authcap - Format of security databases (Enhanced Security)
The security-relevant databases used by the enhanced security subsets
include the user profile databases (and by extension their optional NIS map
source files), the file control database, the terminal control and device
assignment databases, and the system default database.
This reference page describes the location and general format of these
databases. A specific reference page for each database describes its
The user profile databases (sometimes referred to as the protected password
database) reside in /tcb/files/auth.db and /var/tcb/files/auth.db. The
/tcb/files/auth.db database contains information for UIDs from 0 to 99.
The /var/tcb/files/auth.db database contains information for UIDs 100 and
All other databases reside in /etc/auth/system. These include:
default System default database of global (or template) values for users
files File control database
ttys.db Terminal control database
devassign Device assignment database
Files with .db extensions are in database format for efficiency. Others
are ASCII files. All the databases can be manipulated by the edauth util-
A file entry consists of a key followed by a colon (:), a set of
field/value pairs each followed by a colon, and a terminator, chkent:. The
following is an example of a user profile entry as a single, continuous
For readability, an entry can optionally be split into multiple lines by
inserting a backslash (\) character at the end of each line and an extra
colon at the beginning of the continuation line. Continuation lines are
indented by a tab character. The split cannot separate a field/value pair,
including its terminating colon.
The following is the same entry as above, broken into multiple lines:
Multiple entries are separated by a new line that is not preceded by a
continuation character. For example:
Each entry is referenced by the key followed by the colon (:).
At the end of each entry is the chkent field. The "chkent:" string
indicates that the entry is complete. This is used as an integrity check on
each entry by the programs that read the databases.
The field names, or capabilities, begin with an identifying prefix that
depends upon the database type. The following list of prefixes also lists
the reference page that explains the associated database:
t_ Terminal control database field. See the ttys(4) reference page.
u_ User profile (protected password) database field. See the prpasswd(4)
v_ Device assignment database field. See the devassign(4) reference
d_ System default database field. Note that the system default database
can contain fields with any of the above prefixes. See the default(4)
Fields can have numeric, Boolean, or string values:
Numeric Numeric fields take the form fieldname#number, where number is a
decimal number, an octal number (indicated by a leading 0), or a
hexadecimal number (indicated by a leading 0X).
Boolean Boolean fields take the form fieldname for true or fieldname@ for
String String fields take the form fieldname=string, where string is 0
(zero) or more characters. To include the backslash (\) or colon
(:) characters in a string, surround them with the backslash (\)
All databases use a lock file, the existence of which means that the file
is currently being rewritten. Occasionally, the files remain after a system
crash and must be removed manually. The lock file is formed by appending :t
to the database file name.
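The entry format described above (key, colon-terminated field/value pairs, backslash continuation lines with an extra leading colon, the three value types, the backslash escape for : and \, and the mandatory chkent: terminator) is small enough to parse in a few functions. The following is an added example written for this page, not part of the authcap reference or the edauth/getprpwent code; the sample entries and their field names are constructed for illustration.

```python
import re
# Constructed sample in authcap format; field names are illustrative only.
SAMPLE = (
    "root:u_name=root:u_id#0:u_pwd=*:u_lock@:\\\n"
    "\t:u_minlen#0:u_maxlen#0X20:\\\n"
    "\t:chkent:\n"
    "guest:u_name=guest:u_id#0144:u_lock:u_comment=C\\:\\D\\\\\\E:chkent:\n"
)
_ESC = re.compile(r"\\([:\\])\\")  # \:\ and \\\ stand for a literal : or \

def _join_entries(text):
    # Rejoin backslash-continued lines, dropping each continuation line's extra colon.
    entries, cur = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("\t ")
        line = line[1:] if cur and line.startswith(":") else line
        cont = line.endswith("\\")
        cur += line[:-1] if cont else line
        if not cont and cur:
            entries.append(cur)
            cur = ""
    if cur:
        raise ValueError("unterminated continuation at end of file")
    return entries

def _split_fields(entry):
    # Hide escaped : and \ so a plain split on ":" is safe, then restore them.
    hidden = _ESC.sub(lambda m: "\x00" if m.group(1) == ":" else "\x01", entry)
    return [f.replace("\x00", ":").replace("\x01", "\\") for f in hidden.split(":")]

def _parse_field(field):
    if "=" in field:                       # string: fieldname=string
        return tuple(field.split("=", 1))
    if "#" in field:                       # numeric: decimal, leading-0 octal, 0X hex
        name, num = field.split("#", 1)
        base = 16 if num[:2].upper() == "0X" else 8 if len(num) > 1 and num[0] == "0" else 10
        return name, int(num, base)
    if field.endswith("@"):                # Boolean false: fieldname@
        return field[:-1], False
    return field, True                     # Boolean true: bare fieldname

def parse_authcap(text):
    # Return {key: {field: value}}; an entry not ending in "chkent:" is rejected.
    db = {}
    for entry in _join_entries(text):
        fields = _split_fields(entry)
        if len(fields) < 3 or fields[-2:] != ["chkent", ""]:
            raise ValueError("incomplete entry (no chkent:): %r" % entry[:40])
        db[fields[0]] = dict(_parse_field(f) for f in fields[1:-2])
    return db
```

A reader that enforces the chkent: check this way refuses a truncated entry (for example one cut short by a crash during a rewrite) instead of silently loading a partial profile.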
Fields and Flags
A program reads a database entry as a structure composed of two
substructures: a field substructure and a flag substructure. Each
substructure has one member for each potential field. A one-bit flag
indicates the presence or absence of its corresponding field in a particular
entry. The field structure contains the field values (for example, a
number, a Boolean flag, a directory string, or a mask).
Protected password database for UIDs from 0 to 99.
Protected password database for UIDs 100 and up.
Contains the global system settings database.
Functions: getprpwent(3), getdvagent(3), getprdfent(3), getprtcent(3), get-
Files: default(4), devassign(4), files(4), prpasswd(4), ttys(4)