/etc/security/domains File

Purpose

Contains the list of valid domains.

Description

The /etc/security/domains file stores the list of valid, user-defined domains available on a system. A domain administrator can modify domains. You can add new domains to this file using the mkdom command and modify authorizations using the chdom command.

A maximum of 1024 domains are supported.

The /etc/security/domains file is an ASCII file that uses a stanza for each domain. Each stanza is identified by the domain name followed by a colon (:). You can list domain attributes individually as Attribute=Value pairs on subsequent lines. Each attribute pair ends with a newline character, as does each stanza. For an example of a stanza, see Examples.

When the system is operating in EnhancedRBAC Mode, changes that you make to the domains file do not impact security considerations until you send the entire domain database to the Kernel Security Tables using the setkst command, or until the system is rebooted.

Modifying and listing entries in the domains file

Do not directly edit the /etc/security/domains file. Use the following commands and subroutines to manipulate the domain database:
mkdom
Adds new domains to the /etc/security/domains file.
chdom
Changes domain attributes.
lsdom
Displays domains that are defined in this file.
rmdom
Removes entries from this file.

To write programs that affect entries in the /etc/security/domains use one or more of the following subroutines:

  • getdomattr
  • getdomattrs
  • putdomattr
  • putdomattrs

Attributes

A stanza in the /etc/security/domains file contains one or more of the following attributes:

id
Specifies the unique numeric ID of the domain. This is a required attribute and is used internally for security decisions. Do not modify this ID after creating the domain. The value is a unique decimal integer greater than 0. The maximum value of the id is 1024.
dfltmsg
Specifies the default domain-description text if message catalogs are not in use. The value is a character string.
msgcat
Specifies the file name of the message catalog that contains the one-line description of the domain. The value is a character string.
msgset
Specifies the message set that contains the domain description in the message catalog. The value is a decimal integer.
msgnum
Specifies the message ID that contains the domain description in the message catalog. The value is a decimal integer.

Security

The root user and the security group own this file. This file grants read and write access to the root user. Access for other users and groups depends on the security policy for the system.

Examples

The following example, a domain described as a custom authorization, displays a typical stanza in the file:

INTRANET:
id = 1
dfltmsg = "Custom Authorization"
msgcat = "custom_auths.cat"
msgset = 1
msgnum = 5
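Because edits to this file only take effect after setkst loads the whole domain database, it is useful to validate the stanzas first. The following is an added example, not part of this manual page or of AIX: a small parser for the stanza format described above, run over a constructed sample, that flags a missing or duplicate id, an id outside 1..1024, unknown attributes, and more than 1024 domains. It assumes that lines beginning with an asterisk are comments.

```python
# Constructed sample in the stanza format described above; not a real system file.
SAMPLE = """\
INTRANET:
\tid = 1
\tdfltmsg = "Custom Authorization"
\tmsgcat = "custom_auths.cat"
\tmsgset = 1
\tmsgnum = 5

DMZ:
\tid = 1
\tdfltmsg = "Duplicate id, should be flagged"

BADDOM:
\tdfltmsg = "Missing id"
\tcolor = red
"""

KNOWN_ATTRS = {"id", "dfltmsg", "msgcat", "msgset", "msgnum"}
MAX_DOMAINS = 1024  # limit stated on this page, for both the count and the id value

def parse_domains(text):
    """Parse 'name:' stanza headers and the 'attr = value' lines that follow them."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or (assumed) comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas

def check_domains(stanzas):
    """Return the problems a reviewer would want fixed before running setkst."""
    problems = []
    if len(stanzas) > MAX_DOMAINS:
        problems.append(f"{len(stanzas)} domains exceed the limit of {MAX_DOMAINS}")
    seen = {}  # id value -> first domain that used it
    for name, attrs in stanzas.items():
        for key in attrs:
            if key not in KNOWN_ATTRS:
                problems.append(f"{name}: unknown attribute '{key}'")
        if "id" not in attrs:
            problems.append(f"{name}: missing required attribute id")
            continue
        if not attrs["id"].isdigit() or not 1 <= int(attrs["id"]) <= MAX_DOMAINS:
            problems.append(f"{name}: id must be a decimal integer in 1..{MAX_DOMAINS}")
            continue
        if attrs["id"] in seen:
            problems.append(f"{name}: id {attrs['id']} already used by {seen[attrs['id']]}")
        seen[attrs["id"]] = name
    return problems

if __name__ == "__main__":
    for problem in check_domains(parse_domains(SAMPLE)):
        print(problem)
```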