1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH PRIVILEGES 5 "Feb 28, 2018"
8 .SH NAME
9 privileges \- process privilege model
10 .SH DESCRIPTION
11 .LP
12 Solaris software implements a set of privileges that provide fine-grained
13 control over the actions of processes. The possession of a certain privilege
14 allows a process to perform a specific set of restricted operations.
15 .sp
16 .LP
17 The change to a primarily privilege-based security model in the Solaris
18 operating system gives developers an opportunity to restrict processes to those
19 privileged operations actually needed instead of all (super-user) or no
20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 operations now requires a privilege; these privileges are dubbed the "basic"
22 privileges and are by default given to all processes.
23 .sp
24 .LP
25 Taken together, all defined privileges with the exception of the "basic"
26 privileges compose the set of privileges that are traditionally associated with
27 the root user. The "basic" privileges are "privileges" unprivileged processes
28 were accustomed to having.
29 .sp
30 .LP
31 The defined privileges are:
32 .sp
33 .ne 2
34 .na
35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 .ad
37 .sp .6
624
625 .sp
626 .ne 2
627 .na
628 \fB\fBPRIV_SYS_ACCT\fR\fR
629 .ad
630 .sp .6
631 .RS 4n
632 Allow a process to enable and disable and manage accounting through
633 \fBacct\fR(2).
634 .RE
635
636 .sp
637 .ne 2
638 .na
639 \fB\fBPRIV_SYS_ADMIN\fR\fR
640 .ad
641 .sp .6
642 .RS 4n
643 Allow a process to perform system administration tasks such as setting node and
644 domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
645 .RE
646
647 .sp
648 .ne 2
649 .na
650 \fB\fBPRIV_SYS_AUDIT\fR\fR
651 .ad
652 .sp .6
653 .RS 4n
654 Allow a process to start the (kernel) audit daemon. Allow a process to view and
655 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
656 pre-selection mask). Allow a process to turn off and on auditing. Allow a
657 process to configure the audit parameters (cache and queue sizes, event to
658 class mappings, and policy options).
659 .RE
660
661 .sp
662 .ne 2
663 .na
664 \fB\fBPRIV_SYS_CONFIG\fR\fR
828 .na
829 \fB\fBPRIV_SYS_SMB\fR\fR
830 .ad
831 .sp .6
832 .RS 4n
833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
835 (SMB).
836 .RE
837
838 .sp
839 .ne 2
840 .na
841 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
842 .ad
843 .sp .6
844 .RS 4n
845 Allow a process to successfully call a third party loadable module that calls
846 the kernel \fBsuser()\fR function to check for allowed access. This privilege
847 exists only for third party loadable module compatibility and is not used by
848 Solaris proper.
849 .RE
850
851 .sp
852 .ne 2
853 .na
854 \fB\fBPRIV_SYS_TIME\fR\fR
855 .ad
856 .sp .6
857 .RS 4n
858 Allow a process to manipulate system time using any of the appropriate system
859 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
860 .RE
861
862 .sp
863 .ne 2
864 .na
865 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
866 .ad
867 .sp .6
868 .RS 4n
1079 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1080 domains and the hypervisor. This privilege is used only if booted into xVM on
1081 x86 platforms.
1082 .RE
1083
1084 .sp
1085 .LP
1086 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1087 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1088 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1089 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1090 that used to be always available to unprivileged processes. By default,
1091 processes still have the basic privileges.
1092 .sp
1093 .LP
1094 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1095 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1096 to be successful, that is, get an effective UID of 0 and additional privileges.
1097 .sp
1098 .LP
1099 The privilege implementation in Solaris extends the process credential with
1100 four privilege sets:
1101 .sp
1102 .ne 2
1103 .na
1104 \fBI, the inheritable set\fR
1105 .ad
1106 .RS 26n
1107 The privileges inherited on \fBexec\fR.
1108 .RE
1109
1110 .sp
1111 .ne 2
1112 .na
1113 \fBP, the permitted set\fR
1114 .ad
1115 .RS 26n
1116 The maximum set of privileges for the process.
1117 .RE
1118
1119 .sp
1242 remain the same, as E, P and I are already identical.
1243 .sp
1244 .LP
1245 The limit set is enforced at \fBexec\fR time.
1246 .sp
1247 .LP
1248 To run a non-privilege-aware application in a backward-compatible manner, a
1249 privilege-aware application should start the non-privilege-aware application
1250 with I=basic.
1251 .sp
1252 .LP
1253 For most privileges, absence of the privilege simply results in a failure. In
1254 some instances, the absence of a privilege can cause system calls to behave
1255 differently. In other instances, the removal of a privilege can force a set-uid
1256 application to seriously malfunction. Privileges of this type are considered
1257 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1258 set, the system does not honor the set-uid bit of set-uid root applications.
1259 The following unsafe privileges have been identified: \fBproc_setid\fR,
1260 \fBsys_resource\fR and \fBproc_audit\fR.
1261 .SS "Privilege Escalation"
1262 .LP
1263 In certain circumstances, a single privilege could lead to a process gaining
1264 one or more additional privileges that were not explicitly granted to that
1265 process. To prevent such an escalation of privileges, the security policy
1266 requires explicit permission for those additional privileges.
1267 .sp
1268 .LP
1269 Common examples of escalation are those mechanisms that allow modification of
1270 system resources through "raw'' interfaces; for example, changing kernel data
1271 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1272 Escalation also occurs when a process controls processes with more privileges
1273 than the controlling process. A special case of this is manipulating or
1274 creating objects owned by UID 0 or trying to obtain UID 0 using
1275 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1276 owns all system configuration files and ordinary file protection mechanisms
1277 allow processes with UID 0 to modify the system configuration. With appropriate
1278 file modifications, a given process running with an effective UID of 0 can gain
1279 all privileges.
1280 .sp
1281 .LP
1282 In situations where a process might obtain UID 0, the security policy requires
1283 additional privileges, up to the full set of privileges. Such restrictions
1284 could be relaxed or removed at such time as additional mechanisms for
1285 protection of system files became available. There are no such mechanisms in
1286 the current Solaris release.
1287 .sp
1288 .LP
1289 The use of UID 0 processes should be limited as much as possible. They should
1290 be replaced with programs running under a different UID but with exactly the
1291 privileges they need.
1292 .sp
1293 .LP
1294 Daemons that never need to \fBexec\fR subprocesses should remove the
1295 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1296 .SS "Assigned Privileges and Safeguards"
1297 .LP
1298 When privileges are assigned to a user, the system administrator could give
1299 that user more powers than intended. The administrator should consider whether
1300 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1301 privilege is given to a user, the administrator should consider setting the
1302 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1303 from locking all memory.
1304 .SS "Privilege Debugging"
1305 .LP
1306 When a system call fails with a permission error, it is not always immediately
1307 obvious what caused the problem. To debug such a problem, you can use a tool
1308 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1309 process, the kernel reports missing privileges on the controlling terminal of
1310 the process. (Enable debugging for a process with the \fB-D\fR option of
1311 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1312 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1313 using:
1314 .sp
1315 .in +2
1316 .nf
1317 set priv_debug = 1
1318 .fi
1319 .in -2
1320
1321 .sp
1322 .LP
1323 On a running system, you can use \fBmdb\fR(1) to change this variable.
1324 .SS "Privilege Administration"
1325 .LP
1326 Use \fBusermod\fR(1M) or \fBrolemod\fR(1M)
1327 to assign privileges to or modify privileges for, respectively, a user or a
1328 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1329 \fBtruss\fR(1) to determine which privileges a program requires.
