Get and Set File System Security Attribute Flags
This example sets the public attribute flag on a regular directory and gets the MLD flag of a multi-level directory. The process needs the file_owner and file_audit privileges for this example to work. Use setfpriv(1) to set the privileges as follows. The file_setpriv privilege is required with setfpriv(1) so this command must be executed from the profile shell with this privilege.
phoenix% setfpriv -s -a file_owner,file_audit executable |
#include <tsol/secflgs.h>
main()
{
secflgs_t value;
char *file = "/opt/SUNWspro"; /* Not MLD */
char *file1 = "/export/home/zelda"; /* MLD */
int retval;
retval = setfattrflag(file, FAF_PUBLIC, FAF_PUBLIC);
retval = getfattrflag(file, &value);
printf("Public Attribute Flag = %d\n", value);
retval = mldgetfattrflag(file1, &value);
printf("MLD Attribute Flag = %d\n", value);
}
The printf statements print the following where 1 equals True and 0 equals false.
Public Attribute Flag = 0 MLD Attribute Flag = 1 |
FAF_MLD - Directory is a multi-level directory. FAF_MLD may be set without privilege if the directory is empty, the effective user ID of the process matches the directory owner, and the process has mandatory write access.
FAF_SLD - Directory is a single-level directory. This flag cannot be set programmatically.
If an adorned pathname is passed to getfattrflag(1), FAF_MLD is returned if the directory is an MLD. If an unadorned pathname is passed and if the directory is an MLD, FAF_SLD is returned.
If an adorned pathname is passed to mldgetfattrflag(2), FAF_SLD is returned if the directory is an MLD. If an unadorned pathname is passed and if the directory is an MLD, FAF_MLD is returned.
Adorned names are described in Chapter 7, Multilevel Directories.
FAF_PUBLIC - File or directory is public. Audit records are not generated for read operations on public files and directories even when the read operations are part of a preselected audit class. This applies to the following read operations: access(2), fstatvfs(2), lstat(2), open(2) (read only), pathconf(2), readlink(2), stat(2), and statvfs(2).
Note -
If the AUE_MAC or AUE_UPRIV audit pseudo events are in a preselected audit class, an audit record for those events is always generated regardless of the public attribute flag setting. See Trusted Solaris Audit Administration for more information on these pseudo audit events.
The process needs the file_audit and file_owner privileges in its effective set to get or set the public attribute flag for a file or directory. See "Privileges and Authorizations" for more information. This flag can also be administratively set as described in Trusted Solaris Administrator's Procedures.
- © 2010, Oracle Corporation and/or its affiliates