Technical Reference: Base Operating System and Extensions, Volume 1
Determines if a user is allowed to access the system.
Security Library (libc.a)
#include <login.h>
int loginrestrictions (Name, Mode, Tty, Msg)
char * Name;
int Mode;
char * Tty;
char ** Msg;
Note: This subroutine is not thread-safe.
The loginrestrictions subroutine determines if the user specified by the Name parameter is allowed to access the system. The Mode parameter gives the mode of account usage and the Tty parameter defines the terminal used for access. The Msg parameter returns an informational message explaining why the loginrestrictions subroutine failed.
This subroutine is unsuccessful if any of the following conditions exists:
- The user's account has expired as defined by the expires user attribute.
- The user's account has been locked as defined by the account_locked user attribute.
- The user attempted too many unsuccessful logins as defined by the loginretries user attribute.
- The user is not allowed to access the given terminal as defined by the ttys user attribute.
- The user is not allowed to access the system at the present time as defined by the logintimes user attribute.
- The Mode parameter is set to the S_LOGIN value or the S_RLOGIN value, and too many users are logged in as defined by the maxlogins system attribute.
- The Mode parameter is set to the S_LOGIN value and the user is not allowed to log in as defined by the login user attribute.
- The Mode parameter is set to the S_RLOGIN value and the user is not allowed to log in from the network as defined by the rlogin user attribute.
- The Mode parameter is set to the S_SU value and other users are not allowed to use the su command as defined by the su user attribute, or the group ID of the current process cannot use the su command to switch to this user as defined by the sugroups user attribute.
- The Mode parameter is set to the S_DAEMON value and the user is not allowed to run processes from the cron or src subsystem as defined by the daemon user attribute.
- The terminal is locked as defined by the locktime port attribute.
- The user cannot use the terminal to access the system at the present time as defined by the logintimes port attribute.
- The user is not the root user and the /etc/nologin file exists.
Note: The loginrestrictions subroutine is not safe
in a multi-threaded environment. To use loginrestrictions in
a threaded application, the application must keep the integrity of each
thread.
Name | Specifies the user's login name whose account is to be validated.
Mode | Specifies the mode of usage. Valid values as defined in the login.h file are listed below. The Mode parameter has a value of 0 or one of the following values:
- S_LOGIN: Verifies that local logins are permitted for this account.
- S_SU: Verifies that the su command is permitted and the current process has a group ID that can invoke the su command to switch to the account.
- S_DAEMON: Verifies the account can invoke daemon or batch programs through the src or cron subsystems.
- S_RLOGIN: Verifies the account can be used for remote logins through the rlogind or telnetd programs.
Tty | Specifies the terminal of the originating activity. If this parameter is a null pointer or a null string, no tty origin checking is done.
Msg | Returns an informative message indicating why the loginrestrictions subroutine failed. Upon return, the value is either a pointer to a valid string within memory allocated storage or a null value. If a message is displayed, it is provided based on the user interface.
Access Control: The calling process must have access to the account information in the user database and the port information in the port database.
Files Accessed:
Mode | Files
r | /etc/security/user
r | /etc/security/login.cfg
r | /etc/security/portlog
r | /etc/passwd
If the account is valid for the
specified usage, the loginrestrictions subroutine returns a value
of 0. Otherwise, a value of -1 is returned, the errno global
value is set to the appropriate error code, and the Msg parameter
returns an informative message explaining why the specified account usage is
invalid.
The loginrestrictions
subroutine fails if one or more of the following values is true:
ENOENT | The user specified does not have an account.
ESTALE | The user's account is expired.
EPERM | The user's account is locked, the specified terminal is locked, the user has had too many unsuccessful login attempts, or the user cannot log in because the /etc/nologin file exists.
EACCES | One of the following conditions exists:
- The specified terminal does not have access to the specified account.
- The Mode parameter is the S_SU value and the current process is not permitted to use the su command to access the specified user.
- Access to the account is not permitted in the specified mode.
- Access to the account is not permitted at the current time.
- Access to the system with the specified terminal is not permitted at the current time.
EAGAIN | The Mode parameter is either the S_LOGIN value or the S_RLOGIN value, and all the user licenses are in use.
EINVAL | The Mode parameter has a value other than S_LOGIN, S_SU, S_DAEMON, S_RLOGIN, or 0.
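The following is an added example, not code from this reference or from IBM: a wrapper that calls a routine with the loginrestrictions signature, fails closed on any non-zero return, and records the errno-derived reason in an audit line. The names check_access, restrict_fn, reason_for and demo_restrictions, the reason strings and the sample user names are hypothetical; releasing Msg with free() is an assumption based on the "allocated storage" wording above.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Same signature as loginrestrictions(); on AIX pass the real routine from <login.h>. */
typedef int (*restrict_fn)(char *name, int mode, char *tty, char **msg);
enum verdict { ALLOW, DENY, RETRY_LATER, CALLER_BUG };

/* Internal reason for a failed call, following the error codes listed on this page. */
static const char *reason_for(int err) {
    switch (err) {
    case ENOENT: return "no-such-account";
    case ESTALE: return "account-expired";
    case EPERM:  return "locked-or-nologin";
    case EACCES: return "mode-tty-or-time-denied";
    case EAGAIN: return "licenses-exhausted";
    case EINVAL: return "bad-mode";
    default:     return "unexpected-errno";
    }
}

/* Run the check, fail closed, and write the precise reason to `audit` (for logs). */
enum verdict check_access(restrict_fn fn, char *name, int mode, char *tty,
                          char *audit, size_t len) {
    char *msg = NULL;
    errno = 0;
    int rc = fn(name, mode, tty, &msg);
    int err = errno;                 /* save errno before any other library call */
    snprintf(audit, len, "user=%s tty=%s result=%s detail=%s", name, (tty && *tty) ? tty : "-",
             rc == 0 ? "ok" : reason_for(err), msg ? msg : "-");
    free(msg);                       /* assumption: Msg is malloc'd and caller-owned */
    if (rc == 0) return ALLOW;
    return err == EAGAIN ? RETRY_LATER : err == EINVAL ? CALLER_BUG : DENY;
}

/* Constructed stand-in (not the AIX routine) so the wrapper can run off AIX. */
int demo_restrictions(char *name, int mode, char *tty, char **msg) {
    (void)mode; (void)tty;
    int err = !strcmp(name, "ghost") ? ENOENT : !strcmp(name, "locked") ? EPERM : 0;
    *msg = err ? malloc(32) : NULL;
    if (*msg) strcpy(*msg, "constructed denial message");
    errno = err;
    return err ? -1 : 0;
}

int main(void) {
    char line[160];
    check_access(demo_restrictions, "locked", 0, "/dev/tty0", line, sizeof line);
    puts(line);
}
```

On AIX, pass loginrestrictions itself with one of the Mode values from login.h in place of the stand-in. Because ENOENT and EPERM distinguish a missing account from a locked one, the reason string is meant for the audit trail, while the verdict drives the login decision.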
This subroutine is part of Base
Operating System (BOS) Runtime.
The authenticate subroutine, getpcred subroutine, getpenv subroutine, loginfailed subroutine, loginsuccess subroutine, setpcred subroutine, setpenv subroutine.
The cron daemon.
The login command, rlogin command, telnet, tn, or tn3270 command, su command.
List of Security and Auditing Subroutines in AIX 5L Version 5.1 General Programming Concepts: Writing and Debugging Programs.
Subroutines, Example Programs, and Libraries in AIX 5L Version 5.1 General Programming Concepts: Writing and Debugging Programs.