PRIVILEGES(5)         Standards, Environments, and Macros        PRIVILEGES(5)

NAME
     privileges - process privilege model

DESCRIPTION
     Solaris software implements a set of privileges that provide
     fine-grained control over the actions of processes. The possession of
     a certain privilege allows a process to perform a specific set of
     restricted operations.

     The change to a primarily privilege-based security model in the
     Solaris operating system gives developers an opportunity to restrict
     processes to those privileged operations actually needed instead of
     all (super-user) or no privileges (non-zero UIDs). Additionally, a set
     of previously unrestricted operations now requires a privilege; these
     privileges are dubbed the "basic" privileges and are by default given
     to all processes.

     Taken together, all defined privileges with the exception of the
     "basic" privileges compose the set of privileges that are
     traditionally associated with the root user. The "basic" privileges
     are "privileges" unprivileged processes were accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT
          Allow a process to request reliable delivery of events to an
          event endpoint.

          Allow a process to include events in the critical event set term
          of a template which could be generated in volume by the user.

     PRIV_CONTRACT_IDENTITY
          Allows a process to set the service FMRI value of a process
          contract template.

     PRIV_CONTRACT_OBSERVER
          Allow a process to observe contract events generated by contracts
          created and owned by users other than the process's effective
          user ID.

          Allow a process to open contract event endpoints belonging to
          contracts created and owned by users other than the process's
          effective user ID.

     PRIV_CPC_CPU
          Allow a process to access per-CPU hardware performance counters.

     PRIV_DTRACE_KERNEL
          Allow DTrace kernel-level tracing.

     PRIV_DTRACE_PROC
          Allow DTrace process-level tracing. Allow process-level tracing
          probes to be placed and enabled in processes to which the user
          has permissions.

     PRIV_DTRACE_USER
          Allow DTrace user-level tracing. Allow use of the syscall and
          profile DTrace providers to examine processes to which the user
          has permissions.

     PRIV_FILE_CHOWN
          Allow a process to change a file's owner user ID. Allow a process
          to change a file's group ID to one other than the process's
          effective group ID or one of the process's supplemental group
          IDs.

     PRIV_FILE_CHOWN_SELF
          Allow a process to give away its files. A process with this
          privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

     PRIV_FILE_DAC_EXECUTE
          Allow a process to execute an executable file whose permission
          bits or ACL would otherwise disallow the process execute
          permission.

     PRIV_FILE_DAC_READ
          Allow a process to read a file or directory whose permission bits
          or ACL would otherwise disallow the process read permission.

     PRIV_FILE_DAC_SEARCH
          Allow a process to search a directory whose permission bits or
          ACL would not otherwise allow the process search permission.

     PRIV_FILE_DAC_WRITE
          Allow a process to write a file or directory whose permission
          bits or ACL do not allow the process write permission. All
          privileges are required to write files owned by UID 0 in the
          absence of an effective UID of 0.

     PRIV_FILE_DOWNGRADE_SL
          Allow a process to set the sensitivity label of a file or
          directory to a sensitivity label that does not dominate the
          existing sensitivity label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_FILE_FLAG_SET
          Allows a process to set immutable, nounlink or appendonly file
          attributes.

     PRIV_FILE_LINK_ANY
          Allow a process to create hardlinks to files owned by a UID
          different from the process's effective UID.

     PRIV_FILE_OWNER
          Allow a process that is not the owner of a file to modify that
          file's access and modification times. Allow a process that is not
          the owner of a directory to modify that directory's access and
          modification times. Allow a process that is not the owner of a
          file or directory to remove or rename a file or directory whose
          parent directory has the "save text image after execution"
          (sticky) bit set. Allow a process that is not the owner of a file
          to mount a namefs upon that file. Allow a process that is not the
          owner of a file or directory to modify that file's or directory's
          permission bits or ACL.

     PRIV_FILE_READ
          Allow a process to read objects in the filesystem.

     PRIV_FILE_SETID
          Allow a process to change the ownership of a file or write to a
          file without the set-user-ID and set-group-ID bits being cleared.
          Allow a process to set the set-group-ID bit on a file or
          directory whose group is not the process's effective group or one
          of the process's supplemental groups. Allow a process to set the
          set-user-ID bit on a file with different ownership in the
          presence of PRIV_FILE_OWNER. Additional restrictions apply when
          creating or modifying a setuid 0 file.

     PRIV_FILE_UPGRADE_SL
          Allow a process to set the sensitivity label of a file or
          directory to a sensitivity label that dominates the existing
          sensitivity label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_FILE_WRITE
          Allow a process to modify objects in the filesystem.

     PRIV_GRAPHICS_ACCESS
          Allow a process to make privileged ioctls to graphics devices.
          Typically only an xserver process needs to have this privilege.
          A process with this privilege is also allowed to perform
          privileged graphics device mappings.

     PRIV_GRAPHICS_MAP
          Allow a process to perform privileged mappings through a graphics
          device.

     PRIV_IPC_DAC_READ
          Allow a process to read a System V IPC Message Queue, Semaphore
          Set, or Shared Memory Segment whose permission bits would not
          otherwise allow the process read permission.

     PRIV_IPC_DAC_WRITE
          Allow a process to write a System V IPC Message Queue, Semaphore
          Set, or Shared Memory Segment whose permission bits would not
          otherwise allow the process write permission.

     PRIV_IPC_OWNER
          Allow a process that is not the owner of a System V IPC Message
          Queue, Semaphore Set, or Shared Memory Segment to remove, change
          ownership of, or change permission bits of the Message Queue,
          Semaphore Set, or Shared Memory Segment.

     PRIV_NET_ACCESS
          Allow a process to open a TCP, UDP, SDP, or SCTP network
          endpoint.

     PRIV_NET_BINDMLP
          Allow a process to bind to a port that is configured as a
          multi-level port (MLP) for the process's zone. This privilege
          applies to both shared address and zone-specific address MLPs.
          See tnzonecfg(4) from the Trusted Extensions manual pages for
          information on configuring MLP ports.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_NET_ICMPACCESS
          Allow a process to send and receive ICMP packets.

     PRIV_NET_MAC_AWARE
          Allow a process to set the NET_MAC_AWARE process flag by using
          setpflags(2). This privilege also allows a process to set the
          SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
          NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option
          both allow a local process to communicate with an unlabeled peer
          if the local process's label dominates the peer's default label,
          or if the local process runs in the global zone.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_NET_MAC_IMPLICIT
          Allow a process to set the SO_MAC_IMPLICIT option by using
          setsockopt(3SOCKET). This allows a privileged process to transmit
          implicitly-labeled packets to a peer.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_NET_OBSERVABILITY
          Allow a process to open a device for receiving network traffic
          only; sending traffic is disallowed.

     PRIV_NET_PRIVADDR
          Allow a process to bind to a privileged port number. The
          privileged port numbers are 1-1023 (the traditional UNIX
          privileged ports) as well as those ports marked as
          "udp/tcp_extra_priv_ports" with the exception of the ports
          reserved for use by NFS and SMB.

     PRIV_NET_RAWACCESS
          Allow a process to have direct access to the network layer.

     PRIV_PROC_AUDIT
          Allow a process to generate audit records. Allow a process to get
          its own audit pre-selection information.

     PRIV_PROC_CHROOT
          Allow a process to change its root directory.

     PRIV_PROC_CLOCK_HIGHRES
          Allow a process to use high resolution timers.

     PRIV_PROC_EXEC
          Allow a process to call exec(2).

     PRIV_PROC_FORK
          Allow a process to call fork(2), fork1(2), or vfork(2).

     PRIV_PROC_INFO
          Allow a process to examine the status of processes other than
          those to which it can send signals. Processes that cannot be
          examined cannot be seen in /proc and appear not to exist.

     PRIV_PROC_LOCK_MEMORY
          Allow a process to lock pages in physical memory.

     PRIV_PROC_OWNER
          Allow a process to send signals to other processes and inspect
          and modify the process state in other processes, regardless of
          ownership. When modifying another process, additional
          restrictions apply: the effective privilege set of the attaching
          process must be a superset of the target process's effective,
          permitted, and inheritable sets; the limit set must be a superset
          of the target's limit set; if the target process has any UID set
          to 0 all privileges must be asserted unless the effective UID is
          0. Allow a process to bind arbitrary processes to CPUs.

     PRIV_PROC_PRIOUP
          Allow a process to elevate its priority above its current level.

     PRIV_PROC_PRIOCNTL
          Allows all that PRIV_PROC_PRIOUP allows. Allow a process to
          change its scheduling class to any scheduling class, including
          the RT class.

     PRIV_PROC_SECFLAGS
          Allow a process to manipulate the secflags of processes (subject,
          additionally, to the ability to signal that process).

     PRIV_PROC_SESSION
          Allow a process to send signals or trace processes outside its
          session.

     PRIV_PROC_SETID
          Allow a process to set its UIDs at will, assuming UID 0 requires
          all privileges to be asserted.

     PRIV_PROC_TASKID
          Allow a process to assign a new task ID to the calling process.

     PRIV_PROC_ZONE
          Allow a process to trace or send signals to processes in other
          zones. See zones(5).

     PRIV_SYS_ACCT
          Allow a process to enable and disable and manage accounting
          through acct(2).

     PRIV_SYS_ADMIN
          Allow a process to perform system administration tasks such as
          setting node and domain name and specifying coreadm(1M) and
          nscd(1M) settings.

     PRIV_SYS_AUDIT
          Allow a process to start the (kernel) audit daemon. Allow a
          process to view and set audit state (audit user ID, audit
          terminal ID, audit sessions ID, audit pre-selection mask). Allow
          a process to turn off and on auditing. Allow a process to
          configure the audit parameters (cache and queue sizes, event to
          class mappings, and policy options).

     PRIV_SYS_CONFIG
          Allow a process to perform various system configuration tasks.
          Allow filesystem-specific administrative procedures, such as
          filesystem configuration ioctls, quota calls, creation and
          deletion of snapshots, and manipulating the PCFS bootsector.

     PRIV_SYS_DEVICES
          Allow a process to create device special files. Allow a process
          to successfully call a kernel module that calls the kernel
          drv_priv(9F) function to check for allowed access. Allow a
          process to open the real console device directly. Allow a process
          to open devices that have been exclusively opened.

     PRIV_SYS_DL_CONFIG
          Allow a process to configure a system's datalink interfaces.

     PRIV_SYS_IP_CONFIG
          Allow a process to configure a system's IP interfaces and routes.
          Allow a process to configure network parameters for TCP/IP using
          ndd. Allow a process access to otherwise restricted TCP/IP
          information using ndd. Allow a process to configure IPsec. Allow
          a process to pop anchored STREAMS modules with matching zoneid.

     PRIV_SYS_IPC_CONFIG
          Allow a process to increase the size of a System V IPC Message
          Queue buffer.

     PRIV_SYS_IPTUN_CONFIG
          Allow a process to configure IP tunnel links.

     PRIV_SYS_LINKDIR
          Allow a process to unlink and link directories.

     PRIV_SYS_MOUNT
          Allow a process to mount and unmount filesystems that would
          otherwise be restricted (that is, most filesystems except
          namefs). Allow a process to add and remove swap devices.

     PRIV_SYS_NET_CONFIG
          Allow a process to do all that PRIV_SYS_IP_CONFIG,
          PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
          following: use the rpcmod STREAMS module and insert/remove
          STREAMS modules on locations other than the top of the module
          stack.

     PRIV_SYS_NFS
          Allow a process to provide NFS service: start NFS kernel threads,
          perform NFS locking operations, bind to NFS reserved ports: port
          2049 (nfs) and port 4045 (lockd).

     PRIV_SYS_PPP_CONFIG
          Allow a process to create, configure, and destroy PPP instances
          with pppd(1M) and control PPPoE plumbing with sppptun(1M). This
          privilege is granted by default to exclusive IP stack instance
          zones.

     PRIV_SYS_RES_BIND
          Allows a process to bind processes to processor sets.

     PRIV_SYS_RES_CONFIG
          Allows all that PRIV_SYS_RES_BIND allows. Allow a process to
          create and delete processor sets, assign CPUs to processor sets
          and override the PSET_NOESCAPE property. Allow a process to
          change the operational status of CPUs in the system using
          p_online(2). Allow a process to configure filesystem quotas.
          Allow a process to configure resource pools and bind processes
          to pools.

     PRIV_SYS_RESOURCE
          Allow a process to exceed the resource limits imposed on it by
          setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB
          Allow a process to provide NetBIOS or SMB services: start SMB
          kernel threads or bind to NetBIOS or SMB reserved ports: ports
          137, 138, 139 (NetBIOS) and 445 (SMB).

     PRIV_SYS_SUSER_COMPAT
          Allow a process to successfully call a third party loadable
          module that calls the kernel suser() function to check for
          allowed access. This privilege exists only for third party
          loadable module compatibility and is not used by Solaris proper.

     PRIV_SYS_TIME
          Allow a process to manipulate system time using any of the
          appropriate system calls: stime(2), adjtime(2), and
          ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL
          Allow a process to translate labels that are not dominated by the
          process's sensitivity label to and from an external string form.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_VIRT_MANAGE
          Allows a process to manage virtualized environments such as
          xVM(5).

     PRIV_WIN_COLORMAP
          Allow a process to override colormap restrictions.

          Allow a process to install or remove colormaps.

          Allow a process to retrieve colormap cell entries allocated by
          other processes.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_CONFIG
          Allow a process to configure or destroy resources that are
          permanently retained by the X server.

          Allow a process to use SetScreenSaver to set the screen saver
          timeout value.

          Allow a process to use ChangeHosts to modify the display access
          control list.

          Allow a process to use GrabServer.

          Allow a process to use the SetCloseDownMode request that can
          retain window, pixmap, colormap, property, cursor, font, or
          graphic context resources.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_DAC_READ
          Allow a process to read from a window resource that it does not
          own (has a different user ID).

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_DAC_WRITE
          Allow a process to write to or create a window resource that it
          does not own (has a different user ID). A newly created window
          property is created with the window's user ID.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_DEVICES
          Allow a process to perform operations on window input devices.

          Allow a process to get and set keyboard and pointer controls.

          Allow a process to modify pointer button and key mappings.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_DGA
          Allow a process to use the direct graphics access (DGA) X
          protocol extensions. Direct process access to the frame buffer is
          still required. Thus the process must have MAC and DAC privileges
          that allow access to the frame buffer, or the frame buffer must
          be allocated to the process.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_DOWNGRADE_SL
          Allow a process to set the sensitivity label of a window resource
          to a sensitivity label that does not dominate the existing
          sensitivity label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_FONTPATH
          Allow a process to set a font path.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_MAC_READ
          Allow a process to read from a window resource whose sensitivity
          label is not equal to the process sensitivity label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_MAC_WRITE
          Allow a process to create a window resource whose sensitivity
          label is not equal to the process sensitivity label. A newly
          created window property is created with the window's sensitivity
          label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_SELECTION
          Allow a process to request inter-window data moves without the
          intervention of the selection confirmer.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_WIN_UPGRADE_SL
          Allow a process to set the sensitivity label of a window resource
          to a sensitivity label that dominates the existing sensitivity
          label.

          This privilege is interpreted only if the system is configured
          with Trusted Extensions.

     PRIV_XVM_CONTROL
          Allows a process access to the xVM(5) control devices for
          managing guest domains and the hypervisor. This privilege is used
          only if booted into xVM on x86 platforms.

     Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
     PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK and PRIV_PROC_EXEC
     are considered "basic" privileges. These are privileges that used to
     be always available to unprivileged processes. By default, processes
     still have the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
     the Limit set (see below) of a process in order for set-uid root execs
     to be successful, that is, get an effective UID of 0 and additional
     privileges.

     The privilege implementation in Solaris extends the process credential
     with four privilege sets:

     I, the inheritable set
          The privileges inherited on exec.

     P, the permitted set
          The maximum set of privileges for the process.

     E, the effective set
          The privileges currently in effect.

     L, the limit set
          The upper bound of the privileges a process and its offspring can
          obtain. Changes to L take effect on the next exec.

     The sets I, P and E are typically identical to the basic set of
     privileges for unprivileged processes. The limit set is typically the
     full set of privileges.

     Each process has a Privilege Awareness State (PAS) that can take the
     value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
     mechanism that allows a choice between full compatibility with the old
     superuser model and completely ignoring the effective UID.

     To facilitate the discussion, we introduce the notion of "observed
     effective set" (oE) and "observed permitted set" (oP) and the
     implementation sets iE and iP.

     A process becomes privilege-aware either by manipulating the
     effective, permitted, or limit privilege sets through setppriv(2) or
     by using setpflags(2). In all cases, oE and oP are invariant in the
     process of becoming privilege-aware. In the process of becoming
     privilege-aware, the following assignments take place:

          iE = oE
          iP = oP

     When a process is privilege-aware, oE and oP are invariant under UID
     changes. When a process is not privilege-aware, oE and oP are observed
     as follows:

          oE = euid == 0 ? L : iE
          oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

     When a non-privilege-aware process has an effective UID of 0, it can
     exercise the privileges contained in its limit set, the upper bound of
     its privileges. If a non-privilege-aware process has any of its UIDs
     equal to 0, it appears to be capable of potentially exercising all
     privileges in L.

     It is possible for a process to return to the non-privilege-aware
     state using setpflags(2). The kernel always attempts this on exec(2).
     This operation is permitted only if the following conditions are met:

          o If any of the UIDs is equal to 0, P must be equal to L.

          o If the effective UID is equal to 0, E must be equal to L.

     When a process gives up privilege awareness, the following assignments
     take place:

          if (euid == 0) iE = L & I
          if (any uid == 0) iP = L & I

     The privileges obtained when not having a UID of 0 are the inheritable
     set of the process restricted by the limit set.

     Only privileges in the process's (observed) effective privilege set
     allow the process to perform restricted operations. A process can use
     any of the privilege manipulation functions to add or remove
     privileges from the privilege sets. Privileges can be removed always.
     Only privileges found in the permitted set can be added to the
     effective and inheritable set. The limit set cannot grow. The
     inheritable set can be larger than the permitted set.

     When a process performs an exec(2), the kernel first tries to
     relinquish privilege awareness before making the following privilege
     set modifications:

          E' = P' = I' = L & I
          L is unchanged

     If a process has not manipulated its privileges, the privilege sets
     effectively remain the same, as E, P and I are already identical.

     The limit set is enforced at exec time.

     To run a non-privilege-aware application in a backward-compatible
     manner, a privilege-aware application should start the
     non-privilege-aware application with I=basic.

     For most privileges, absence of the privilege simply results in a
     failure. In some instances, the absence of a privilege can cause
     system calls to behave differently. In other instances, the removal of
     a privilege can force a set-uid application to seriously malfunction.
     Privileges of this type are considered "unsafe". When a process is
     lacking any of the unsafe privileges from its limit set, the system
     does not honor the set-uid bit of set-uid root applications. The
     following unsafe privileges have been identified: proc_setid,
     sys_resource and proc_audit.

   Privilege Escalation
     In certain circumstances, a single privilege could lead to a process
     gaining one or more additional privileges that were not explicitly
     granted to that process. To prevent such an escalation of privileges,
     the security policy requires explicit permission for those additional
     privileges.

     Common examples of escalation are those mechanisms that allow
     modification of system resources through "raw" interfaces; for
     example, changing kernel data structures through /dev/kmem or changing
     files through /dev/dsk/*. Escalation also occurs when a process
     controls processes with more privileges than the controlling process.
     A special case of this is manipulating or creating objects owned by
     UID 0 or trying to obtain UID 0 using setuid(2). The special treatment
     of UID 0 is needed because UID 0 owns all system configuration files
     and ordinary file protection mechanisms allow processes with UID 0 to
     modify the system configuration. With appropriate file modifications,
     a given process running with an effective UID of 0 can gain all
     privileges.

     In situations where a process might obtain UID 0, the security policy
     requires additional privileges, up to the full set of privileges. Such
     restrictions could be relaxed or removed at such time as additional
     mechanisms for protection of system files became available. There are
     no such mechanisms in the current Solaris release.

     The use of UID 0 processes should be limited as much as possible. They
     should be replaced with programs running under a different UID but
     with exactly the privileges they need.

     Daemons that never need to exec subprocesses should remove the
     PRIV_PROC_EXEC privilege from their permitted and limit sets.
770
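     The rules stated above for the four sets I, P, E and L, for becoming
     and relinquishing privilege awareness, for the observed sets oE and
     oP, for privilege-set manipulation, for exec(2), for the "unsafe"
     privileges and set-uid root execs, and the recommendation just given
     that a daemon drop PRIV_PROC_EXEC from its permitted and limit sets,
     carried through as one worked example. The code below is added to this
     page and is not Solaris code: it models each privilege set as a bitmask
     rather than a priv_set_t, the bit assignments and the cred_t layout are
     constructed assumptions, and two rules the text does not state (that P
     cannot grow and that E stays within P) are assumptions marked in the
     comments. The names observed_E, observed_P, become_privilege_aware,
     relinquish_privilege_awareness, do_exec, setuid_root_honored,
     priv_set_change and daemon_drop_exec are chosen for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not Solaris code): a bitmask model of the privilege sets
 * I, P, E, L and of the privilege-awareness rules in the text above. The
 * real kernel uses priv_set_t with setppriv(2)/priv_*(3C); the bit numbers
 * below are a constructed assumption. */
typedef uint32_t privset_t;

enum {
    PRIV_PROC_FORK = 1u << 0, PRIV_PROC_EXEC = 1u << 1, PRIV_PROC_INFO = 1u << 2,
    PRIV_PROC_SESSION = 1u << 3, PRIV_FILE_LINK_ANY = 1u << 4,
    PRIV_PROC_SETID = 1u << 5, PRIV_PROC_AUDIT = 1u << 6, PRIV_SYS_RESOURCE = 1u << 7,
    PRIV_NET_PRIVADDR = 1u << 8, PRIV_FILE_DAC_READ = 1u << 9,
};
#define PRIV_BASIC  (PRIV_PROC_FORK | PRIV_PROC_EXEC | PRIV_PROC_INFO | \
                     PRIV_PROC_SESSION | PRIV_FILE_LINK_ANY)
#define PRIV_ALL    ((privset_t)((1u << 10) - 1))
#define PRIV_UNSAFE (PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT)

typedef struct {
    privset_t iE, iP;           /* implementation sets behind oE and oP */
    privset_t I, L;             /* inheritable and limit sets */
    bool pa;                    /* privilege-aware (PA) or not (NPA) */
    uint32_t ruid, euid, suid;
} cred_t;

static bool any_uid_zero(const cred_t *c) {
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}

/* Observed sets: for an NPA process a UID of 0 exposes the whole limit set. */
privset_t observed_E(const cred_t *c) {
    return (!c->pa && c->euid == 0) ? c->L : c->iE;
}
privset_t observed_P(const cred_t *c) {
    return (!c->pa && any_uid_zero(c)) ? c->L : c->iP;
}

/* Becoming PA keeps oE and oP invariant: iE = oE, iP = oP. */
void become_privilege_aware(cred_t *c) {
    privset_t oE = observed_E(c), oP = observed_P(c);
    c->iE = oE; c->iP = oP; c->pa = true;
}

/* Returning to NPA: a UID-0 process needs P == L, an euid-0 process needs
 * E == L; the implementation sets then fall back to L & I. */
bool relinquish_privilege_awareness(cred_t *c) {
    if (!c->pa) return true;
    if (any_uid_zero(c) && c->iP != c->L) return false;
    if (c->euid == 0 && c->iE != c->L) return false;
    if (c->euid == 0) c->iE = c->L & c->I;
    if (any_uid_zero(c)) c->iP = c->L & c->I;
    c->pa = false;
    return true;
}

/* exec(2): try to drop awareness, then E' = P' = I' = L & I, L unchanged. */
void do_exec(cred_t *c) {
    (void)relinquish_privilege_awareness(c);   /* may legitimately fail */
    privset_t next = c->L & c->I;
    c->iE = next; c->iP = next; c->I = next;
}

/* The set-uid bit of a set-uid root program is honored only while no
 * "unsafe" privilege is missing from the limit set. */
bool setuid_root_honored(const cred_t *c) {
    return (c->L & PRIV_UNSAFE) == PRIV_UNSAFE;
}

typedef enum { SET_E, SET_P, SET_I, SET_L } privwhich_t;

/* setppriv(2)-style change: removal always succeeds; E and I may only gain
 * privileges in the observed P; L never grows (and, an assumption the text
 * does not state, neither does P). Touching E, P or L makes the process PA. */
bool priv_set_change(cred_t *c, bool add, privwhich_t which, privset_t s) {
    if (which != SET_I) become_privilege_aware(c);
    privset_t *target = which == SET_E ? &c->iE : which == SET_P ? &c->iP
                      : which == SET_I ? &c->I : &c->L;
    if (!add) {
        *target &= ~s;
        if (which == SET_P) c->iE &= c->iP;  /* assumed invariant: E within P */
        return true;
    }
    if (which == SET_L || which == SET_P) return false;
    if ((s & ~observed_P(c)) != 0) return false;
    *target |= s;
    return true;
}

/* Daemon hardening as recommended above: drop PRIV_PROC_EXEC from P and L
 * so that neither this process nor anything it spawns can regain it. */
void daemon_drop_exec(cred_t *c) {
    (void)priv_set_change(c, false, SET_P, PRIV_PROC_EXEC);
    (void)priv_set_change(c, false, SET_L, PRIV_PROC_EXEC);
}
```

     With these functions an NPA credential with euid 0 reports L as its
     observed effective set while the same credential with euid 100
     reports iE, a PA root process that has shrunk E below L is refused
     when it tries to return to NPA, an exec with I=basic leaves the child
     with E, P and I equal to the basic set, and once daemon_drop_exec has
     removed PRIV_PROC_EXEC from L no later priv_set_change can put it
     back, since the limit set cannot grow.
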
   Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system administrator could
     give that user more powers than intended. The administrator should
     consider whether safeguards are needed. For example, if the
     PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
     should consider setting the project.max-locked-memory resource control
     as well, to prevent that user from locking all memory.

   Privilege Debugging
     When a system call fails with a permission error, it is not always
     immediately obvious what caused the problem. To debug such a problem,
     you can use a tool called privilege debugging. When privilege
     debugging is enabled for a process, the kernel reports missing
     privileges on the controlling terminal of the process. (Enable
     debugging for a process with the -D option of ppriv(1).) Additionally,
     the administrator can enable system-wide privilege debugging by
     setting the system(4) variable priv_debug using:

          set priv_debug = 1

     On a running system, you can use mdb(1) to change this variable.

   Privilege Administration
     The Solaris Management Console (see smc(1M)) is the preferred method
     of modifying privileges for a command. Use usermod(1M) or smrole(1M)
     to assign privileges to or modify privileges for, respectively, a user
     or a role. Use ppriv(1) to enumerate the privileges supported on a
     system and truss(1) to determine which privileges a program requires.

SEE ALSO
     mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
     pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M),
     Intro(2), access(2), acct(2), acl(2), adjtime(2), audit(2),
     auditon(2), chmod(2), chown(2), chroot(2), creat(2), exec(2),
     fcntl(2), fork(2), fpathconf(2), getacct(2), getpflags(2),
     getppriv(2), getsid(2), kill(2), link(2), memcntl(2), mknod(2),
     mount(2), msgctl(2), nice(2), ntp_adjtime(2), open(2), p_online(2),
     priocntl(2), priocntlset(2), processor_bind(2), pset_bind(2),
     pset_create(2), readlink(2), resolvepath(2), rmdir(2), semctl(2),
     setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2),
     setpflags(2), setppriv(2), setrctl(2), setregid(2), setreuid(2),
     setrlimit(2), settaskid(2), setuid(2), shmctl(2), shmget(2), shmop(2),
     sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2), sysinfo(2),
     uadmin(2), ulimit(2), umount(2), unlink(2), utime(2), utimes(2),
     bind(3SOCKET), door_ucred(3C), priv_addset(3C), priv_set(3C),
     priv_getbyname(3C), priv_getbynum(3C), priv_set_to_str(3C),
     priv_str_to_set(3C), socket(3SOCKET), t_bind(3NSL), timer_create(3C),
     ucred_get(3C), exec_attr(4), proc(4), system(4), user_attr(4),
     xVM(5), ddi_cred(9F), drv_priv(9F), priv_getbyname(9F),
     priv_policy(9F), priv_policy_choice(9F), priv_policy_only(9F)

     System Administration Guide: Security Services

                               February 3, 2015                PRIVILEGES(5)