 authcap(4)                                                       authcap(4)




 NAME
      authcap - security databases for trusted systems

 SYNOPSIS
      /tcb/files/auth/*
      /tcb/files/auth/system/*

 DESCRIPTION
      All security-relevant databases are stored in an ASCII format in the
      file system.  This format is converted to binary structures by support
      routines described in Section 3 manual entries.  This manual entry
      describes the format of these databases, and describes the philosophy
      of conversion into data structures.

    Hierarchy Structure
      The complete database resides in two hierarchies: /tcb/files/auth/*
      and /tcb/files.  The first hierarchy contains the Protected Password
      database, and has subdirectories with single letter names, each of
      which is a starting letter for user names.  Within each of these
      directories are regular files, each in authcap(4) format and
      containing the Protected Password entry for a particular user.
      Thus, all user names beginning with x have their respective
      authentication and identity information in a file in directory
      /tcb/files/auth/x.

      Directories within /tcb/files/auth/system and /tcb/files contain
      system-wide information.  Global system settings reside in directory
      /tcb/files/auth/system.  Terminal and device assignment files are
      located in directory /tcb/files.

      The following database files reside in directory
      /tcb/files/auth/system:

           default        Default Control

      The following database files reside in directory /tcb/files:

           ttys           Terminal Control
           devassign      Device Assignment

    File Format
      Each data file (/tcb/files/auth/system and /tcb/files) has the same
      format.  Each file consists of one virtual line, optionally split into
      multiple physical lines with the \ character present at the end of all
      lines except the last.  For example, the line

           smk:u_name=smk:u_id#16:u_pwd=a78/a1.eitfn6:chkent:

      can be split into:

           smk:u_name=smk:u_id#16:\
                :u_pwd=a78/a1.eitfn6:\
                :chkent:

      Note that all capabilities must be immediately preceded and followed
      with the : separator.  Multiple line entries require : at the end of
      each line and at the beginning of each continuation line in the entry.
      Continuation lines are indented by a tab character.  Multiple entries
      are separated by a new-line character that is not preceded by a
      continuation character:

           daa:u_name=daa:u_id#75:u_maxtries#9:chkent:
           smk:u_name=smk:u_id#76:u_maxtries#5:chkent:

    Line Format
      The format of a line is briefly as follows:

           name:cap1:cap2:cap3:...:capn:chkent:

      The entry is referenced by the name.  The end of the name part of the
      entry is terminated by the : character.

      At the end of each entry is the chkent field.  This is used as an
      integrity check on each entry.  The authcap routines reject all
      entries that do not contain the chkent terminator.

      Each entry has 0 or more capabilities, each terminated with the :
      character.  Each capability has a unique name.  Numeric capabilities
      have the format:

           id#num

      where num is a decimal or (0-preceded) octal number.  Boolean
      capabilities have the format:

           id

      or

           id@

      where the first form signals the presence of the capability and the
      second form signals the absence of the capability.  String
      capabilities have the format:

           id=string

      where string is 0 or more characters.  The \ and : characters are
      escaped as \\ and \: respectively.
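
      The File Format and Line Format rules above, as an added example (not HP's code and not the authcap library routines): a small Python parser that folds continuation lines, rejects entries lacking chkent, and types each capability. The sample entries are constructed, and x_flag and x_path are made-up capability names.

```python
import re

# Constructed sample in the format above; x_flag and x_path are made-up names.
SAMPLE = (
    "smk:u_name=smk:u_id#16:\\\n"
    "\t:u_pwd=a78/a1.eitfn6:\\\n"
    "\t:chkent:\n"
    "daa:u_name=daa:u_id#075:x_flag@:x_path=/a\\:b:chkent:\n"
    "bad:u_name=bad:u_id#9:\n"  # no chkent terminator, must be rejected
)
FIELD = re.compile(r"((?:\\.|[^:\\])*):")  # one field up to an unescaped ':'

def virtual_lines(text):
    """Fold physical lines ending in an unescaped backslash into virtual lines."""
    return re.sub(r"(?<!\\)((?:\\\\)*)\\\n[ \t]*", r"\1", text).splitlines()

def split_fields(line):
    """Split on unescaped ':' and undo the backslash escapes."""
    if FIELD.sub("", line):
        raise ValueError(f"text after the last ':' in {line!r}")
    # Joined continuation lines leave empty fields ("::"), which are dropped.
    return [re.sub(r"\\(.)", r"\1", f) for f in FIELD.findall(line) if f]

def parse_cap(field):
    """Return (id, value) for one numeric, boolean or string capability."""
    m = re.fullmatch(r"(\w+)([=#@]?)(.*)", field, re.S)
    cid, op, rest = m.groups() if m else ("", None, "")
    if op == "=":
        return cid, rest                        # string, may be empty
    if op == "#":                               # decimal, or octal if 0-prefixed
        return cid, int(rest, 8 if rest.startswith("0") else 10)
    if op in ("", "@") and rest == "":
        return cid, op == ""                    # id -> present, id@ -> absent
    raise ValueError(f"malformed capability {field!r}")

def parse_authcap(text):
    """Return ({name: {cap: value}}, [reasons for rejected entries])."""
    good, rejected = {}, []
    for line in filter(None, virtual_lines(text)):
        try:
            name, *caps = split_fields(line)
            if not caps or caps.pop() != "chkent":
                raise ValueError(f"entry {name!r} lacks the chkent terminator")
            good[name] = dict(parse_cap(c) for c in caps)
        except ValueError as err:
            rejected.append(str(err))
    return good, rejected
```

      Calling parse_authcap(SAMPLE) returns the smk and daa entries and one rejection reason for bad, which has no chkent terminator.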

    File Locking
      All databases use a lock file, the existence of which means that the
      file is currently being rewritten.  Occasionally, the lock files
      remain after a system crash and must be removed manually.  The lock
      file is formed by appending -t to the database file name.

    Fields/Flags
      All databases are converted into structures by programs.  The data
      structures consist of two substructures, each of which has one member
      for each field in the database entry.  The field structure contains a
      field value (for example, a number, a boolean flag, a directory
      string, or a mask), while the flag value (one bit) indicates the
      presence or absence of the field in that entry.

 AUTHOR
      authcap was developed by HP.

 SEE ALSO
      default(4), devassign(4), getdvagent(3), getprdfent(3), getprpwent(3),
      getprtcent(3), prpwd(4), ttys(4).


 Hewlett-Packard Company            - 3 -   HP-UX 11i Version 2: August 2003