Standards, Environments, and Macros                 privileges(5)


NAME

     privileges - process privilege model


DESCRIPTION

     Solaris software implements a set of privileges that provide
     fine-grained control over the actions of processes. The pos-
     session of a certain privilege allows a process to perform a
     specific set of restricted operations.

     The change to a primarily privilege-based security model  in
     the Solaris operating system gives developers an opportunity
     to restrict processes to those privileged  operations  actu-
     ally  needed  instead  of  all (super-user) or no privileges
     (non-zero UIDs). Additionally, a set  of  previously  unres-
     tricted   operations   now   requires   a  privilege;  these
     privileges are dubbed the  "basic"  privileges  and  are  by
     default given to all processes.

     Taken together, all defined privileges with the exception of
     the  "basic"  privileges  compose the set of privileges that
     are traditionally associated with the root user. The "basic"
     privileges  are  "privileges"  unprivileged  processes  were
     accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery  of  events
         to an event endpoint.

         Allow a process to include events in the critical  event
         set  term  of  a  template  which  could be generated in
         volume by the user.

     PRIV_CONTRACT_IDENTITY

          Allow a process to set the service FMRI value of a  pro-
          cess contract template.

     PRIV_CONTRACT_OBSERVER

         Allow a process to observe contract events generated  by
         contracts  created  and  owned  by  users other than the
         process's effective user ID.

          Allow  a  process  to  open  contract  event   endpoints
          belonging  to contracts created and owned by users other
          than the process's effective user ID.

SunOS 5.11          Last change: 29 May 2009                    1

     PRIV_CPC_CPU

         Allow a process to access per-CPU  hardware  performance
         counters.

     PRIV_DTRACE_KERNEL

         Allow DTrace kernel-level tracing.

     PRIV_DTRACE_PROC

         Allow DTrace process-level tracing. Allow  process-level
         tracing  probes to be placed and enabled in processes to
         which the user has permissions.

     PRIV_DTRACE_USER

         Allow DTrace user-level tracing. Allow use of  the  sys-
         call  and  profile DTrace providers to examine processes
         to which the user has permissions.

     PRIV_FILE_CHOWN

         Allow a process to change a file's owner user ID.  Allow
         a  process to change a file's group ID to one other than
         the process's effective group ID or one of the process's
         supplemental group IDs.

     PRIV_FILE_CHOWN_SELF

         Allow a process to give away its files. A  process  with
         this  privilege  runs as if {_POSIX_CHOWN_RESTRICTED} is
         not in effect.

     PRIV_FILE_DAC_EXECUTE

         Allow a process to execute an executable file whose per-
         mission bits or ACL would otherwise disallow the process
         execute permission.

     PRIV_FILE_DAC_READ

         Allow a process to read a file or directory  whose  per-
         mission bits or ACL would otherwise disallow the process
         read permission.

     PRIV_FILE_DAC_SEARCH

         Allow a process to search a directory  whose  permission
         bits or ACL would not otherwise allow the process search
         permission.

     PRIV_FILE_DAC_WRITE

         Allow a process to write a file or directory whose  per-
         mission  bits or ACL do not allow the process write per-
         mission. All privileges  are  required  to  write  files
         owned by UID 0 in the absence of an effective UID of 0.

     PRIV_FILE_DOWNGRADE_SL

         Allow a process to set the sensitivity label of  a  file
         or  directory  to a sensitivity label that does not dom-
         inate the existing sensitivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_FILE_LINK_ANY

         Allow a process to create hardlinks to files owned by  a
         UID different from the process's effective UID.

     PRIV_FILE_OWNER

         Allow a process that is not  the  owner  of  a  file  to
         modify  that file's access and modification times. Allow
         a process that is not the owner of a directory to modify
         that  directory's access and modification times. Allow a
         process that is not the owner of a file or directory  to
         remove or rename a file or directory whose parent direc-
         tory has the "save text image after execution"  (sticky)
         bit set. Allow a process that is not the owner of a file
         to mount a namefs upon that file. Allow a  process  that
         is  not  the owner of a file or directory to modify that
         file's or directory's permission bits or ACL.

     PRIV_FILE_SETID

         Allow a process to change the ownership  of  a  file  or
         write to a file without the set-user-ID and set-group-ID
         bits being cleared. Allow a  process  to  set  the  set-
         group-ID  bit  on a file or directory whose group is not
         the process's effective group or one  of  the  process's
         supplemental  groups.  Allow  a  process to set the set-
         user-ID bit on a file with different  ownership  in  the
         presence  of  PRIV_FILE_OWNER.   Additional restrictions
         apply when creating or modifying a setuid 0 file.

     PRIV_FILE_UPGRADE_SL

         Allow a process to set the sensitivity label of  a  file
         or  directory  to a sensitivity label that dominates the
         existing sensitivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_FILE_FLAG_SET

          Allow a process to set immutable, nounlink, or appendonly
          file attributes.

     PRIV_GRAPHICS_ACCESS

         Allow a process to make privileged  ioctls  to  graphics
         devices. Typically only an xserver process needs to have
         this privilege. A process with this  privilege  is  also
         allowed to perform privileged graphics device mappings.

     PRIV_GRAPHICS_MAP

         Allow a process to perform privileged mappings through a
         graphics device.

     PRIV_IPC_DAC_READ

         Allow a process to read a System V  IPC  Message  Queue,
         Semaphore Set, or Shared Memory Segment whose permission
         bits would not otherwise allow the process read  permis-
         sion.

     PRIV_IPC_DAC_WRITE

         Allow a process to write a System V IPC  Message  Queue,
         Semaphore Set, or Shared Memory Segment whose permission
         bits would not otherwise allow the process write permis-
         sion.

     PRIV_IPC_OWNER

         Allow a process that is not the owner of a System V  IPC
         Message  Queue,  Semaphore Set, or Shared Memory Segment
         to remove, change ownership  of,  or  change  permission
         bits  of  the  Message  Queue,  Semaphore Set, or Shared
         Memory Segment.

     PRIV_NET_BINDMLP

         Allow a process to bind to a port that is configured  as
         a  multi-level  port  (MLP) for the process's zone. This
         privilege applies  to  both  shared  address  and  zone-
         specific address MLPs. See tnzonecfg(4) from the Trusted
         Extensions manual pages for information  on  configuring
         MLP ports.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_NET_ICMPACCESS

         Allow a process to send and receive ICMP packets.

     PRIV_NET_MAC_AWARE

         Allow a process to set the NET_MAC_AWARE process flag by
         using  setpflags(2).   This privilege also allows a pro-
         cess to set the SO_MAC_EXEMPT  socket  option  by  using
         setsockopt(3SOCKET).  The NET_MAC_AWARE process flag and
         the SO_MAC_EXEMPT socket option both allow a local  pro-
         cess  to communicate with an unlabeled peer if the local
         process's label dominates the peer's default  label,  or
         if the local process runs in the global zone.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_NET_OBSERVABILITY

          Allow a process to open a device for receiving  network
          traffic only; sending traffic is disallowed.

     PRIV_NET_PRIVADDR

          Allow a process to bind to a privileged port number. The
          privileged port numbers are 1-1023 (the traditional UNIX
          privileged ports) as  well  as  those  ports  marked  as
          "udp/tcp_extra_priv_ports",  with  the  exception of the
          ports reserved for use by NFS and SMB.

     PRIV_NET_RAWACCESS

         Allow a process to have direct  access  to  the  network
         layer.

     PRIV_PROC_AUDIT

         Allow a process to generate audit records. Allow a  pro-
         cess to get its own audit pre-selection information.

     PRIV_PROC_CHROOT

         Allow a process to change its root directory.

     PRIV_PROC_CLOCK_HIGHRES

         Allow a process to use high resolution timers.

     PRIV_PROC_EXEC

         Allow a process to call exec(2).

     PRIV_PROC_FORK

         Allow a process to call fork(2), fork1(2), or vfork(2).

     PRIV_PROC_INFO

         Allow a process to examine the status of processes other
         than  those to which it can send signals. Processes that
         cannot be examined cannot be seen in  /proc  and  appear
         not to exist.

     PRIV_PROC_LOCK_MEMORY

         Allow a process to lock pages in physical memory.

     PRIV_PROC_OWNER

         Allow a process to send signals to other  processes  and
         inspect and modify the process state in other processes,
         regardless of ownership. When modifying another process,
         additional  restrictions  apply: the effective privilege
         set of the attaching process must be a superset  of  the
         target  process's  effective, permitted, and inheritable
         sets; the limit set must be a superset of  the  target's
         limit  set;  if  the target process has any UID set to 0
         all privilege must be asserted unless the effective  UID
         is  0.  Allow  a  process to bind arbitrary processes to
         CPUs.

     PRIV_PROC_PRIOCNTL

         Allow a  process  to  elevate  its  priority  above  its
         current  level. Allow a process to change its scheduling
         class to any scheduling class, including the RT class.

     PRIV_PROC_SESSION

         Allow a process to send signals or trace processes  out-
         side its session.

     PRIV_PROC_SETID

          Allow a process to set its UIDs at will; assuming UID  0
          requires all privileges to be asserted.

     PRIV_PROC_TASKID

         Allow a process to assign a new task ID to  the  calling
         process.

     PRIV_PROC_ZONE

         Allow a process to trace or send signals to processes in
         other zones. See zones(5).

     PRIV_SYS_ACCT

          Allow a process to enable, disable, and manage accounting
          through acct(2).

     PRIV_SYS_ADMIN

          Allow a process to perform system  administration  tasks
          such  as  setting  node  and  domain name and specifying
          coreadm(1M) and nscd(1M) settings.

     PRIV_SYS_AUDIT

         Allow a process to  start  the  (kernel)  audit  daemon.
         Allow  a process to view and set audit state (audit user
         ID, audit terminal ID, audit  sessions  ID,  audit  pre-
         selection  mask).  Allow  a  process  to turn off and on
         auditing. Allow a process to configure the audit parame-
         ters  (cache  and  queue sizes, event to class mappings,
         and policy options).

     PRIV_SYS_CONFIG

         Allow a process to perform various system  configuration
         tasks.  Allow  filesystem-specific  administrative  pro-
         cedures, such as filesystem configuration ioctls,  quota
         calls,  creation  and deletion of snapshots, and manipu-
         lating the PCFS bootsector.

     PRIV_SYS_DEVICES

         Allow a process to create device special files. Allow  a
         process  to successfully call a kernel module that calls
         the kernel drv_priv(9F) function to  check  for  allowed
         access.  Allow a process to open the real console device
         directly. Allow a process to open devices that have been
         exclusively opened.

     PRIV_SYS_DL_CONFIG

         Allow a process to configure a system's datalink  inter-
         faces.

     PRIV_SYS_IP_CONFIG

          Allow a process to configure a  system's  IP  interfaces
          and routes. Allow a process to configure network parame-
          ters for TCP/IP using ndd.  Allow a  process  access  to
          otherwise   restricted  TCP/IP  information  using  ndd.
          Allow a process to configure IPsec.  Allow a process  to
          pop anchored STREAMS modules with matching zoneid.

     PRIV_SYS_IPC_CONFIG

         Allow a process to increase the size of a System  V  IPC
         Message Queue buffer.

     PRIV_SYS_LINKDIR

         Allow a process to unlink and link directories.

     PRIV_SYS_MOUNT

         Allow a process to mount and  unmount  filesystems  that
         would otherwise be restricted (that is, most filesystems
         except namefs).  Allow a process to add and remove  swap
         devices.

     PRIV_SYS_NET_CONFIG

         Allow a  process  to  do  all  that  PRIV_SYS_IP_CONFIG,
         PRIV_SYS_DL_CONFIG,  and PRIV_SYS_PPP_CONFIG allow, plus
         the  following:  use  the  rpcmod  STREAMS  module   and
         insert/remove  STREAMS  modules  on locations other than
         the top of the module stack.

     PRIV_SYS_NFS

         Allow a process to provide NFS service: start NFS kernel
         threads,  perform  NFS  locking  operations, bind to NFS
         reserved ports: ports 2049 (nfs) and port 4045 (lockd).

     PRIV_SYS_PPP_CONFIG

          Allow a process to create, configure,  and  destroy  PPP
          instances  with  pppd(1M)  and  control  PPPoE  plumbing
          with sppptun(1M). This privilege is granted  by  default
          to exclusive IP stack instance zones.

     PRIV_SYS_RES_CONFIG

         Allow a process to create  and  delete  processor  sets,
         assign   CPUs   to   processor  sets  and  override  the
         PSET_NOESCAPE property. Allow a process  to  change  the
         operational   status   of   CPUs  in  the  system  using
         p_online(2).  Allow a process  to  configure  filesystem
         quotas.  Allow a process to configure resource pools and
         bind processes to pools.

     PRIV_SYS_RESOURCE

         Allow a process to exceed the resource limits imposed on
         it by setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB

         Allow a process to  provide  NetBIOS  or  SMB  services:
         start  SMB  kernel  threads  or  bind  to NetBIOS or SMB
         reserved ports: ports 137, 138, 139  (NetBIOS)  and  445
         (SMB).

     PRIV_SYS_SUSER_COMPAT

         Allow a process to successfully call a third party load-
         able  module  that  calls the kernel suser() function to
         check for allowed access. This privilege exists only for
         third  party  loadable  module  compatibility and is not
         used by Solaris proper.

     PRIV_SYS_TIME

         Allow a process to manipulate system time using  any  of
         the appropriate system calls:  stime(2), adjtime(2), and
         ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL

         Allow a process to translate labels that  are  not  dom-
         inated by the process's sensitivity label to and from an
         external string form.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_VIRT_MANAGE

          Allow a process to manage virtualized  environments such
          as xVM(5).

     PRIV_WIN_COLORMAP

         Allow a process to override colormap restrictions.

         Allow a process to install or remove colormaps.

         Allow a process to retrieve colormap cell entries  allo-
         cated by other processes.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_CONFIG

         Allow a process to configure or destroy  resources  that
         are permanently retained by the X server.

          Allow a process to use SetScreenSaver to set the  screen
          saver timeout value.

         Allow a process to use ChangeHosts to modify the display
         access control list.

         Allow a process to use GrabServer.

         Allow a process to use the SetCloseDownMode request that
         can  retain  window, pixmap, colormap, property, cursor,
         font, or graphic context resources.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_DAC_READ

         Allow a process to read from a window resource  that  it
         does not own (has a different user ID).

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_DAC_WRITE

         Allow a process to write to or create a window  resource
         that  it does not own (has a different user ID). A newly
         created window property is  created  with  the  window's
         user ID.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_DEVICES

         Allow a process to perform operations  on  window  input
         devices.

         Allow a process to get and set keyboard and pointer con-
         trols.

         Allow a process to modify pointer button  and  key  map-
         pings.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_DGA

         Allow a process to use the direct graphics access  (DGA)
         X  protocol  extensions.  Direct  process  access to the
         frame buffer is still required. Thus  the  process  must
         have  MAC  and  DAC  privileges that allow access to the
         frame buffer, or the frame buffer must be  allocated  to
         the process.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_DOWNGRADE_SL

         Allow a process to set the sensitivity label of a window
         resource  to  a sensitivity label that does not dominate
         the existing sensitivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_FONTPATH

         Allow a process to set a font path.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_MAC_READ

         Allow a process to read from  a  window  resource  whose
         sensitivity  label  is  not  equal to the process sensi-
         tivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_MAC_WRITE

         Allow a process to create a window resource whose sensi-
         tivity  label  is  not  equal to the process sensitivity
         label. A newly created window property is  created  with
         the window's sensitivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_SELECTION

         Allow a  process  to  request  inter-window  data  moves
         without the intervention of the selection confirmer.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_WIN_UPGRADE_SL

         Allow a process to set the sensitivity label of a window
         resource  to  a  sensitivity  label  that  dominates the
         existing sensitivity label.

         This privilege is interpreted only if the system is con-
         figured with Trusted Extensions.

     PRIV_XVM_CONTROL

          Allow a process access to the  xVM(5)  control  devices
          for  managing  guest  domains  and  the hypervisor. This
          privilege is used only if booted into xVM on  x86  plat-
          forms.

     Of   the   privileges   listed   above,    the    privileges
     PRIV_FILE_LINK_ANY,    PRIV_PROC_INFO,    PRIV_PROC_SESSION,
     PRIV_PROC_FORK and  PRIV_PROC_EXEC  are  considered  "basic"
     privileges.  These  are  privileges  that  used to be always
     available to unprivileged processes. By  default,  processes
     still have the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT  must  be
     present  in  the Limit set (see below) of a process in order
     for set-uid root execs to be successful,  that  is,  get  an
     effective UID of 0 and additional privileges.

     The privilege implementation in Solaris extends the  process
     credential with four privilege sets:

     I, the inheritable set    The privileges inherited on exec.

     P, the permitted set      The maximum set of privileges  for
                               the process.

     E, the effective set      The   privileges   currently    in
                               effect.

     L, the limit set          The upper bound of the  privileges
                               a  process  and  its offspring can
                               obtain.  Changes to L take  effect
                               on the next exec.

     The sets I, P and E are typically identical to the basic set
     of  privileges  for unprivileged processes. The limit set is
     typically the full set of privileges.

     Each process has a Privilege Awareness State (PAS) that  can
     take the value PA (privilege-aware) and NPA (not-PA). PAS is
     a transitional mechanism that allows a choice  between  full
     compatibility  with  the  old superuser model and completely
     ignoring the effective UID.

     To facilitate the discussion, we  introduce  the  notion  of
     "observed  effective  set" (oE) and "observed permitted set"
     (oP) and the implementation sets iE and iP.

     A process becomes privilege-aware either by manipulating the
     effective,   permitted,  or  limit  privilege  sets  through
     setppriv(2) or by using setpflags(2).  In all cases, oE  and
     oP are invariant in the process of becoming privilege-aware.
     In the process of becoming  privilege-aware,  the  following
     assignments take place:

       iE = oE
       iP = oP

     When a process is privilege-aware, oE and oP  are  invariant
     under UID changes. When a process is not privilege-aware, oE
     and oP are observed as follows:

       oE = euid == 0 ? L : iE
       oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

     When a non-privilege-aware process has an effective  UID  of
     0,  it  can  exercise  the privileges contained in its limit
     set, the upper bound of its privileges. If a  non-privilege-
     aware  process has any of the UIDs 0, it appears to be capa-
     ble of potentially exercising all privileges in L.

     It is possible for a process to return to the  non-privilege
     aware  state  using setpflags().  The kernel always attempts
     this on exec(2).  This operation is permitted  only  if  the
     following conditions are met:

         o    If any of the UIDs is equal to 0, P must  be  equal
              to L.

         o    If the effective UID is equal to 0, E must be equal
              to L.

     When a process gives up privilege awareness,  the  following
     assignments take place:

       if (euid == 0) iE = L & I
       if (any uid == 0) iP = L & I

     The privileges obtained when not having a UID of 0  are  the
     inheritable set of the process restricted by the limit set.

     Only  privileges  in  the  process's  (observed)   effective
     privilege set allow the process to perform restricted opera-
     tions. A process can use any of the  privilege  manipulation
     functions  to  add  or  remove privileges from the privilege
     sets. Privileges can always  be  removed.  Only  privileges
     found in the permitted set can be added to the effective and
     inheritable set. The limit set cannot grow. The  inheritable
     set can be larger than the permitted set.

     When a process performs an exec(2), the kernel  first  tries
     to  relinquish privilege awareness before making the follow-
     ing privilege set modifications:

       E' = P' = I' = L & I
       L is unchanged

     If  a  process  has  not  manipulated  its  privileges,  the
     privilege  sets  effectively  remain the same, as E, P and I
     are already identical.

     The limit set is enforced at exec time.

     To run a  non-privilege-aware  application  in  a  backward-
     compatible  manner,  a  privilege-aware  application  should
     start the non-privilege-aware application with I=basic.
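     The set rules above (observed versus implementation sets, the
     transitions into and out of privilege awareness, the add and
     remove rules, and the exec(2) transition) run as code. This is
     an added illustration written for this page, not code from
     Solaris: it models the rules with Python sets instead of
     calling setppriv(2) or setpflags(2), so it runs on any host.
     The Proc class, the function names, the small stand-in ALL set
     and the constructed UIDs are assumptions of the model; the
     set-uid root rule uses the three unsafe privileges the page
     names (proc_setid, sys_resource and proc_audit).

```python
from dataclasses import dataclass, replace

# Privilege names are the page's.  ALL is a small stand-in for the full
# privilege set (the real one is far larger): an assumption of this model.
BASIC = frozenset({"file_link_any", "proc_info", "proc_session",
                   "proc_fork", "proc_exec"})
ALL = BASIC | {"proc_setid", "proc_audit", "sys_resource", "proc_owner",
               "net_privaddr", "file_dac_read", "sys_mount"}
UNSAFE = frozenset({"proc_setid", "sys_resource", "proc_audit"})


@dataclass(frozen=True)
class Proc:
    """A credential: three UIDs, the implementation sets iE and iP, the
    inheritable and limit sets, and the awareness state (False = NPA)."""
    ruid: int
    euid: int
    suid: int
    iE: frozenset
    iP: frozenset
    I: frozenset
    L: frozenset
    aware: bool = False

    def any_uid0(self):
        return 0 in (self.ruid, self.euid, self.suid)

    @property
    def oE(self):
        """oE = euid == 0 ? L : iE for an NPA process; iE once PA."""
        return self.L if (not self.aware and self.euid == 0) else self.iE

    @property
    def oP(self):
        """oP = any uid == 0 ? L : iP for an NPA process; iP once PA."""
        return self.L if (not self.aware and self.any_uid0()) else self.iP


def become_aware(p):
    """Side effect of setppriv(2)/setpflags(2): iE = oE, iP = oP, PAS = PA."""
    return replace(p, iE=p.oE, iP=p.oP, aware=True)


def relinquish_awareness(p):
    """Return to NPA, as the kernel attempts on every exec.  Refused when
    any UID is 0 but P != L, or the effective UID is 0 but E != L."""
    if not p.aware:
        return p
    if p.any_uid0() and p.oP != p.L:
        return p
    if p.euid == 0 and p.oE != p.L:
        return p
    li = p.L & p.I
    return replace(p, iE=li if p.euid == 0 else p.iE,
                   iP=li if p.any_uid0() else p.iP, aware=False)


def set_effective(p, new_e):
    """Privileges can always be removed; only those in P can be added."""
    p = become_aware(p)
    if not new_e <= p.oP:
        raise PermissionError("cannot add privileges outside P to E")
    return replace(p, iE=frozenset(new_e))


def set_limit(p, new_l):
    """The limit set cannot grow; the change is felt at the next exec."""
    p = become_aware(p)
    if not new_l <= p.L:
        raise PermissionError("the limit set cannot grow")
    return replace(p, L=frozenset(new_l))


def exec_(p, setuid_root=False):
    """exec(2): try to drop awareness, then E' = P' = I' = L & I with L
    unchanged.  A set-uid root image yields euid = suid = 0 only while
    every unsafe privilege (proc_setid, sys_resource, proc_audit) is in L."""
    p = relinquish_awareness(p)
    euid, suid = p.euid, p.suid
    if setuid_root and UNSAFE <= p.L:
        euid = suid = 0
    li = p.L & p.I
    return replace(p, euid=euid, suid=suid, iE=li, iP=li, I=li)


def demo():
    """An unprivileged shell execs a set-uid root program twice: as is,
    and after first removing proc_setid from its own limit set."""
    shell = Proc(1001, 1001, 1001, iE=BASIC, iP=BASIC, I=BASIC, L=ALL)
    as_is = exec_(shell, setuid_root=True)
    fenced = exec_(set_limit(shell, ALL - {"proc_setid"}), setuid_root=True)
    return as_is, fenced
```

     demo() shows the consequence the text describes for set-uid
     root execs: with proc_setid removed from L, the child keeps
     the caller's UID and observes only the basic set, whereas the
     unrestricted exec yields euid 0 and, being non-privilege-aware,
     observes the whole limit set as E and P. The model also shows
     why a UID 0 process that has shrunk E below L stays
     privilege-aware across exec: relinquishing awareness is refused,
     so E' = L & I rather than L.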

     For most privileges, absence of the privilege simply results
     in a failure.  In some instances, the absence of a privilege
     can cause system  calls  to  behave  differently.  In  other
     instances,  the  removal  of a privilege can force a set-uid
     application to seriously  malfunction.  Privileges  of  this
     type  are considered "unsafe". When a process is lacking any
     of the unsafe privileges from its limit set, the system does
     not  honor the set-uid bit of set-uid root applications. The
     following   unsafe   privileges   have   been    identified:
     proc_setid, sys_resource and proc_audit.

  Privilege Escalation
     In certain circumstances, a single privilege could lead to a
     process  gaining one or more additional privileges that were
     not explicitly granted to that process. To prevent  such  an
     escalation  of  privileges,  the  security  policy  requires
     explicit permission for those additional privileges.

     Common examples of  escalation  are  those  mechanisms  that
     allow modification of system resources through "raw"  inter-
     faces; for example, changing kernel data structures  through
     /dev/kmem  or changing files through /dev/dsk/*.  Escalation
     also occurs when a  process  controls  processes  with  more
     privileges  than  the controlling process. A special case of
     this is manipulating or creating objects owned by UID  0  or
     trying  to obtain UID 0 using setuid(2).  The special treat-
     ment of UID 0 is needed because the UID 0  owns  all  system
     configuration  files and ordinary file protection mechanisms
     allow processes with UID 0 to modify the  system  configura-
     tion.   With appropriate file modifications, a given process
     running with an effective UID of 0 can gain all privileges.

     In situations where a process might obtain UID 0, the  secu-
     rity  policy  requires additional privileges, up to the full
     set of privileges. Such restrictions  could  be  relaxed  or
     removed at such time as additional mechanisms for protection
     of system files became available. There are no such  mechan-
     isms in the current Solaris release.

     The use of UID 0 processes should be limited as much as pos-
     sible. They should be replaced with programs running under a
     different UID but with exactly the privileges they need.

     Daemons that never need to exec subprocesses  should  remove
     the  PRIV_PROC_EXEC privilege from their permitted and limit
     sets.
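     The escalation-through-control case above is what the superset
     restrictions listed under PRIV_PROC_OWNER guard against. The
     following policy check is an added example for this page, not
     Solaris code: it evaluates those documented rules over Python
     sets so the denied cases can be seen. The Cred class, the
     notion of ownership used when proc_owner is absent (every
     target UID equal to the actor's effective UID), the small
     stand-in ALL set and the sample credentials are all assumptions
     of the example; the superset and UID 0 rules are applied to
     every modification attempt.

```python
from dataclasses import dataclass

# Small stand-in for the full privilege set: an assumption of this model.
BASIC = frozenset({"file_link_any", "proc_info", "proc_session",
                   "proc_fork", "proc_exec"})
ALL = BASIC | {"proc_owner", "proc_setid", "proc_audit", "sys_resource",
               "net_privaddr", "file_dac_read", "sys_mount"}


@dataclass(frozen=True)
class Cred:
    """The three UIDs and the E, P, I and L sets as the policy observes
    them.  For a non-privilege-aware UID 0 process pass E = P = L."""
    ruid: int
    euid: int
    suid: int
    E: frozenset
    P: frozenset
    I: frozenset
    L: frozenset

    @property
    def uids(self):
        return (self.ruid, self.euid, self.suid)


def may_modify(actor, target):
    """Decide whether actor may modify target; return (allowed, reason).
    'Owning' a target is modelled as every target UID matching the
    actor's effective UID; the page says only that proc_owner lifts
    the ownership test, so that definition is an assumption here."""
    owns = all(u == actor.euid for u in target.uids)
    if not owns and "proc_owner" not in actor.E:
        return False, "not the owner and proc_owner not in E"
    # No escalation through control: the actor's E must cover the
    # target's E, P and I, and the actor's L must cover the target's L.
    missing = (target.E | target.P | target.I) - actor.E
    if missing:
        return False, "target holds %s outside actor's E" % sorted(missing)
    if not target.L <= actor.L:
        return False, "target's limit set exceeds the actor's"
    # Any UID 0 in the target needs all privileges unless euid is 0.
    if 0 in target.uids and actor.euid != 0 and actor.E != ALL:
        return False, "UID 0 target needs all privileges or euid 0"
    return True, "allowed"


# Constructed sample credentials, not taken from any real system.
DAEMON = Cred(1002, 1002, 1002,             # no exec, but a privileged port
              E=(BASIC | {"net_privaddr"}) - {"proc_exec"},
              P=(BASIC | {"net_privaddr"}) - {"proc_exec"},
              I=BASIC - {"proc_exec"}, L=ALL - {"proc_exec"})
SHELL = Cred(1002, 1002, 1002, E=BASIC, P=BASIC, I=BASIC, L=ALL)
ROOT = Cred(0, 0, 0, E=ALL, P=ALL, I=BASIC, L=ALL)   # NPA root observes L


def demo():
    """The daemon's own user tries to attach a debugger to it: ownership
    passes, but the daemon holds net_privaddr that the shell's E lacks."""
    return may_modify(SHELL, DAEMON)
```

     Two points worth noting from running it: holding proc_owner is
     not enough on its own, since an operator whose E lacks
     net_privaddr is still refused against DAEMON, and a target
     that carries a UID of 0 anywhere in its credential is refused
     to every non-root actor whose E is short of the full set even
     when the target's own sets are tiny.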

  Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system  adminis-
     trator  could  give that user more powers than intended. The
     administrator should consider whether safeguards are needed.
     For example, if the PRIV_PROC_LOCK_MEMORY privilege is given
     to a user, the administrator  should  consider  setting  the
     project.max-locked-memory   resource  control  as  well,  to
     prevent that user from locking all memory.

  Privilege Debugging
     When a system call fails with a permission error, it is  not
     always immediately obvious what caused the problem. To debug
     such a problem, you can use a tool called  privilege  debug-
     ging.   When  privilege  debugging is enabled for a process,
     the kernel reports missing  privileges  on  the  controlling
     terminal  of  the  process.  (Enable debugging for a process
     with the -D option of ppriv(1).)  Additionally, the adminis-
     trator can enable system-wide privilege debugging by setting
     the system(4) variable priv_debug using:

       set priv_debug = 1

     On a running system, you can use mdb(1) to change this vari-
     able.

  Privilege Administration
     The Solaris Management Console (see  smc(1M))  is  the  pre-
     ferred  method  of  modifying  privileges for a command. Use
     usermod(1M) or smrole(1M) to assign privileges to or  modify
     privileges for, respectively, a user or a role. Use ppriv(1)
     to enumerate  the  privileges  supported  on  a  system  and
     truss(1) to determine which privileges a program requires.


SEE ALSO

     mdb(1),  ppriv(1),  add_drv(1M),  ifconfig(1M),   lockd(1M),
     nfsd(1M),   pppd(1M),  rem_drv(1M),  smbd(1M),  sppptun(1M),
     update_drv(1M), Intro(2), access(2), acct(2),  acl(2),  adj-
     time(2),    audit(2),    auditon(2),   chmod(2),   chown(2),
     chroot(2),  creat(2),  exec(2),  fcntl(2),  fork(2),  fpath-
     conf(2),  getacct(2),  getpflags(2), getppriv(2), getsid(2),
     kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2),
     nice(2),  ntp_adjtime(2), open(2), p_online(2), priocntl(2),
     priocntlset(2),       processor_bind(2),       pset_bind(2),
     pset_create(2),   readlink(2),   resolvepath(2),   rmdir(2),
     semctl(2), setauid(2),  setegid(2),  seteuid(2),  setgid(2),
     setgroups(2),  setpflags(2), setppriv(2), setrctl(2), setre-
     gid(2), setreuid(2), setrlimit(2), settaskid(2),  setuid(2),
     shmctl(2),   shmget(2),   shmop(2),   sigsend(2),   stat(2),
     statvfs(2),  stime(2),  swapctl(2),  sysinfo(2),  uadmin(2),
     ulimit(2),   umount(2),   unlink(2),   utime(2),  utimes(2),
     bind(3SOCKET),       door_ucred(3C),        priv_addset(3C),
     priv_set(3C),     priv_getbyname(3C),     priv_getbynum(3C),
     priv_set_to_str(3C),  priv_str_to_set(3C),  socket(3SOCKET),
     t_bind(3NSL), timer_create(3C), ucred_get(3C), exec_attr(4),
     proc(4),  system(4),  user_attr(4),  xVM(5),   ddi_cred(9F),
     drv_priv(9F),      priv_getbyname(9F),      priv_policy(9F),
     priv_policy_choice(9F), priv_policy_only(9F)

     System Administration Guide: Security Services
