fgetfpriv(2)

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO

NAME

getfpriv, fgetfpriv, setfpriv, fsetfpriv- Return or set a privilege set associated with a file

SYNOPSIS

cc [flags...] file... -ltsol
int getfpriv(char * path, priv_ftype_t type, priv_set_t * priv_set);
int setfpriv(char * path, priv_op_t op, priv_ftype_t type, priv_set_t * priv_set);
int fgetfpriv(int fd, priv_ftype_t type, priv_set_t *priv_set);
int fsetfpriv(int fd, priv_op_t op, priv_ftype_t type, priv_set_t * priv_set);

DESCRIPTION

Set or get privileges of the file that is named by path or referred to by fd . fgetfpriv() and fsetfpriv() function exactly like getfpriv() and setfpriv() respectively, except that they require an open reference to a file as their argument.

getfpriv() copies the privilege set indicated by type and associated with the named file into the address specified by priv_set . Values for type are:

PRIV_FORCED

The forced privilege set.

PRIV_ALLOWED

The allowed privilege set.

MAC read permission is required for the named file unless the privilege PRIV_FILE_MAC_READ is effective.

setfpriv() sets/modifies the privilege set (the target set) indicated by type and associated with the named file. Modification occurs according to the value of op and the privilege set specified by priv_set (the specified set). Values for op are:

PRIV_ON

Each privilege asserted in the specified set is asserted in the target set.

PRIV_OFF

Each privilege asserted in the specified set is cleared in the target set.

PRIV_SET

The target set is set exactly equal to the specified set.

Values for type are the same as those used for getfpriv() .

In all cases, the privilege PRIV_FILE_SETPRIV must be effective. In addition, only the owner of a file may change its privilege sets, unless the privilege PRIV_FILE_OWNER is effective.

The invoking process must have MAC write permission for the named file (unless the privilege PRIV_FILE_MAC_WRITE is effective). DAC write access is not required.

It is an error to attempt to assert a forced privilege if the corresponding allowed privilege is not present. For this reason, it is recommended that the allowed privilege set be modified first whenever both privilege sets are to be modified.

If the target set is the allowed set, all privileges cleared from the target set are also automatically cleared from the forced set.

Normally MAC read permission is required or the privilege PRIV_FILE_MAC_READ must be effective for getfpriv() to complete its operation successfully unless the named file is a pty pseudo-terminal. If the named file is a pseudo-terminal ( /dev/ptyp * or /dev/ttyp *) and the label of the process invoking getfpriv() does not dominate the label of the named file and the privilege PRIV_FILE_MAC_READ is not effective then getfpriv() returns success but sets the privilege fields of priv_set to zero.

RETURN VALUES

These routines return:

0

On success.

-1

On failure, and set errno to indicate the error.

ERRORS

These routines fail and the target set is not modified if:

EINVAL

An illegal or undefined value is supplied for size or type .

EFAULT

priv_set refers to an invalid address.

Additionally, getfpriv() and setfpriv() fail if:

EACCES

Search permission is denied a component of path . To override this restriction, the calling process may assert the PRIV_FILE_DAC_SEARCH privilege and/or the PRIV_FILE_MAC_SEARCH privilege.

getfpriv() and fgetfpriv() fail if:

EACCES

MAC read permission is denied for the named file, and privilege PRIV_FILE_MAC_READ is not effective.

ENOENT

A component of the specified path does not exist.

ENOTDIR

A component of the specified path prefix is not a directory.

ENAMETOOLONG

The length of the path argument exceeds PATH_MAX , oL a pathname component is longer than NAME_MAX while _POSIX_NO_TRUNC is in effect.

setfpriv() and fsetfpriv() fail and the target set is not modified if:

EACCES

MAC write permission is denied for the named file, privilege PRIV_FILE_MAC_WRITE is not effective, and the user's clearance dominates the sensitivity label of the file.

EINVAL

(1) The named file resides on a file system that does not support privileges (that is, a file system other than NFS , TMPFS ) or (2) an illegal or undefined value is supplied for op . Also if privilege PRIV_FILE_MAC_WRITE is not effective.

EPERM

MAC write permission is denied for the named file, and the user's clearance does not dominate the label of the named file, or (2) PRIV_FILE_SETPRIV is not effective, or (3) the effective uid does not match the owner of the named file and privilege PRIV_FILE_OWNER is not effective.

EROFS

The named file resides on a read-only file system.

SEE ALSO

Trusted Solaris 8 Reference Manual

getppriv(2) , setppriv(2) , priv_macros(5)

SunOS 5.8 Reference Manual

attributes(5)

Trusted Solaris 8  Last Revised 30 Sep 1999

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO