11621 fmadm and fmstat document privileges incorrectly
*** 1,22 ****
'\" te
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2015, Joyent, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
! .TH PRIVILEGES 5 "Feb 28, 2018"
.SH NAME
privileges \- process privilege model
.SH DESCRIPTION
! .LP
! Solaris software implements a set of privileges that provide fine-grained
control over the actions of processes. The possession of a certain privilege
allows a process to perform a specific set of restricted operations.
.sp
.LP
! The change to a primarily privilege-based security model in the Solaris
operating system gives developers an opportunity to restrict processes to those
privileged operations actually needed instead of all (super-user) or no
privileges (non-zero UIDs). Additionally, a set of previously unrestricted
operations now requires a privilege; these privileges are dubbed the "basic"
privileges and are by default given to all processes.
--- 1,22 ----
'\" te
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2015, Joyent, Inc. All Rights Reserved.
+ .\" Copyright 2019 Peter Tribble
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
! .TH PRIVILEGES 5 "Aug 26, 2019"
.SH NAME
privileges \- process privilege model
.SH DESCRIPTION
! In illumos, software implements a set of privileges that provide fine-grained
control over the actions of processes. The possession of a certain privilege
allows a process to perform a specific set of restricted operations.
.sp
.LP
! The change to a primarily privilege-based security model in the
operating system gives developers an opportunity to restrict processes to those
privileged operations actually needed instead of all (super-user) or no
privileges (non-zero UIDs). Additionally, a set of previously unrestricted
operations now requires a privilege; these privileges are dubbed the "basic"
privileges and are by default given to all processes.
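Review bot: the rewritten opening sentence "In illumos, software implements a set of privileges" reads awkwardly, because the subject of the original sentence was the operating system itself rather than unspecified software; suggest "illumos implements a set of privileges that provide fine-grained" so the rest of the paragraph reads unchanged. Dropping the `.LP` directly after `.SH DESCRIPTION` is fine, and the added 2019 copyright line together with the `.TH` date bump is consistent with the rest of the hunk.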
*** 639,649 ****
\fB\fBPRIV_SYS_ADMIN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform system administration tasks such as setting node and
! domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
.RE
.sp
.ne 2
.na
--- 639,649 ----
\fB\fBPRIV_SYS_ADMIN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform system administration tasks such as setting node and
! domain name and managing \fBfmd\fR(1M) and \fBnscd\fR(1M).
.RE
.sp
.ne 2
.na
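Review bot: the new PRIV_SYS_ADMIN text drops coreadm(1M) from the examples while adding fmd(1M). If coreadm's global settings are still gated by this privilege, keep it in the list ("managing \fBcoreadm\fR(1M), \fBfmd\fR(1M) and \fBnscd\fR(1M).") rather than silently narrowing the documented scope; if it was removed deliberately, say so in the commit message. The trailing period added here matches the neighbouring entries, which also end with one.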
*** 843,853 ****
.sp .6
.RS 4n
Allow a process to successfully call a third party loadable module that calls
the kernel \fBsuser()\fR function to check for allowed access. This privilege
exists only for third party loadable module compatibility and is not used by
! Solaris proper.
.RE
.sp
.ne 2
.na
--- 843,853 ----
.sp .6
.RS 4n
Allow a process to successfully call a third party loadable module that calls
the kernel \fBsuser()\fR function to check for allowed access. This privilege
exists only for third party loadable module compatibility and is not used by
! illumos.
.RE
.sp
.ne 2
.na
*** 1094,1104 ****
The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
to be successful, that is, get an effective UID of 0 and additional privileges.
.sp
.LP
! The privilege implementation in Solaris extends the process credential with
four privilege sets:
.sp
.ne 2
.na
\fBI, the inheritable set\fR
--- 1094,1104 ----
The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
to be successful, that is, get an effective UID of 0 and additional privileges.
.sp
.LP
! The privilege implementation in illumos extends the process credential with
four privilege sets:
.sp
.ne 2
.na
\fBI, the inheritable set\fR
*** 1257,1275 ****
"unsafe". When a process is lacking any of the unsafe privileges from its limit
set, the system does not honor the set-uid bit of set-uid root applications.
The following unsafe privileges have been identified: \fBproc_setid\fR,
\fBsys_resource\fR and \fBproc_audit\fR.
.SS "Privilege Escalation"
- .LP
In certain circumstances, a single privilege could lead to a process gaining
one or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
.sp
.LP
Common examples of escalation are those mechanisms that allow modification of
! system resources through "raw'' interfaces; for example, changing kernel data
structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
Escalation also occurs when a process controls processes with more privileges
than the controlling process. A special case of this is manipulating or
creating objects owned by UID 0 or trying to obtain UID 0 using
\fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
--- 1257,1274 ----
"unsafe". When a process is lacking any of the unsafe privileges from its limit
set, the system does not honor the set-uid bit of set-uid root applications.
The following unsafe privileges have been identified: \fBproc_setid\fR,
\fBsys_resource\fR and \fBproc_audit\fR.
.SS "Privilege Escalation"
In certain circumstances, a single privilege could lead to a process gaining
one or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
.sp
.LP
Common examples of escalation are those mechanisms that allow modification of
! system resources through "raw" interfaces; for example, changing kernel data
structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
Escalation also occurs when a process controls processes with more privileges
than the controlling process. A special case of this is manipulating or
creating objects owned by UID 0 or trying to obtain UID 0 using
\fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
*** 1281,1291 ****
.LP
In situations where a process might obtain UID 0, the security policy requires
additional privileges, up to the full set of privileges. Such restrictions
could be relaxed or removed at such time as additional mechanisms for
protection of system files became available. There are no such mechanisms in
! the current Solaris release.
.sp
.LP
The use of UID 0 processes should be limited as much as possible. They should
be replaced with programs running under a different UID but with exactly the
privileges they need.
--- 1280,1290 ----
.LP
In situations where a process might obtain UID 0, the security policy requires
additional privileges, up to the full set of privileges. Such restrictions
could be relaxed or removed at such time as additional mechanisms for
protection of system files became available. There are no such mechanisms in
! the current release.
.sp
.LP
The use of UID 0 processes should be limited as much as possible. They should
be replaced with programs running under a different UID but with exactly the
privileges they need.
*** 1292,1310 ****
.sp
.LP
Daemons that never need to \fBexec\fR subprocesses should remove the
\fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
.SS "Assigned Privileges and Safeguards"
- .LP
When privileges are assigned to a user, the system administrator could give
that user more powers than intended. The administrator should consider whether
safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
privilege is given to a user, the administrator should consider setting the
\fBproject.max-locked-memory\fR resource control as well, to prevent that user
from locking all memory.
.SS "Privilege Debugging"
- .LP
When a system call fails with a permission error, it is not always immediately
obvious what caused the problem. To debug such a problem, you can use a tool
called \fBprivilege debugging\fR. When privilege debugging is enabled for a
process, the kernel reports missing privileges on the controlling terminal of
the process. (Enable debugging for a process with the \fB-D\fR option of
--- 1291,1307 ----
*** 1320,1336 ****
.sp
.LP
On a running system, you can use \fBmdb\fR(1) to change this variable.
.SS "Privilege Administration"
- .LP
Use \fBusermod\fR(1M) or \fBrolemod\fR(1M)
to assign privileges to or modify privileges for, respectively, a user or a
role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
\fBtruss\fR(1) to determine which privileges a program requires.
.SH SEE ALSO
- .LP
\fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
\fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
\fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
\fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
\fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
--- 1317,1331 ----
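Review bot: since the PRIV_SYS_ADMIN entry now refers to fmd(1M), SEE ALSO should cross-reference it as well; in the visible 1M list it belongs between \fBadd_drv\fR(1M) and \fBifconfig\fR(1M) on the first line. Removing the `.LP` after `.SS "Privilege Administration"` and after `.SH SEE ALSO` is consistent with the same cleanup in the earlier hunks.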