2.3.1 .$WLI_FSPARMS$

The .$WLI_FSPARMS$ file is a regular file that records the metadata storage type for the file system in which it resides. It always appears in the root directory of a file system that also contains WLI metadata. The storage type is selected by the wmdstoretype parameter; for details, see wlisys(1M). The following storage types are available:

auto
    If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named stream. A named stream is associated with the protected file's inode and is not accessible to most commands. For VxFS file systems at revision 5.0 or earlier, and for all other file system types, metadata is stored as described in the following entry for pseudo.

pseudo
    Metadata is stored separately, in files within directories always named .$WLI_POLICY$ (described in the following section). These metadata directories always reside in the parent directory of the policy-protected files.

2.3.2 .$WLI_POLICY$

Directories named .$WLI_POLICY$ contain policy metadata files. They appear when the wmdstoretype parameter has the value pseudo, when the file system is VxFS 5.0 or earlier, and on all non-VxFS file systems. In addition to write-protecting them, WLI does not allow read access to any file under a directory with this name, so the metadata can be neither modified nor inspected by ordinary processes.

Each file in this directory has the same name as a file in the parent directory that has been assigned an access policy with wlipolicy. For example, if /tmp contains the following files with WLI access policies:

% ls -l /tmp/JdMB4NJ1 /tmp/T1df07xe
-rw-------   1 joe   users   2723 May  4 14:49 /tmp/JdMB4NJ1
-rw-------   1 joe   users   8199 Jun  3 20:46 /tmp/T1df07xe

Then /tmp/.$WLI_POLICY$ contains the corresponding policy metadata files:

% ls -l /tmp/.\$WLI_POLICY\$
-rw-------   1 joe   users   2048 Jul 15 15:29 JdMB4NJ1
-rw-------   1 joe   users   2048 Jun  3 20:47 T1df07xe

NOTE: The '\' escape character is used to escape '$', which is a special character to shell interpreters.

2.3.3 .$WLI_SIGNATURE$

Directories named .$WLI_SIGNATURE$ contain signature metadata files. In addition to write-protecting them, WLI does not allow read access to any file under a directory with this name.

Each file in this directory has the same name as a non-ELF binary in the parent directory that has been signed with wlisign. For example, if /tmp contains the following signed non-ELF binaries:

% ls -l /tmp/CXkiELYm /tmp/wpSzpxzI
-rw-------   1 joe   users   1809 Dec  9  2009 /tmp/CXkiELYm
-rw-------   1 joe   users   1809 Mar 21 03:13 /tmp/wpSzpxzI

Then /tmp/.$WLI_SIGNATURE$ contains the corresponding signature metadata files:

% ls -l /tmp/.\$WLI_SIGNATURE\$
-rw-------   1 joe   users   2048 Jul 15 01:33 CXkiELYm
-rw-------   1 joe   users   2048 Jul 15 01:36 wpSzpxzI

NOTE: The '\' escape character is used to escape '$', which is a special character to shell interpreters.

ELF-formatted binaries signed by wlitool or wlisign store their signature metadata in a section within the binary file itself and therefore do not have separate metadata files.
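The layouts described in 2.3.2 and 2.3.3 make a simple consistency check possible. The following shell script is an added example, not code from the HP-UX WLI manual: it lists each .$WLI_POLICY$ and .$WLI_SIGNATURE$ entry under a directory, reports whether the file it names still exists in the parent directory, and flags metadata left behind by a deleted or renamed file (or planted by hand). The function names and the empty placeholder tree it builds are this example's own; the only WLI facts it relies on are the directory names, the one-metadata-file-per-protected-file naming rule stated above, and the fact that listing those directories is permitted, as the manual's ls -l output shows, even though reading the files inside them is not.

```sh
#!/bin/sh
# Added example, not from the HP-UX WLI manual: cross-check the pseudo
# metadata directories against the files they describe.
# Assumes only what the text states: metadata for a protected file lives in
# <parent>/.$WLI_POLICY$/<name> (access policies) or
# <parent>/.$WLI_SIGNATURE$/<name> (non-ELF signatures), and that WLI lets
# you list those directories even though it denies reading their contents.

# wli_metadata_report DIR
# Prints one sorted line per metadata entry found under DIR:
#   policy NAME            DIR/NAME has an access policy
#   signature NAME         DIR/NAME has a signature metadata file
#   stale-policy NAME      policy metadata whose target file no longer exists
#   stale-signature NAME   signature metadata whose target no longer exists
# A stale entry is worth a look: the protected file was removed or renamed
# while its metadata stayed behind, or the metadata name was planted by hand.
wli_metadata_report() {
    dir=$1
    for kind in policy signature; do
        case $kind in
            policy)    mdir="$dir/.\$WLI_POLICY\$" ;;
            signature) mdir="$dir/.\$WLI_SIGNATURE\$" ;;
        esac
        [ -d "$mdir" ] || continue
        # Two globs: ordinary names and dot-names (but not . and ..).
        for md in "$mdir"/* "$mdir"/.[!.]*; do
            [ -e "$md" ] || continue          # an unmatched glob stays literal
            name=${md##*/}
            if [ -e "$dir/$name" ]; then
                printf '%s %s\n' "$kind" "$name"
            else
                printf 'stale-%s %s\n' "$kind" "$name"
            fi
        done
    done | LC_ALL=C sort
}

# wli_make_sample ROOT
# Builds a constructed tree mirroring the manual's /tmp example so the report
# can be exercised on a machine without WLI. Real metadata is created only by
# wlipolicy and wlisign; these files are empty placeholders (hypothetical).
wli_make_sample() {
    root=$1
    mkdir -p "$root/.\$WLI_POLICY\$" "$root/.\$WLI_SIGNATURE\$"
    for f in JdMB4NJ1 T1df07xe CXkiELYm wpSzpxzI; do : > "$root/$f"; done
    : > "$root/.\$WLI_POLICY\$/JdMB4NJ1"
    : > "$root/.\$WLI_POLICY\$/T1df07xe"
    : > "$root/.\$WLI_POLICY\$/gone"          # metadata with no target file
    : > "$root/.\$WLI_SIGNATURE\$/CXkiELYm"
    : > "$root/.\$WLI_SIGNATURE\$/wpSzpxzI"
}

# Stand-alone demo: sh wli_check.sh --demo
if [ "${1-}" = "--demo" ]; then
    sample=$(mktemp -d) || exit 1
    wli_make_sample "$sample"
    wli_metadata_report "$sample"
    rm -rf "$sample"
fi
```

Run it with the --demo argument to see the report for the constructed tree, or source the file and call wli_metadata_report on a real directory. The check deliberately stops at names: WLI denies reads of the metadata files themselves, so their contents cannot be verified from a script, and a stale entry is only a prompt to check the policy with wlipolicy or the signature with wlisign rather than proof of tampering.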

HP-UX Security Products and Features Software manual