files - File control database (Enhanced Security)
The file control database (/etc/auth/system/files) is designed to help the Information System Security Officer (ISSO) maintain the integrity of the system. The database contains entries for system data files and executable files that require certain attributes. Some files require certain attributes to provide protection against unauthorized access, while others require a specific set of attributes to accomplish their intended function.
The database is used by the library routine create_file_securely() to determine the set of attributes for a newly created file. Many programs associated with the trusted computing base (TCB) use this library routine for file creation to ensure that file attributes are set correctly.
A broad range of attributes can be specified in the file control database. Specific choices depend upon the exact system configuration. These choices are as follows: This field specifies the owner name for the entry. If an owner name is not specified and the entry is created using create_file_securely, the owner of the file will be the real user ID of the process creating the file. This field specifies the group name for the entry. If a group name is not specified and the entry is created using create_file_securely, the group of the file will be the real group ID of the process creating the file. This field specifies the mode word for the entry. If the mode word is not specified and create_file_securely is used to create the entry, a mode word of 0 (zero) is assigned to the new file. This field identifies the type of the entry. This field is not taken into account by create_file_securely when a file is being created. The library routine will only create regular files. Choices for the type field are as follows: Regular file Directory FIFO device (pipe) Character special device Block special device Socket
The following example is a typical file control database entry
for the program /sbin/newfs:
:chkent: This entry specifies that the newfs program has bin as its owner and group, that it is a regular file, and that its mode is 0111O.
The following example shows an entry for a site-specific
directory that contains help files for an application:
This entry specifies the owner of the /appl/help_files directory as appadmin, the group as appl, and the mode as 0750.
Specifies the pathname of the file control database.
Files: authcap(4) delim off