the system is rebooted.

Parameters

Item	Description
Auth	The authorization name. This parameter must be specified unless the Type parameter is SEC_COMMIT.
Attribute	Specifies the attribute to be written. The following possible attributes are defined in the usersec.h file: S_DFLTMSG Specifies a default authorization description to use if message catalogs are not in use. The attribute type is SEC_CHAR. S_ID Specifies a unique integer that is used to identify the authorization. The attribute type is SEC_INT. Note: Do not modify this value after it is set initially when the authorization is created. Modifying the value might compromise the security of the system. S_MSGCAT Specifies the message catalog file name that contains the description of the authorization. The attribute type is SEC_CHAR. S_MSGSET Specifies the message set that contains the message for the description of the authorization in the file specified by the S_MSGCAT attribute. The attribute type is SEC_INT. S_MSGNUMBER Specifies the message number for the description of the authorization in the file that is specified by the S_MSGCAT attribute and the message set that is specified by the S_MSGSET attribute. The attribute type is SEC_INT.
Value	Specifies a buffer, a pointer to a buffer, or a pointer to a pointer according to the values of the Attribute and Type parameters. See the Type parameter for more details.
Type	Specifies the type of attribute. The following valid types are defined in the usersec.h file: SEC_INT The format of the attribute is an integer. The user should supply an integer value. SEC_CHAR The format of the attribute is a null-terminated character string. The user should supply a character pointer. SEC_LIST The format of the attribute is a series of concatenated strings, each of which is null-terminated. The last string in the series is terminated by two successive null characters. The user should supply a character pointer. SEC_COMMIT Specifies that the changes to the named authorization are to be committed to permanent storage. The values of the Attribute and Value parameters are ignored. If no authorization is specified, the changes to all modified authorizations are committed to permanent storage. SEC_DELETE If the Attribute parameter is specified, the corresponding attribute is deleted from the authorization database. If no Attribute parameter is specified, the entire authorization definition is deleted from the authorization database. SEC_NEW Creates a new authorization in the authorization database.

Security

Files Accessed:

File	Mode
/etc/security/authorizations	rw

Return Values

If successful, the putauthattr subroutine returns zero. Otherwise, a value of -1 is returned and the errno global value is set to indicate the error.

Error Codes

If the putauthattr subroutine fails, one of the following errno values is set:

Item	Description
EEXIST	The Type parameter is SEC_DELETE and the Auth parameter specifies an authorization that is the parent of at least one another authorization.
EINVAL	The Auth parameter is NULL and the Type parameter is not SEC_COMMIT.
EINVAL	The Auth parameter is default, ALL, ALLOW_OWNER, ALLOW_GROUP or ALLOW_ALL.
EINVAL	The Auth parameter begins with aix. Authorizations with a hierarchy that begin with aix are reserved for system-defined authorizations and are not modifiable using the putauthattr subroutine.
EINVAL	The Attribute parameter is NULL and the Type parameter is not SEC_NEW, SEC_DELETE or SEC_COMMIT.
EINVAL	The Attribute parameter does not contain one of the defined attributes.
EINVAL	The Type parameter does not contain one of the defined values.
EINVAL	The Value parameter does not point to a valid buffer or to valid data for this type of attribute.
ENOENT	The authorization specified by the Auth parameter does not exist.
ENOENT	The Auth parameter specifies a hierarchy and the Type parameter is SEC_NEW, but the parent authorization does not exist.
ENOMEM	Memory cannot be allocated.
EPERM	The operation is not permitted.