| Title and Copyright Information |
| About This Manual |
| Audience |
| Organization |
| Related Documentation |
| Reader's Comments |
| Conventions |
| 1 | Introduction for Programmers |
| 1.1 | Security Programming Overview |
| 1.1.1 | Protecting TCB Files |
| 1.1.2 | Secure Applications |
| 1.2 | Libraries and Header Files |
| 1.3 | Standard Trusted System Directories |
| 1.4 | Security-Relevant System Calls and Library Routines |
| 1.4.1 | System Calls |
| 1.4.2 | Library Routines |
| 2 | Trusted Programming Techniques |
| 2.1 | Writing SUID and SGID Programs |
| 2.2 | Handling Errors |
| 2.3 | Protecting Files |
| 2.4 | Specifying a Secure Search Path |
| 2.5 | Responding to Signals |
| 2.6 | Using Open File Descriptors with Child Processes |
| 2.7 | Security Concerns in the X Environment |
| 2.7.1 | Protect Keyboard Input |
| 2.7.2 | Block Keyboard and Mouse Events |
| 2.7.3 | Protect Device-Related Events |
| 2.8 | Protecting Shell Scripts |
| 3 | Authentication Database |
| 3.1 | Authentication Database Overview |
| 3.1.1 | Device Assignment Database (devassign) |
| 3.1.2 | File Control Database |
| 3.1.3 | System Default Database |
| 3.1.4 | Enhanced (Protected) Password Database |
| 3.1.5 | Terminal Control Database |
| 3.2 | Authentication Database Components |
| 3.2.1 | Database Form |
| 3.2.2 | Reading and Writing a Database |
| 3.2.2.1 | Buffer Management |
| 3.2.2.2 | Reading an Entry by Name or ID |
| 3.2.2.3 | Reading Entries Sequentially |
| 3.2.2.4 | Using System Defaults |
| 3.2.2.5 | Writing an Entry |
| 3.3 | Accessing the Authentication Databases |
| 4 | Identification and Authentication |
| 4.1 | The Audit ID |
| 4.2 | Identity Support Libraries |
| 4.3 | Using Daemons |
| 4.4 | Using the Enhanced (Protected) Password Database |
| 4.4.1 | Example: Password Expiration Program |
| 5 | Audit Record Generation |
| 5.1 | Audit Record Overview |
| 5.2 | Audit Events |
| 5.3 | Audit Records and Tokens |
| 5.3.1 | Public Tokens |
| 5.3.2 | Private Tokens |
| 5.4 | Audit Flag and Masks |
| 5.5 | Disabling System-Call Auditing for the Current Process |
| 5.6 | Modifying System-Call Auditing for the Current Process |
| 5.7 | Application-Specific Audit Records |
| 5.8 | Site-Defined Events |
| 5.8.1 | Sample site_events File |
| 5.8.2 | Example: Generating an Audit Record for a Site-Defined Audit Event |
| 5.9 | Creating Your Own Audit Logs |
| 5.10 | Parsing an Audit Log |
| 5.10.1 | Overview of Audit Log Format and List of Common Tuples |
| 5.10.2 | Token/Tuple Byte Descriptions |
| 5.10.3 | Parsing Tuples |
| 6 | Using the SIA Interface |
| 6.1 | SIA Overview |
| 6.2 | SIA Architecture |
| 6.2.1 | Libraries |
| 6.2.2 | Header Files |
| 6.3 | SIA System Initialization |
| 6.4 | SIAENTITY Structure |
| 6.5 | SIA Parameter Collection |
| 6.6 | Maintaining State |
| 6.7 | SIA Return Values |
| 6.8 | SIA Debugging and Logging |
| 6.9 | SIA Integrating Security Mechanisms |
| 6.10 | SIA Session Processing |
| 6.10.1 | Session Initialization |
| 6.10.2 | Session Authentication |
| 6.10.3 | Session Establishment |
| 6.10.4 | Session Launch |
| 6.10.5 | Session Release |
| 6.10.6 | Specific Session Processing |
| 6.10.6.1 | The login Process |
| 6.10.6.2 | The rshd Process |
| 6.10.6.3 | The rlogind Process |
| 6.11 | Changing Secure Information |
| 6.11.1 | Changing a User's Password |