1330 .SH SEE ALSO
1331 .LP
1332 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1333 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1334 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1335 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1336 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1337 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1338 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1339 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1340 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1341 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1342 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1343 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1344 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1345 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1346 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1347 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1348 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1349 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1350 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1351 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
|
1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 .\" Copyright 2019 Peter Tribble
5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
6 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
7 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
8 .TH PRIVILEGES 5 "Aug 26, 2019"
9 .SH NAME
10 privileges \- process privilege model
11 .SH DESCRIPTION
12 In illumos, software implements a set of privileges that provide fine-grained
13 control over the actions of processes. The possession of a certain privilege
14 allows a process to perform a specific set of restricted operations.
15 .sp
16 .LP
17 The change to a primarily privilege-based security model in the
18 operating system gives developers an opportunity to restrict processes to those
19 privileged operations actually needed instead of all (super-user) or no
20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 operations now requires a privilege; these privileges are dubbed the "basic"
22 privileges and are by default given to all processes.
23 .sp
24 .LP
25 Taken together, all defined privileges with the exception of the "basic"
26 privileges compose the set of privileges that are traditionally associated with
27 the root user. The "basic" privileges are "privileges" unprivileged processes
28 were accustomed to having.
29 .sp
30 .LP
31 The defined privileges are:
32 .sp
33 .ne 2
34 .na
35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 .ad
37 .sp .6
624
625 .sp
626 .ne 2
627 .na
628 \fB\fBPRIV_SYS_ACCT\fR\fR
629 .ad
630 .sp .6
631 .RS 4n
632 Allow a process to enable and disable and manage accounting through
633 \fBacct\fR(2).
634 .RE
635
636 .sp
637 .ne 2
638 .na
639 \fB\fBPRIV_SYS_ADMIN\fR\fR
640 .ad
641 .sp .6
642 .RS 4n
643 Allow a process to perform system administration tasks such as setting node and
644 domain name and managing \fBfmd\fR(1M) and \fBnscd\fR(1M).
645 .RE
646
647 .sp
648 .ne 2
649 .na
650 \fB\fBPRIV_SYS_AUDIT\fR\fR
651 .ad
652 .sp .6
653 .RS 4n
654 Allow a process to start the (kernel) audit daemon. Allow a process to view and
655 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
656 pre-selection mask). Allow a process to turn off and on auditing. Allow a
657 process to configure the audit parameters (cache and queue sizes, event to
658 class mappings, and policy options).
659 .RE
660
661 .sp
662 .ne 2
663 .na
664 \fB\fBPRIV_SYS_CONFIG\fR\fR
828 .na
829 \fB\fBPRIV_SYS_SMB\fR\fR
830 .ad
831 .sp .6
832 .RS 4n
833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
835 (SMB).
836 .RE
837
838 .sp
839 .ne 2
840 .na
841 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
842 .ad
843 .sp .6
844 .RS 4n
845 Allow a process to successfully call a third party loadable module that calls
846 the kernel \fBsuser()\fR function to check for allowed access. This privilege
847 exists only for third party loadable module compatibility and is not used by
848 illumos.
849 .RE
850
851 .sp
852 .ne 2
853 .na
854 \fB\fBPRIV_SYS_TIME\fR\fR
855 .ad
856 .sp .6
857 .RS 4n
858 Allow a process to manipulate system time using any of the appropriate system
859 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
860 .RE
861
862 .sp
863 .ne 2
864 .na
865 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
866 .ad
867 .sp .6
868 .RS 4n
1079 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1080 domains and the hypervisor. This privilege is used only if booted into xVM on
1081 x86 platforms.
1082 .RE
1083
1084 .sp
1085 .LP
1086 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1087 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1088 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1089 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1090 that used to be always available to unprivileged processes. By default,
1091 processes still have the basic privileges.
1092 .sp
1093 .LP
1094 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1095 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1096 to be successful, that is, get an effective UID of 0 and additional privileges.
1097 .sp
1098 .LP
1099 The privilege implementation in illumos extends the process credential with
1100 four privilege sets:
1101 .sp
1102 .ne 2
1103 .na
1104 \fBI, the inheritable set\fR
1105 .ad
1106 .RS 26n
1107 The privileges inherited on \fBexec\fR.
1108 .RE
1109
1110 .sp
1111 .ne 2
1112 .na
1113 \fBP, the permitted set\fR
1114 .ad
1115 .RS 26n
1116 The maximum set of privileges for the process.
1117 .RE
1118
1119 .sp
1242 remain the same, as E, P and I are already identical.
