files - File control database (Enhanced Security)
The file control database (/etc/auth/system/files) is
designed to help the Information System Security Officer
(ISSO) maintain the integrity of the system. The database
contains entries for system data files and executable
files that require certain attributes. Some files require
certain attributes to provide protection against unauthorized
access, while others require a specific set of
attributes to accomplish their intended function.
The database is used by the library routine create_file_securely()
to determine the set of attributes for
a newly created file. Many programs associated with the
trusted computing base (TCB) use this library routine for
file creation to ensure that file attributes are set correctly.
A broad range of attributes can be specified in the file
control database. Specific choices depend upon the exact
system configuration. These choices are as follows: This
field specifies the owner name for the entry. If an owner
name is not specified and the entry is created using create_file_securely(),
the owner of the file will be the
real user ID of the process creating the file. This field
specifies the group name for the entry. If a group name is
not specified and the entry is created using create_file_securely(),
the group of the file will be the
real group ID of the process creating the file. This
field specifies the mode word for the entry. If the mode
word is not specified and create_file_securely() is used
to create the entry, a mode word of 0 (zero) is assigned
to the new file. This field identifies the type of the
entry. This field is not taken into account by create_file_securely()
when a file is being created. The
library routine will only create regular files. Choices
for the type field are as follows: Regular file Directory
FIFO device (pipe) Character special device Block special
device Socket
The following example is a typical file control database
entry for the program /sbin/newfs:
/sbin/newfs:f_owner=root:f_group=bin:\
:f_type=r:f_mode#04111:\
:chkent:
This entry specifies that the newfs program has bin as its
owner and group, that it is a regular file, and that its
mode is 0111.
The following example shows an entry for a site-specific
directory that contains help files for an application:
/appl/help_files:f_owner=appadmin:f_group=appl:\
:f_type=d:f_mode#0750:\ :chkent;
This entry specifies the owner of the /appl/help_files
directory as appadmin, the group as appl, and the mode as
0750.
Specifies the pathname of the file control database.
Functions: getprfient(3)
Files: authcap(4)
files(4)
[ Back ] | 