| 6.11.2 | Changing a User's Finger Information |
| 6.11.3 | Changing a User's Shell |
| 6.12 | Accessing Security Information |
| 6.12.1 | Accessing /etc/passwd Information |
| 6.12.2 | Accessing /etc/group Information |
| 6.13 | Session Parameter Collection |
| 6.14 | Packaging Products for the SIA |
| 6.15 | Security Mechanism-Dependent Interface |
| 6.16 | Single-User Mode |
| 6.17 | Symbol Preemption for SIA Routines |
| 6.17.1 | Overview of the Symbol Preemption Problem |
| 6.17.2 | The Tru64 UNIX Solution |
| 6.17.3 | Replacing the Single-User Environment |
| 7 | Programming with ACLs |
| 7.1 | ACL Overview |
| 7.2 | ACL Data Representations |
| 7.2.1 | Internal Data Representation |
| 7.2.1.1 | typedef struct acl *acl_t; |
| 7.2.1.2 | typedef struct acl_entry *acl_entry_t; |
| 7.2.1.3 | typedef uint_t acl_type_t; |
| 7.2.1.4 | typedef uint acl_tag_t; |
| 7.2.1.5 | typedef uint_t acl_perm_t; |
| 7.2.1.6 | typedef acl_perm_t *acl_permset_t; |
| 7.2.1.7 | Contiguous Internal Representation ACL |
| 7.2.2 | External Representation |
| 7.3 | ACL Library Routines |
| 7.4 | ACL Rules |
| 7.4.1 | Object Creation |
| 7.4.2 | ACL Replication |
| 7.4.3 | ACL Validity |
| 7.5 | ACL Creation Example |
| 7.6 | ACL Inheritance Example |
| 8 | GSS-API |
| 8.1 | GSS-API Overview |
| 8.1.1 | GSS-API Assumptions |
| 8.1.2 | Further Information |
| 8.2 | Application Security SDK |
| 8.3 | Application Security SDK Functions |
| 8.3.1 | Name Management Functions |
| 8.3.1.1 | Default Names and Syntax |
| 8.3.2 | Credential Management Functions |
| 8.3.2.1 | Acquiring Initial Credentials |
| 8.3.2.1.1 | Initiator Applications |
| 8.3.2.1.2 | Acceptor Applications |
| 8.3.2.1.3 | DES3 |
| 8.3.2.2 | Credential Attributes |
| 8.3.2.3 | Credentials Storage Location |
| 8.3.2.4 | Managing Credential Resources |
| 8.3.3 | Security Context Management Functions |
| 8.3.3.1 | Identifying a Mechanism |
| 8.3.3.2 | Token Exchange |
| 8.3.3.3 | Optional Security Measures |
| 8.3.3.3.1 | Channel Bindings |
| 8.3.3.3.2 | Confidentiality and Integrity |
| 8.3.3.3.3 | Replay Detection |
| 8.3.3.3.4 | Out-of-Sequence Message Detection |
| 8.3.3.3.5 | Mutual Authentication |
| 8.3.3.3.6 | Encryption Type: DES vs. DES3 |
| 8.3.3.3.7 | Credentials Delegation |
| 8.3.3.4 | Identifying the Targeted Security Measures |
| 8.3.4 | Message Functions |
| 8.3.4.1 | Quality of Protection |
| 8.3.5 | Miscellaneous Support Functions |
| 8.3.5.1 | OID and OID Sets |
| 8.3.5.1.1 | OSI |
| 8.3.5.1.2 | ASN.1 |
| 8.3.5.1.3 | Object Identifiers |
| 8.3.5.1.4 | OID Sets |
| 8.3.6 | V1 Compliance Functions |
| 8.4 | Best Practices |
| 8.4.1 | Multi-threading |
| 8.4.2 | Cache Management |
| 8.4.3 | Encryption Types |
| 8.4.4 | Exported Security Contexts |
| 8.4.5 | Key Management with GSS and Kerberos 5 |
| 8.4.6 | Multi-threaded Functions |
| 8.4.7 | Mutual Authentication |
| 8.4.8 | Protecting Passwords |
| 8.4.9 | Replay Protection |
| 8.4.10 | Refreshing Credentials |
| 8.4.11 | Resource Management |
| 8.4.12 | Service Key Table Files |
| 8.4.13 | Ticket Attributes |
| 8.4.13.1 | Forwardable Tickets |
| 8.4.13.2 | Preauthentication |
| 8.4.13.3 | Ticket Lifetime |
| 8.4.13.4 | Ticket Renew Time |
| 8.4.13.4.1 | General Rules for Lifetime and Renew Settings |
| 8.5 | Building a Portable Application |
| 8.5.1 | Using Printable Names and Comparing Names |
| 8.5.2 | Specifying Mechanisms |
