source: trunk/athena/lib/al/al_login_allowed.3 @ 12154

Revision 12154, 4.8 KB checked in by ghudson, 26 years ago (diff)
Add an example.
.\" $Id: al_login_allowed.3,v 1.5 1998-11-19 22:06:22 ghudson Exp $
.\"
.\" Copyright 1997, 1998 by the Massachusetts Institute of
.\" Technology.
.\"
.\" Permission to use, copy, modify, and distribute this
.\" software and its documentation for any purpose and without
.\" fee is hereby granted, provided that the above copyright
.\" notice appear in all copies and that both that copyright
.\" notice and this permission notice appear in supporting
.\" documentation, and that the name of M.I.T. not be used in
.\" advertising or publicity pertaining to distribution of the
.\" software without specific, written prior permission.
.\" M.I.T. makes no representations about the suitability of
.\" this software for any purpose.  It is provided "as is"
.\" without express or implied warranty.
.\"
.TH AL_LOGIN_ALLOWED 3 "4 April 1998"
.SH NAME
al_login_allowed \- Determine if a user is allowed to log in
.SH SYNOPSIS
.nf
.B #include <al.h>
.PP
.B int al_login_allowed(const char *\fIusername\fP, int \fIisremote\fP,
.B      int *\fIlocal_acct\fP, char **\fItext\fP)
.PP
.B cc file.c -lal -lhesiod
.fi
.SH DESCRIPTION
This function determines whether the user
.I username
is allowed to log in according to the Athena security model.  A user
may be denied access if:
.TP 2
*
.I /etc/nologin
exists and
.I username
is not listed as having uid 0 in the local passwd file.
.TP 2
*
.I username
is not listed in the local passwd file and there is no Hesiod passwd
entry for
.IR username .
.TP 2
*
.I username
is not listed in the local passwd file and the Hesiod passwd entry for
.I username
has the same uid as some entry in the local passwd file.
.TP 2
*
.I username
is not allowed local or remote access (as appropriate) according to
the Athena access control file
.I /etc/athena/access
(see access(5)).
.PP
If the access control file
.I /etc/athena/access
does not exist, then
.I al_login_allowed
looks for the presence of two files
.I /etc/noremote
and
.I /etc/nocreate
to determine which users are authorized to log in locally and
remotely.  If
.I /etc/noremote
is present, only users in the local passwd file may log in remotely.
If
.I /etc/nocreate
is present, only users in the local passwd file may log in at all.
.PP
If the user is denied access due to
.I /etc/athena/access
and explanatory text was given on the relevant line, then the variable
pointed to by
.I text
is set to an allocated string (which must be freed by the caller)
containing the explanatory text followed by a newline.  If the user
was denied access due to
.IR /etc/nologin ,
.IR /etc/noremote ,
or
.I /etc/nocreate
and the relevant file is of nonzero length, then the variable
pointed to by
.I text
is set to the text of the file.  Otherwise, the variable pointed to by
.I text
is set to NULL.  If the caller does not care about explanatory text,
it can pass NULL for
.IR text .
.PP
On successful return, the variable pointed to by
.I local_acct
is set to 1 if the user is root or has a local account according to
.I /etc/athena/access
or 0 if not.  The root account is always treated as local.  If a user
has a local account, the login program should suppress Athena-specific
login behavior including the retrieval of Kerberos tickets.
.SS EXAMPLE
The following example function might be appropriate for a remote login
program to determine if a user is allowed to log in.  The example
assumes that
.I respond
is a function with printf-like arguments which transmits text to the
client side of the connection.  The function returns only if the user
is allowed to log in, and its return value indicates whether or not
the user's account is local.
.PP
.RS
.nf
int check_access(const char *username)
{
  int local, status;
  char *text, *errmem;

  status = al_login_allowed(username, 1, &local, &text);
  if (status != AL_SUCCESS)
    {
      respond("Access denied: %s\\n", al_strerror(status, &errmem));
      if (text)
        respond("%s", text);
      free(text);
      al_free_errmem(errmem);
      exit(0);
    }
  return local;
}
.fi
.RE
.SH RETURN VALUES
.I al_login_allowed
may return the following values:
.TP 15
.I AL_SUCCESS
The user may log in.
.TP 15
.I AL_ENOUSER
There is no local or Hesiod passwd entry for
.IR username .
.TP 15
.I AL_EBADHES
The Hesiod passwd entry for
.I username
conflicts with a local passwd entry.
.TP 15
.I AL_ENOLOGIN
The user may not log in because of
.IR /etc/nologin .
.TP 15
.I AL_ENOREMOTE
The user may not log in because of
.I /etc/athena/access
(when local access is allowed for a user but remote access is denied)
or because of
.IR /etc/noremote .
.TP 15
.I AL_ENOCREATE
The user may not log in because of
.I /etc/athena/access
or because of
.IR /etc/nocreate .
.TP 15
.I AL_ENOMEM
Memory was exhausted.
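The denial rules in DESCRIPTION and the status codes in RETURN VALUES, modelled as an added, self-contained C example. This is not libal's code: it reads no real files, the passwd tables and flag-file states are constructed in memory, the numeric values of the AL_ constants are constructed for the model, and it assumes that /etc/athena/access is absent (so the /etc/noremote and /etc/nocreate fallback applies) and that the rules are applied in the order the man page lists them. The local_acct and text outputs are not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status names follow the man page's RETURN VALUES section; the numeric
 * values are constructed for this model and are not libal's. */
enum model_status {
    AL_SUCCESS = 0, AL_ENOUSER, AL_EBADHES, AL_ENOLOGIN, AL_ENOREMOTE, AL_ENOCREATE
};

/* Constructed stand-in for a passwd entry; not a libal type. */
struct pwent {
    const char *name;
    int uid;
};

/* Constructed snapshot of the state that the real function reads from the
 * local passwd file, Hesiod and the flag files.  /etc/athena/access is taken
 * to be absent, so the /etc/noremote and /etc/nocreate fallback applies. */
struct host_state {
    const struct pwent *local;  size_t nlocal;    /* local passwd file */
    const struct pwent *hesiod; size_t nhesiod;   /* Hesiod passwd map */
    int nologin;    /* /etc/nologin exists */
    int noremote;   /* /etc/noremote exists */
    int nocreate;   /* /etc/nocreate exists */
};

static const struct pwent *find_name(const struct pwent *t, size_t n,
                                     const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0)
            return &t[i];
    return NULL;
}

static int uid_in_table(const struct pwent *t, size_t n, int uid)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].uid == uid)
            return 1;
    return 0;
}

/* Applies the denial rules in the order the man page lists them.  That
 * ordering, and checking /etc/nocreate before /etc/noremote, are assumptions
 * of this model, not statements about libal. */
enum model_status model_login_allowed(const struct host_state *h,
                                      const char *username, int isremote)
{
    const struct pwent *lp = find_name(h->local, h->nlocal, username);
    const struct pwent *hp = find_name(h->hesiod, h->nhesiod, username);

    /* /etc/nologin: only a local uid-0 account gets past it. */
    if (h->nologin && !(lp && lp->uid == 0))
        return AL_ENOLOGIN;

    if (lp == NULL) {
        /* No local entry, so a Hesiod entry is required ... */
        if (hp == NULL)
            return AL_ENOUSER;
        /* ... and its uid must not collide with a local account, which would
         * otherwise give the Hesiod user that account's files and privileges. */
        if (uid_in_table(h->local, h->nlocal, hp->uid))
            return AL_EBADHES;
        /* Fallback policy used when /etc/athena/access does not exist:
         * the flag files restrict users who are not in the local passwd file. */
        if (h->nocreate)
            return AL_ENOCREATE;
        if (isremote && h->noremote)
            return AL_ENOREMOTE;
    }
    return AL_SUCCESS;
}

/* Constructed sample tables: "mallory" is a Hesiod entry whose uid collides
 * with the local user "alice". */
static const struct pwent sample_local[]  = { {"root", 0}, {"alice", 1001} };
static const struct pwent sample_hesiod[] = { {"bob", 2002}, {"mallory", 1001} };

/* Evaluates one scenario against the sample tables; the flag arguments say
 * which of /etc/nologin, /etc/noremote and /etc/nocreate exist. */
enum model_status scenario(const char *user, int isremote,
                           int nologin, int noremote, int nocreate)
{
    struct host_state h = {
        sample_local,  sizeof sample_local / sizeof sample_local[0],
        sample_hesiod, sizeof sample_hesiod / sizeof sample_hesiod[0],
        nologin, noremote, nocreate
    };
    return model_login_allowed(&h, user, isremote);
}

int main(void)
{
    static const char *const names[] = { "AL_SUCCESS", "AL_ENOUSER",
        "AL_EBADHES", "AL_ENOLOGIN", "AL_ENOREMOTE", "AL_ENOCREATE" };
    printf("bob, remote, /etc/noremote present:  %s\n", names[scenario("bob", 1, 0, 1, 0)]);
    printf("bob, local, /etc/noremote present:   %s\n", names[scenario("bob", 0, 0, 1, 0)]);
    printf("mallory, local, no flag files:       %s\n", names[scenario("mallory", 0, 0, 0, 0)]);
    printf("alice, local, /etc/nologin present:  %s\n", names[scenario("alice", 0, 1, 0, 0)]);
    printf("root, local, /etc/nologin present:   %s\n", names[scenario("root", 0, 1, 0, 0)]);
    return 0;
}
```

The uid-collision rule is the one worth reading twice: a Hesiod entry that reuses a local uid is refused outright rather than trusted, because the kernel only knows uids, and the flag-file fallback only ever narrows what users outside the local passwd file may do.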
.SH FILES
/etc/athena/access, /etc/nocreate, /etc/noremote, /etc/nologin
.SH SEE ALSO
al_acct_create(3), al_strerror(3)
.SH AUTHOR
Greg Hudson, MIT Information Systems
.br
Copyright 1997, 1998 by the Massachusetts Institute of Technology.