11621 fmadm and fmstat document privileges incorrectly
--- old/usr/src/man/man5/privileges.5.man.txt
+++ new/usr/src/man/man5/privileges.5.man.txt
1 1 PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)
2 2
3 3
4 4
5 5 NAME
6 6 privileges - process privilege model
7 7
8 8 DESCRIPTION
9 - Solaris software implements a set of privileges that provide fine-
9 + In illumos, software implements a set of privileges that provide fine-
10 10 grained control over the actions of processes. The possession of a
11 11 certain privilege allows a process to perform a specific set of
12 12 restricted operations.
13 13
14 14
15 - The change to a primarily privilege-based security model in the Solaris
15 + The change to a primarily privilege-based security model in the
16 16 operating system gives developers an opportunity to restrict processes
17 17 to those privileged operations actually needed instead of all (super-
18 18 user) or no privileges (non-zero UIDs). Additionally, a set of
19 19 previously unrestricted operations now requires a privilege; these
20 20 privileges are dubbed the "basic" privileges and are by default given
21 21 to all processes.
22 22
23 23
24 24 Taken together, all defined privileges with the exception of the
25 25 "basic" privileges compose the set of privileges that are traditionally
26 26 associated with the root user. The "basic" privileges are "privileges"
27 27 unprivileged processes were accustomed to having.
28 28
29 29
30 30 The defined privileges are:
31 31
32 32 PRIV_CONTRACT_EVENT
33 33
34 34 Allow a process to request reliable delivery of events to an event
35 35 endpoint.
36 36
37 37 Allow a process to include events in the critical event set term of
38 38 a template which could be generated in volume by the user.
39 39
40 40
41 41 PRIV_CONTRACT_IDENTITY
42 42
43 43 Allows a process to set the service FMRI value of a process
44 44 contract template.
45 45
46 46
47 47 PRIV_CONTRACT_OBSERVER
48 48
49 49 Allow a process to observe contract events generated by contracts
50 50 created and owned by users other than the process's effective user
51 51 ID.
52 52
53 53 Allow a process to open contract event endpoints belonging to
54 54 contracts created and owned by users other than the process's
55 55 effective user ID.
56 56
57 57
58 58 PRIV_CPC_CPU
59 59
60 60 Allow a process to access per-CPU hardware performance counters.
61 61
62 62
63 63 PRIV_DTRACE_KERNEL
64 64
65 65 Allow DTrace kernel-level tracing.
66 66
67 67
68 68 PRIV_DTRACE_PROC
69 69
70 70 Allow DTrace process-level tracing. Allow process-level tracing
71 71 probes to be placed and enabled in processes to which the user has
72 72 permissions.
73 73
74 74
75 75 PRIV_DTRACE_USER
76 76
77 77 Allow DTrace user-level tracing. Allow use of the syscall and
78 78 profile DTrace providers to examine processes to which the user has
79 79 permissions.
80 80
81 81
82 82 PRIV_FILE_CHOWN
83 83
84 84 Allow a process to change a file's owner user ID. Allow a process
85 85 to change a file's group ID to one other than the process's
86 86 effective group ID or one of the process's supplemental group IDs.
87 87
88 88
89 89 PRIV_FILE_CHOWN_SELF
90 90
91 91 Allow a process to give away its files. A process with this
92 92 privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
93 93
94 94
95 95 PRIV_FILE_DAC_EXECUTE
96 96
97 97 Allow a process to execute an executable file whose permission bits
98 98 or ACL would otherwise disallow the process execute permission.
99 99
100 100
101 101 PRIV_FILE_DAC_READ
102 102
103 103 Allow a process to read a file or directory whose permission bits
104 104 or ACL would otherwise disallow the process read permission.
105 105
106 106
107 107 PRIV_FILE_DAC_SEARCH
108 108
109 109 Allow a process to search a directory whose permission bits or ACL
110 110 would not otherwise allow the process search permission.
111 111
112 112
113 113 PRIV_FILE_DAC_WRITE
114 114
115 115 Allow a process to write a file or directory whose permission bits
116 116 or ACL do not allow the process write permission. All privileges
117 117 are required to write files owned by UID 0 in the absence of an
118 118 effective UID of 0.
119 119
120 120
121 121 PRIV_FILE_DOWNGRADE_SL
122 122
123 123 Allow a process to set the sensitivity label of a file or directory
124 124 to a sensitivity label that does not dominate the existing
125 125 sensitivity label.
126 126
127 127 This privilege is interpreted only if the system is configured with
128 128 Trusted Extensions.
129 129
130 130
131 131 PRIV_FILE_FLAG_SET
132 132
133 133 Allows a process to set immutable, nounlink or appendonly file
134 134 attributes.
135 135
136 136
137 137 PRIV_FILE_LINK_ANY
138 138
139 139 Allow a process to create hardlinks to files owned by a UID
140 140 different from the process's effective UID.
141 141
142 142
143 143 PRIV_FILE_OWNER
144 144
145 145 Allow a process that is not the owner of a file to modify that
146 146 file's access and modification times. Allow a process that is not
147 147 the owner of a directory to modify that directory's access and
148 148 modification times. Allow a process that is not the owner of a file
149 149 or directory to remove or rename a file or directory whose parent
150 150 directory has the "save text image after execution" (sticky) bit
151 151 set. Allow a process that is not the owner of a file to mount a
152 152 namefs upon that file. Allow a process that is not the owner of a
153 153 file or directory to modify that file's or directory's permission
154 154 bits or ACL.
155 155
156 156
157 157 PRIV_FILE_READ
158 158
159 159 Allow a process to open objects in the filesystem for reading. This
160 160 privilege is not necessary to read from an already open file which
161 161 was opened before dropping the PRIV_FILE_READ privilege.
162 162
163 163
164 164 PRIV_FILE_SETID
165 165
166 166 Allow a process to change the ownership of a file or write to a
167 167 file without the set-user-ID and set-group-ID bits being cleared.
168 168 Allow a process to set the set-group-ID bit on a file or directory
169 169 whose group is not the process's effective group or one of the
170 170 process's supplemental groups. Allow a process to set the set-user-
171 171 ID bit on a file with different ownership in the presence of
172 172 PRIV_FILE_OWNER. Additional restrictions apply when creating or
173 173 modifying a setuid 0 file.
174 174
175 175
176 176 PRIV_FILE_UPGRADE_SL
177 177
178 178 Allow a process to set the sensitivity label of a file or directory
179 179 to a sensitivity label that dominates the existing sensitivity
180 180 label.
181 181
182 182 This privilege is interpreted only if the system is configured with
183 183 Trusted Extensions.
184 184
185 185
186 186 PRIV_FILE_WRITE
187 187
188 188 Allow a process to open objects in the filesystem for writing, or
189 189 otherwise modify them. This privilege is not necessary to write to
190 190 an already open file which was opened before dropping the
191 191 PRIV_FILE_WRITE privilege.
192 192
193 193
194 194 PRIV_GRAPHICS_ACCESS
195 195
196 196 Allow a process to make privileged ioctls to graphics devices.
197 197 Typically only an xserver process needs to have this privilege. A
198 198 process with this privilege is also allowed to perform privileged
199 199 graphics device mappings.
200 200
201 201
202 202 PRIV_GRAPHICS_MAP
203 203
204 204 Allow a process to perform privileged mappings through a graphics
205 205 device.
206 206
207 207
208 208 PRIV_IPC_DAC_READ
209 209
210 210 Allow a process to read a System V IPC Message Queue, Semaphore
211 211 Set, or Shared Memory Segment whose permission bits would not
212 212 otherwise allow the process read permission.
213 213
214 214
215 215 PRIV_IPC_DAC_WRITE
216 216
217 217 Allow a process to write a System V IPC Message Queue, Semaphore
218 218 Set, or Shared Memory Segment whose permission bits would not
219 219 otherwise allow the process write permission.
220 220
221 221
222 222 PRIV_IPC_OWNER
223 223
224 224 Allow a process that is not the owner of a System V IPC Message
225 225 Queue, Semaphore Set, or Shared Memory Segment to remove, change
226 226 ownership of, or change permission bits of the Message Queue,
227 227 Semaphore Set, or Shared Memory Segment.
228 228
229 229
230 230 PRIV_NET_ACCESS
231 231
232 232 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
233 233 This privilege is not necessary to communicate using an existing
234 234 endpoint already opened before dropping the PRIV_NET_ACCESS
235 235 privilege.
236 236
237 237
238 238 PRIV_NET_BINDMLP
239 239
240 240 Allow a process to bind to a port that is configured as a multi-
241 241 level port (MLP) for the process's zone. This privilege applies to
242 242 both shared address and zone-specific address MLPs. See
243 243 tnzonecfg(4) from the Trusted Extensions manual pages for
244 244 information on configuring MLP ports.
245 245
246 246 This privilege is interpreted only if the system is configured with
247 247 Trusted Extensions.
248 248
249 249
250 250 PRIV_NET_ICMPACCESS
251 251
252 252 Allow a process to send and receive ICMP packets.
253 253
254 254
255 255 PRIV_NET_MAC_AWARE
256 256
257 257 Allow a process to set the NET_MAC_AWARE process flag by using
258 258 setpflags(2). This privilege also allows a process to set the
259 259 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
260 260 NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
261 261 allow a local process to communicate with an unlabeled peer if the
262 262 local process's label dominates the peer's default label, or if the
263 263 local process runs in the global zone.
264 264
265 265 This privilege is interpreted only if the system is configured with
266 266 Trusted Extensions.
267 267
268 268
269 269 PRIV_NET_MAC_IMPLICIT
270 270
271 271 Allow a process to set SO_MAC_IMPLICIT option by using
272 272 setsockopt(3SOCKET). This allows a privileged process to transmit
273 273 implicitly-labeled packets to a peer.
274 274
275 275 This privilege is interpreted only if the system is configured with
276 276 Trusted Extensions.
277 277
278 278
279 279 PRIV_NET_OBSERVABILITY
280 280
281 281 Allow a process to open a device for just receiving network
282 282 traffic, sending traffic is disallowed.
283 283
284 284
285 285 PRIV_NET_PRIVADDR
286 286
287 287 Allow a process to bind to a privileged port number. The privilege
288 288 port numbers are 1-1023 (the traditional UNIX privileged ports) as
289 289 well as those ports marked as "udp/tcp_extra_priv_ports" with the
290 290 exception of the ports reserved for use by NFS and SMB.
291 291
292 292
293 293 PRIV_NET_RAWACCESS
294 294
295 295 Allow a process to have direct access to the network layer.
296 296
297 297
298 298 PRIV_PROC_AUDIT
299 299
300 300 Allow a process to generate audit records. Allow a process to get
301 301 its own audit pre-selection information.
302 302
303 303
304 304 PRIV_PROC_CHROOT
305 305
306 306 Allow a process to change its root directory.
307 307
308 308
309 309 PRIV_PROC_CLOCK_HIGHRES
310 310
311 311 Allow a process to use high resolution timers.
312 312
313 313
314 314 PRIV_PROC_EXEC
315 315
316 316 Allow a process to call exec(2).
317 317
318 318
319 319 PRIV_PROC_FORK
320 320
321 321 Allow a process to call fork(2), fork1(2), or vfork(2).
322 322
323 323
324 324 PRIV_PROC_INFO
325 325
326 326 Allow a process to examine the status of processes other than those
327 327 to which it can send signals. Processes that cannot be examined
328 328 cannot be seen in /proc and appear not to exist.
329 329
330 330
331 331 PRIV_PROC_LOCK_MEMORY
332 332
333 333 Allow a process to lock pages in physical memory.
334 334
335 335
336 336 PRIV_PROC_MEMINFO
337 337
338 338 Allow a process to access physical memory information.
339 339
340 340
341 341 PRIV_PROC_OWNER
342 342
343 343 Allow a process to send signals to other processes and inspect and
344 344 modify the process state in other processes, regardless of
345 345 ownership. When modifying another process, additional restrictions
346 346 apply: the effective privilege set of the attaching process must be
347 347 a superset of the target process's effective, permitted, and
348 348 inheritable sets; the limit set must be a superset of the target's
349 349 limit set; if the target process has any UID set to 0 all privilege
350 350 must be asserted unless the effective UID is 0. Allow a process to
351 351 bind arbitrary processes to CPUs.
352 352
353 353
354 354 PRIV_PROC_PRIOUP
355 355
356 356 Allow a process to elevate its priority above its current level.
357 357
358 358
359 359 PRIV_PROC_PRIOCNTL
360 360
361 361 Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change
362 362 its scheduling class to any scheduling class, including the RT
363 363 class.
364 364
365 365
366 366 PRIV_PROC_SECFLAGS
367 367
368 368 Allow a process to manipulate the secflags of processes (subject
369 369 to, additionally, the ability to signal that process).
370 370
371 371
372 372 PRIV_PROC_SESSION
373 373
374 374 Allow a process to send signals or trace processes outside its
375 375 session.
376 376
377 377
378 378 PRIV_PROC_SETID
379 379
380 380 Allow a process to set its UIDs at will, assuming UID 0 requires
381 381 all privileges to be asserted.
382 382
383 383
384 384 PRIV_PROC_TASKID
385 385
386 386 Allow a process to assign a new task ID to the calling process.
387 387
388 388
389 389 PRIV_PROC_ZONE
390 390
391 391 Allow a process to trace or send signals to processes in other
392 392 zones. See zones(5).
393 393
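Review bot: the rewritten opening sentence of DESCRIPTION, "In illumos, software implements a set of privileges that provide fine-grained control", reads awkwardly; a one-for-one replacement of "Solaris software" would be "illumos implements a set of privileges that provide fine-grained control over the actions of processes", which also keeps the wrap of the following lines intact. The second rewording in this region, dropping "Solaris" from "the Solaris operating system", is fine as written. While this region is being touched, the unchanged PRIV_NET_PRIVADDR entry says "The privilege port numbers are 1-1023", which should read "The privileged port numbers are 1-1023".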
394 394
395 395 PRIV_SYS_ACCT
396 396
397 397 Allow a process to enable and disable and manage accounting through
398 398 acct(2).
399 399
400 400
401 401 PRIV_SYS_ADMIN
402 402
403 403 Allow a process to perform system administration tasks such as
404 - setting node and domain name and specifying coreadm(1M) and
405 - nscd(1M) settings
404 + setting node and domain name and managing fmd(1M) and nscd(1M).
406 405
407 406
408 407 PRIV_SYS_AUDIT
409 408
410 409 Allow a process to start the (kernel) audit daemon. Allow a process
411 410 to view and set audit state (audit user ID, audit terminal ID,
412 411 audit sessions ID, audit pre-selection mask). Allow a process to
413 412 turn off and on auditing. Allow a process to configure the audit
414 413 parameters (cache and queue sizes, event to class mappings, and
415 414 policy options).
416 415
417 416
418 417 PRIV_SYS_CONFIG
419 418
420 419 Allow a process to perform various system configuration tasks.
421 420 Allow filesystem-specific administrative procedures, such as
422 421 filesystem configuration ioctls, quota calls, creation and deletion
423 422 of snapshots, and manipulating the PCFS bootsector.
424 423
425 424
426 425 PRIV_SYS_DEVICES
427 426
428 427 Allow a process to create device special files. Allow a process to
429 428 successfully call a kernel module that calls the kernel
430 429 drv_priv(9F) function to check for allowed access. Allow a process
431 430 to open the real console device directly. Allow a process to open
432 431 devices that have been exclusively opened.
433 432
434 433
435 434 PRIV_SYS_DL_CONFIG
436 435
437 436 Allow a process to configure a system's datalink interfaces.
438 437
439 438
440 439 PRIV_SYS_IP_CONFIG
441 440
442 441 Allow a process to configure a system's IP interfaces and routes.
443 442 Allow a process to configure network parameters for TCP/IP using
444 443 ndd. Allow a process access to otherwise restricted TCP/IP
445 444 information using ndd. Allow a process to configure IPsec. Allow a
446 445 process to pop anchored STREAMs modules with matching zoneid.
447 446
448 447
449 448 PRIV_SYS_IPC_CONFIG
450 449
451 450 Allow a process to increase the size of a System V IPC Message
452 451 Queue buffer.
453 452
454 453
455 454 PRIV_SYS_IPTUN_CONFIG
456 455
457 456 Allow a process to configure IP tunnel links.
458 457
459 458
460 459 PRIV_SYS_LINKDIR
461 460
462 461 Allow a process to unlink and link directories.
463 462
464 463
465 464 PRIV_SYS_MOUNT
466 465
467 466 Allow a process to mount and unmount filesystems that would
468 467 otherwise be restricted (that is, most filesystems except namefs).
469 468 Allow a process to add and remove swap devices.
470 469
471 470
472 471 PRIV_SYS_NET_CONFIG
473 472
474 473 Allow a process to do all that PRIV_SYS_IP_CONFIG,
475 474 PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
476 475 following: use the rpcmod STREAMS module and insert/remove STREAMS
477 476 modules on locations other than the top of the module stack.
478 477
479 478
480 479 PRIV_SYS_NFS
481 480
482 481 Allow a process to provide NFS service: start NFS kernel threads,
483 482 perform NFS locking operations, bind to NFS reserved ports: ports
484 483 2049 (nfs) and port 4045 (lockd).
485 484
486 485
487 486 PRIV_SYS_PPP_CONFIG
488 487
489 488 Allow a process to create, configure, and destroy PPP instances
490 489 with pppd(1M) pppd(1M) and control PPPoE plumbing with
491 490 sppptun(1M)sppptun(1M). This privilege is granted by default to
492 491 exclusive IP stack instance zones.
493 492
494 493
495 494 PRIV_SYS_RES_BIND
496 495
497 496 Allows a process to bind processes to processor sets.
498 497
499 498
500 499 PRIV_SYS_RES_CONFIG
501 500
502 501 Allows all that PRIV_SYS_RES_BIND allows. Allow a process to
503 502 create and delete processor sets, assign CPUs to processor sets and
504 503 override the PSET_NOESCAPE property. Allow a process to change the
505 504 operational status of CPUs in the system using p_online(2). Allow a
506 505 process to configure filesystem quotas. Allow a process to
507 506 configure resource pools and bind processes to pools.
508 507
509 508
510 509 PRIV_SYS_RESOURCE
511 510
512 511 Allow a process to exceed the resource limits imposed on it by
513 512 setrlimit(2) and setrctl(2).
514 513
515 514
516 515 PRIV_SYS_SMB
517 516
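Review bot: the PRIV_SYS_ADMIN rewrite drops coreadm(1M) from the list of examples while adding fmd(1M); unless coreadm no longer requires this privilege, keep it in the list, for example "setting node and domain name and managing coreadm(1M), fmd(1M) and nscd(1M) settings." The terminating period the old text lacked is a good addition. Also in this region, the unchanged PRIV_SYS_PPP_CONFIG entry renders its cross references twice, "pppd(1M) pppd(1M)" and "sppptun(1M)sppptun(1M)", which looks like a duplication in the page source and would be worth fixing in the same change.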
518 517 Allow a process to provide NetBIOS or SMB services: start SMB
519 518 kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
520 519 138, 139 (NetBIOS) and 445 (SMB).
521 520
522 521
523 522 PRIV_SYS_SUSER_COMPAT
524 523
525 524 Allow a process to successfully call a third party loadable module
526 525 that calls the kernel suser() function to check for allowed access.
527 526 This privilege exists only for third party loadable module
528 - compatibility and is not used by Solaris proper.
527 + compatibility and is not used by illumos.
529 528
530 529
531 530 PRIV_SYS_TIME
532 531
533 532 Allow a process to manipulate system time using any of the
534 533 appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
535 534
536 535
537 536 PRIV_SYS_TRANS_LABEL
538 537
539 538 Allow a process to translate labels that are not dominated by the
540 539 process's sensitivity label to and from an external string form.
541 540
542 541 This privilege is interpreted only if the system is configured with
543 542 Trusted Extensions.
544 543
545 544
546 545 PRIV_VIRT_MANAGE
547 546
548 547 Allows a process to manage virtualized environments such as xVM(5).
549 548
550 549
551 550 PRIV_WIN_COLORMAP
552 551
553 552 Allow a process to override colormap restrictions.
554 553
555 554 Allow a process to install or remove colormaps.
556 555
557 556 Allow a process to retrieve colormap cell entries allocated by
558 557 other processes.
559 558
560 559 This privilege is interpreted only if the system is configured with
561 560 Trusted Extensions.
562 561
563 562
564 563 PRIV_WIN_CONFIG
565 564
566 565 Allow a process to configure or destroy resources that are
567 566 permanently retained by the X server.
568 567
569 568 Allow a process to use SetScreenSaver to set the screen saver
570 569 timeout value
571 570
572 571 Allow a process to use ChangeHosts to modify the display access
573 572 control list.
574 573
575 574 Allow a process to use GrabServer.
576 575
577 576 Allow a process to use the SetCloseDownMode request that can retain
578 577 window, pixmap, colormap, property, cursor, font, or graphic
579 578 context resources.
580 579
581 580 This privilege is interpreted only if the system is configured with
582 581 Trusted Extensions.
583 582
584 583
585 584 PRIV_WIN_DAC_READ
586 585
587 586 Allow a process to read from a window resource that it does not own
588 587 (has a different user ID).
589 588
590 589 This privilege is interpreted only if the system is configured with
591 590 Trusted Extensions.
592 591
593 592
594 593 PRIV_WIN_DAC_WRITE
595 594
596 595 Allow a process to write to or create a window resource that it
597 596 does not own (has a different user ID). A newly created window
598 597 property is created with the window's user ID.
599 598
600 599 This privilege is interpreted only if the system is configured with
601 600 Trusted Extensions.
602 601
603 602
604 603 PRIV_WIN_DEVICES
605 604
606 605 Allow a process to perform operations on window input devices.
607 606
608 607 Allow a process to get and set keyboard and pointer controls.
609 608
610 609 Allow a process to modify pointer button and key mappings.
611 610
612 611 This privilege is interpreted only if the system is configured with
613 612 Trusted Extensions.
614 613
615 614
616 615 PRIV_WIN_DGA
617 616
618 617 Allow a process to use the direct graphics access (DGA) X protocol
619 618 extensions. Direct process access to the frame buffer is still
620 619 required. Thus the process must have MAC and DAC privileges that
621 620 allow access to the frame buffer, or the frame buffer must be
622 621 allocated to the process.
623 622
624 623 This privilege is interpreted only if the system is configured with
625 624 Trusted Extensions.
626 625
627 626
628 627 PRIV_WIN_DOWNGRADE_SL
629 628
630 629 Allow a process to set the sensitivity label of a window resource
631 630 to a sensitivity label that does not dominate the existing
632 631 sensitivity label.
633 632
634 633 This privilege is interpreted only if the system is configured with
635 634 Trusted Extensions.
636 635
637 636
638 637 PRIV_WIN_FONTPATH
639 638
640 639 Allow a process to set a font path.
641 640
642 641 This privilege is interpreted only if the system is configured with
643 642 Trusted Extensions.
644 643
645 644
646 645 PRIV_WIN_MAC_READ
647 646
648 647 Allow a process to read from a window resource whose sensitivity
649 648 label is not equal to the process sensitivity label.
650 649
651 650 This privilege is interpreted only if the system is configured with
652 651 Trusted Extensions.
653 652
654 653
655 654 PRIV_WIN_MAC_WRITE
656 655
657 656 Allow a process to create a window resource whose sensitivity label
658 657 is not equal to the process sensitivity label. A newly created
659 658 window property is created with the window's sensitivity label.
660 659
661 660 This privilege is interpreted only if the system is configured with
662 661 Trusted Extensions.
663 662
664 663
665 664 PRIV_WIN_SELECTION
666 665
667 666 Allow a process to request inter-window data moves without the
668 667 intervention of the selection confirmer.
669 668
670 669 This privilege is interpreted only if the system is configured with
671 670 Trusted Extensions.
672 671
673 672
674 673 PRIV_WIN_UPGRADE_SL
675 674
676 675 Allow a process to set the sensitivity label of a window resource
677 676 to a sensitivity label that dominates the existing sensitivity
678 677 label.
679 678
680 679 This privilege is interpreted only if the system is configured with
681 680 Trusted Extensions.
682 681
683 682
684 683 PRIV_XVM_CONTROL
685 684
686 685 Allows a process access to the xVM(5) control devices for managing
687 686 guest domains and the hypervisor. This privilege is used only if
688 687 booted into xVM on x86 platforms.
689 688
690 689
691 690
692 691 Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
693 692 PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
694 693 PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
695 694 "basic" privileges. These are privileges that used to be always
696 695 available to unprivileged processes. By default, processes still have
697 696 the basic privileges.
698 697
699 698
700 699 The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
701 700 the Limit set (see below) of a process in order for set-uid root execs
702 701 to be successful, that is, get an effective UID of 0 and additional
703 702 privileges.
704 703
705 704
706 - The privilege implementation in Solaris extends the process credential
705 + The privilege implementation in illumos extends the process credential
707 706 with four privilege sets:
708 707
709 708 I, the inheritable set
710 709 The privileges inherited on exec.
711 710
712 711
713 712 P, the permitted set
714 713 The maximum set of privileges for the
715 714 process.
716 715
717 716
718 717 E, the effective set
719 718 The privileges currently in effect.
720 719
721 720
722 721 L, the limit set
723 722 The upper bound of the privileges a process
724 723 and its offspring can obtain. Changes to L
725 724 take effect on the next exec.
726 725
727 726
728 727
729 728 The sets I, P and E are typically identical to the basic set of
730 729 privileges for unprivileged processes. The limit set is typically the
731 730 full set of privileges.
732 731
733 732
734 733 Each process has a Privilege Awareness State (PAS) that can take the
735 734 value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
736 735 mechanism that allows a choice between full compatibility with the old
737 736 superuser model and completely ignoring the effective UID.
738 737
739 738
740 739 To facilitate the discussion, we introduce the notion of "observed
741 740 effective set" (oE) and "observed permitted set" (oP) and the
742 741 implementation sets iE and iP.
743 742
744 743
745 744 A process becomes privilege-aware either by manipulating the effective,
746 745 permitted, or limit privilege sets through setppriv(2) or by using
747 746 setpflags(2). In all cases, oE and oP are invariant in the process of
748 747 becoming privilege-aware. In the process of becoming privilege-aware,
749 748 the following assignments take place:
750 749
751 750 iE = oE
752 751 iP = oP
753 752
754 753
755 754
756 755 When a process is privilege-aware, oE and oP are invariant under UID
757 756 changes. When a process is not privilege-aware, oE and oP are observed
758 757 as follows:
759 758
760 759 oE = euid == 0 ? L : iE
761 760 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
762 761
763 762
764 763
765 764 When a non-privilege-aware process has an effective UID of 0, it can
766 765 exercise the privileges contained in its limit set, the upper bound of
767 766 its privileges. If a non-privilege-aware process has any of the UIDs
768 767 0, it appears to be capable of potentially exercising all privileges in
769 768 L.
770 769
771 770
772 771 It is possible for a process to return to the non-privilege aware state
773 772 using setpflags(). The kernel always attempts this on exec(2). This
774 773 operation is permitted only if the following conditions are met:
775 774
776 775 o If any of the UIDs is equal to 0, P must be equal to L.
777 776
778 777 o If the effective UID is equal to 0, E must be equal to L.
779 778
780 779
781 780 When a process gives up privilege awareness, the following assignments
782 781 take place:
783 782
784 783 if (euid == 0) iE = L & I
785 784 if (any uid == 0) iP = L & I
786 785
787 786
788 787
789 788 The privileges obtained when not having a UID of 0 are the inheritable
790 789 set of the process restricted by the limit set.
791 790
792 791
793 792 Only privileges in the process's (observed) effective privilege set
794 793 allow the process to perform restricted operations. A process can use
795 794 any of the privilege manipulation functions to add or remove privileges
796 795 from the privilege sets. Privileges can be removed always. Only
797 796 privileges found in the permitted set can be added to the effective and
798 797 inheritable set. The limit set cannot grow. The inheritable set can be
799 798 larger than the permitted set.
800 799
801 800
802 801 When a process performs an exec(2), the kernel first tries to
803 802 relinquish privilege awareness before making the following privilege
804 803 set modifications:
805 804
806 805 E' = P' = I' = L & I
807 806 L is unchanged
808 807
809 808
810 809
811 810 If a process has not manipulated its privileges, the privilege sets
812 811 effectively remain the same, as E, P and I are already identical.
813 812
814 813
815 814 The limit set is enforced at exec time.
816 815
817 816
818 817 To run a non-privilege-aware application in a backward-compatible
819 818 manner, a privilege-aware application should start the non-privilege-
820 819 aware application with I=basic.
821 820
822 821
823 822 For most privileges, absence of the privilege simply results in a
824 823 failure. In some instances, the absence of a privilege can cause system
825 824 calls to behave differently. In other instances, the removal of a
826 825 privilege can force a set-uid application to seriously malfunction.
827 826 Privileges of this type are considered "unsafe". When a process is
828 827 lacking any of the unsafe privileges from its limit set, the system
829 828 does not honor the set-uid bit of set-uid root applications. The
830 829 following unsafe privileges have been identified: proc_setid,
831 830 sys_resource and proc_audit.
832 831
833 832 Privilege Escalation
834 833 In certain circumstances, a single privilege could lead to a process
835 834 gaining one or more additional privileges that were not explicitly
836 835 granted to that process. To prevent such an escalation of privileges,
837 836 the security policy requires explicit permission for those additional
838 837 privileges.
839 838
840 839
841 840 Common examples of escalation are those mechanisms that allow
842 - modification of system resources through "raw'' interfaces; for
843 - example, changing kernel data structures through /dev/kmem or changing
844 - files through /dev/dsk/*. Escalation also occurs when a process
845 - controls processes with more privileges than the controlling process. A
846 - special case of this is manipulating or creating objects owned by UID 0
847 - or trying to obtain UID 0 using setuid(2). The special treatment of UID
848 - 0 is needed because the UID 0 owns all system configuration files and
841 + modification of system resources through "raw" interfaces; for example,
842 + changing kernel data structures through /dev/kmem or changing files
843 + through /dev/dsk/*. Escalation also occurs when a process controls
844 + processes with more privileges than the controlling process. A special
845 + case of this is manipulating or creating objects owned by UID 0 or
846 + trying to obtain UID 0 using setuid(2). The special treatment of UID 0
847 + is needed because the UID 0 owns all system configuration files and
849 848 ordinary file protection mechanisms allow processes with UID 0 to
850 849 modify the system configuration. With appropriate file modifications, a
851 850 given process running with an effective UID of 0 can gain all
852 851 privileges.
853 852
854 853
855 854 In situations where a process might obtain UID 0, the security policy
856 855 requires additional privileges, up to the full set of privileges. Such
857 856 restrictions could be relaxed or removed at such time as additional
858 857 mechanisms for protection of system files became available. There are
859 - no such mechanisms in the current Solaris release.
858 + no such mechanisms in the current release.
860 859
861 860
862 861 The use of UID 0 processes should be limited as much as possible. They
863 862 should be replaced with programs running under a different UID but with
864 863 exactly the privileges they need.
865 864
866 865
867 866 Daemons that never need to exec subprocesses should remove the
868 867 PRIV_PROC_EXEC privilege from their permitted and limit sets.
869 868
870 869 Assigned Privileges and Safeguards
871 870 When privileges are assigned to a user, the system administrator could
872 871 give that user more powers than intended. The administrator should
873 872 consider whether safeguards are needed. For example, if the
874 873 PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
875 874 should consider setting the project.max-locked-memory resource control
876 875 as well, to prevent that user from locking all memory.
877 876
878 877 Privilege Debugging
879 878 When a system call fails with a permission error, it is not always
880 879 immediately obvious what caused the problem. To debug such a problem,
881 880 you can use a tool called privilege debugging. When privilege debugging
882 881 is enabled for a process, the kernel reports missing privileges on the
883 882 controlling terminal of the process. (Enable debugging for a process
884 883 with the -D option of ppriv(1).) Additionally, the administrator can
885 884 enable system-wide privilege debugging by setting the system(4)
886 885 variable priv_debug using:
887 886
888 887 set priv_debug = 1
889 888
890 889
891 890
892 891 On a running system, you can use mdb(1) to change this variable.
893 892
894 893 Privilege Administration
895 894 Use usermod(1M) or rolemod(1M) to assign privileges to or modify
896 895 privileges for, respectively, a user or a role. Use ppriv(1) to
897 896 enumerate the privileges supported on a system and truss(1) to
898 897 determine which privileges a program requires.
899 898
900 899 SEE ALSO
901 900 mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
902 901 pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
903 902 access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
904 903 chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
905 904 fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
906 905 kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
907 906 ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
908 907 processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
909 908 resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
910 909 seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
911 910 setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
912 911 setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
913 912 statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
914 913 umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
915 914 door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
916 915 priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
917 916 socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
918 917 exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
919 918 drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
920 919 priv_policy_choice(9F), priv_policy_only(9F)
921 920
922 921
923 922 System Administration Guide: Security Services
924 923
925 924
926 925
927 - February 28, 2018 PRIVILEGES(5)
926 + August 26, 2019 PRIVILEGES(5)