| 8.5.3 | Specifying a Quality of Protection (QOP) |
| 8.5.4 | Default Names |
| 8.6 | Quick Reference |
| 8.6.1 | Reference Page Conventions |
| 8.7 | Constants |
| 8.8 | Data Structures |
| 8.8.1 | gss_channel_bindings_t |
| 8.8.2 | gss_buffer_t |
| 8.8.3 | csf_gss_opts_t |
| 8.9 | Return Values |
| 8.9.1 | Status Codes Defined |
| 8.9.2 | Error Processing Macros |
| 8.9.2.1 | GSS_ERROR( ) |
| 8.9.2.2 | GSS_CALLING_ERROR( ) |
| 8.9.2.3 | GSS_ROUTINE_ERROR( ) |
| 8.9.2.4 | GSS_SUPPLEMENTARY_INFO( ) |
| 8.9.3 | Major Status |
| 8.9.4 | Minor Status |
| 8.9.5 | Kerberos-specific Codes |
| A | Coding Examples |
| A.1 | Source Code for a Reauthentication Program (sia-reauth.c) |
| A.2 | Source Code for a Superuser Authentication Program (sia-suauth.c) |
| B | Auditable Events and Aliases |
| B.1 | Default Auditable Events File |
| B.2 | Sample Event Aliases File |
| C | GSS-API Tutorial |
| C.1 | Security Primer |
| C.1.1 | Fundamental Concepts |
| C.1.2 | Kerberos Security Model |
| C.1.2.1 | Definitions |
| C.1.2.2 | Concepts and Processes |
| C.1.2.2.1 | A Shared Secret |
| C.1.2.2.2 | Trusted Third Party Arbitration |
| C.1.2.2.3 | The Kerberos Network |
| C.1.2.2.4 | Three Phases to Authentication |
| C.1.2.2.5 | Authentication Service Message Exchange |
| C.1.2.2.6 | Ticket-Granting Service Message Exchange |
| C.1.2.2.7 | Application Message Exchange |
| C.1.2.3 | Credential Attributes |
| C.2 | Getting Started |
| C.3 | Using Basic GSS-API Functions |
| C.4 | Step 1: Getting Names |
| C.5 | Step 2: Acquiring Credentials |
| C.6 | Step 3: Establishing a Security Context |
| C.7 | Step 4: Exchanging Messages |
| C.7.1 | Using gss_get_mic( ) and gss_verify_mic( ) |
| C.7.2 | Using gss_wrap( ) and gss_unwrap( ) |
| C.8 | Step 5: Terminating the Security Context |
| C.9 | Advanced Concepts |
| C.9.1 | Obtaining Initial Credentials |
| C.9.2 | Required Time Synchronization |
| C.9.3 | Using DES3 Encryption |
| C.10 | Status Codes for GSS-API Functions |
| C.10.1 | Minor Error Codes |
| C.11 | Sample Programs |
| C.11.1 | Building the Sample Programs |
| C.11.2 | Running the Sample Programs |
| C.11.2.1 | Prerequisites |
| C.11.2.2 | Starting the Sample Programs |
| C.11.2.3 | Server Command Line Switches (Optional) |
| C.11.2.4 | Client Command Line Switches (Optional) |
| C.11.3 | Sample Program Output |
| C.11.4 | Troubleshooting Guidelines |
| Examples |
| 4-1 | Password Expiration Program |
| 6-1 | The SIAENTITY Structure |
| 6-2 | The sia.h Definition for Parameter Collection |
| 6-3 | Typical /var/adm/sialog File |
| 6-4 | Session Processing Code for the login Command |
| 6-5 | Preempting Symbols in Single-User Mode |
| 8-1 | Constant Pointing to a Structure Containing a String |
| 8-2 | Constant Pointing to a String |
| A-1 | Reauthentication Program |
| A-2 | Superuser Authentication Program |
| Figures |
| 6-1 | SIA Layering |
| 6-2 | SIA Login Session Processing |
| Tables |
| 1-1 | Standard Trusted System Directories |
| 1-2 | Security-Relevant System Calls |
| 1-3 | Security-Relevant Library Routines |
| 5-1 | Default Tuples Common to Most Audit Records |
| 5-2 | Token/Tuple Byte Descriptions |
| 6-1 | Security-Sensitive Operating System Commands |
| 6-2 | SIA Mechanism-Independent Routines |
| 6-3 | SIA Mechanism-Dependent Routines |
| 7-1 | ACL Entry External Representation |
| Index |