1243 .sp
1244 .LP
1245 The limit set is enforced at \fBexec\fR time.
1246 .sp
1247 .LP
1248 To run a non-privilege-aware application in a backward-compatible manner, a
1249 privilege-aware application should start the non-privilege-aware application
1250 with I=basic.
1251 .sp
1252 .LP
1253 For most privileges, absence of the privilege simply results in a failure. In
1254 some instances, the absence of a privilege can cause system calls to behave
1255 differently. In other instances, the removal of a privilege can force a set-uid
1256 application to seriously malfunction. Privileges of this type are considered
1257 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1258 set, the system does not honor the set-uid bit of set-uid root applications.
1259 The following unsafe privileges have been identified: \fBproc_setid\fR,
1260 \fBsys_resource\fR and \fBproc_audit\fR.
1261 .SS "Privilege Escalation"
1262 In certain circumstances, a single privilege could lead to a process gaining
1263 one or more additional privileges that were not explicitly granted to that
1264 process. To prevent such an escalation of privileges, the security policy
1265 requires explicit permission for those additional privileges.
1266 .sp
1267 .LP
1268 Common examples of escalation are those mechanisms that allow modification of
1269 system resources through "raw" interfaces; for example, changing kernel data
1270 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1271 Escalation also occurs when a process controls processes with more privileges
1272 than the controlling process. A special case of this is manipulating or
1273 creating objects owned by UID 0 or trying to obtain UID 0 using
1274 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1275 owns all system configuration files and ordinary file protection mechanisms
1276 allow processes with UID 0 to modify the system configuration. With appropriate
1277 file modifications, a given process running with an effective UID of 0 can gain
1278 all privileges.
1279 .sp
1280 .LP
1281 In situations where a process might obtain UID 0, the security policy requires
1282 additional privileges, up to the full set of privileges. Such restrictions
1283 could be relaxed or removed at such time as additional mechanisms for
1284 protection of system files became available. There are no such mechanisms in
1285 the current release.
1286 .sp
1287 .LP
1288 The use of UID 0 processes should be limited as much as possible. They should
1289 be replaced with programs running under a different UID but with exactly the
1290 privileges they need.
1291 .sp
1292 .LP
1293 Daemons that never need to \fBexec\fR subprocesses should remove the
1294 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1295 .SS "Assigned Privileges and Safeguards"
1296 When privileges are assigned to a user, the system administrator could give
1297 that user more powers than intended. The administrator should consider whether
1298 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1299 privilege is given to a user, the administrator should consider setting the
1300 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1301 from locking all memory.
1302 .SS "Privilege Debugging"
1303 When a system call fails with a permission error, it is not always immediately
1304 obvious what caused the problem. To debug such a problem, you can use a tool
1305 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1306 process, the kernel reports missing privileges on the controlling terminal of
1307 the process. (Enable debugging for a process with the \fB-D\fR option of
1308 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1309 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1310 using:
1311 .sp
1312 .in +2
1313 .nf
1314 set priv_debug = 1
1315 .fi
1316 .in -2
1317
1318 .sp
1319 .LP
1320 On a running system, you can use \fBmdb\fR(1) to change this variable.
1321 .SS "Privilege Administration"
1322 Use \fBusermod\fR(1M) or \fBrolemod\fR(1M)
1323 to assign privileges to or modify privileges for, respectively, a user or a
1324 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1325 \fBtruss\fR(1) to determine which privileges a program requires.
1326 .SH SEE ALSO
1327 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1328 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1329 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1330 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1331 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1332 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1333 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1334 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1335 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1336 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1337 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1338 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1339 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1340 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1341 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1342 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1343 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1344 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1345 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1346 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
|