PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)

NAME
privileges - process privilege model

DESCRIPTION
Solaris software implements a set of privileges that provide fine-grained control over the actions of processes. The possession of a certain privilege allows a process to perform a specific set of restricted operations.

The change to a primarily privilege-based security model in the Solaris operating system gives developers an opportunity to restrict processes to those privileged operations actually needed instead of all (superuser) or no privileges (non-zero UIDs). Additionally, a set of previously unrestricted operations now requires a privilege; these privileges are dubbed the "basic" privileges.

The "basic" privileges, and certain privileges representing concepts not traditionally present, are by default given to all processes. These are the "default" set of privileges.

Taken together, all defined privileges with the exception of the "default" privileges compose the set of privileges that are traditionally associated with the root user. The "basic" privileges are the "privileges" that unprivileged processes were accustomed to having, and the "default" privileges are the "basic" privileges plus additions that unprivileged processes are not accustomed to but should now have.

The defined privileges are:
38
PRIV_CONTRACT_EVENT

Allow a process to request reliable delivery of events to an event endpoint.

Allow a process to include events in the critical event set term of a template which could be generated in volume by the user.

PRIV_CONTRACT_IDENTITY

Allow a process to set the service FMRI value of a process contract template.

PRIV_CONTRACT_OBSERVER

Allow a process to observe contract events generated by contracts created and owned by users other than the process's effective user ID.

Allow a process to open contract event endpoints belonging to contracts created and owned by users other than the process's effective user ID.

PRIV_CPC_CPU

Allow a process to access per-CPU hardware performance counters.

PRIV_DTRACE_KERNEL

Allow DTrace kernel-level tracing.

PRIV_DTRACE_PROC

Allow DTrace process-level tracing. Allow process-level tracing probes to be placed and enabled in processes to which the user has permissions.

PRIV_DTRACE_USER

Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace providers to examine processes to which the user has permissions.

PRIV_FILE_CHOWN

Allow a process to change a file's owner user ID. Allow a process to change a file's group ID to one other than the process's effective group ID or one of the process's supplemental group IDs.

PRIV_FILE_CHOWN_SELF

Allow a process to give away its files. A process with this privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

PRIV_FILE_DAC_EXECUTE

Allow a process to execute an executable file whose permission bits or ACL would otherwise disallow the process execute permission.

PRIV_FILE_DAC_READ

Allow a process to read a file or directory whose permission bits or ACL would otherwise disallow the process read permission.

PRIV_FILE_DAC_SEARCH

Allow a process to search a directory whose permission bits or ACL would not otherwise allow the process search permission.

PRIV_FILE_DAC_WRITE

Allow a process to write a file or directory whose permission bits or ACL do not allow the process write permission. All privileges are required to write files owned by UID 0 in the absence of an effective UID of 0.
127
PRIV_FILE_DOWNGRADE_SL

Allow a process to set the sensitivity label of a file or directory to a sensitivity label that does not dominate the existing sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_FILE_FLAG_SET

Allow a process to set the immutable, nounlink or appendonly file attributes.

PRIV_FILE_LINK_ANY

Allow a process to create hardlinks to files owned by a UID different from the process's effective UID.

PRIV_FILE_OWNER

Allow a process that is not the owner of a file to modify that file's access and modification times. Allow a process that is not the owner of a directory to modify that directory's access and modification times. Allow a process that is not the owner of a file or directory to remove or rename a file or directory whose parent directory has the "save text image after execution" (sticky) bit set. Allow a process that is not the owner of a file to mount a namefs upon that file. Allow a process that is not the owner of a file or directory to modify that file's or directory's permission bits or ACL.

PRIV_FILE_READ

Allow a process to open objects in the filesystem for reading. This privilege is not necessary to read from an already open file which was opened before dropping the PRIV_FILE_READ privilege.

PRIV_FILE_SETID

Allow a process to change the ownership of a file or write to a file without the set-user-ID and set-group-ID bits being cleared. Allow a process to set the set-group-ID bit on a file or directory whose group is not the process's effective group or one of the process's supplemental groups. Allow a process to set the set-user-ID bit on a file with different ownership in the presence of PRIV_FILE_OWNER. Additional restrictions apply when creating or modifying a setuid 0 file.

PRIV_FILE_UPGRADE_SL

Allow a process to set the sensitivity label of a file or directory to a sensitivity label that dominates the existing sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_FILE_WRITE

Allow a process to open objects in the filesystem for writing, or otherwise modify them. This privilege is not necessary to write to an already open file which was opened before dropping the PRIV_FILE_WRITE privilege.

PRIV_GRAPHICS_ACCESS

Allow a process to make privileged ioctls to graphics devices. Typically only an xserver process needs to have this privilege. A process with this privilege is also allowed to perform privileged graphics device mappings.

PRIV_GRAPHICS_MAP

Allow a process to perform privileged mappings through a graphics device.

PRIV_IPC_DAC_READ

Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment whose permission bits would not otherwise allow the process read permission.

PRIV_IPC_DAC_WRITE

Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment whose permission bits would not otherwise allow the process write permission.

PRIV_IPC_OWNER

Allow a process that is not the owner of a System V IPC Message Queue, Semaphore Set, or Shared Memory Segment to remove, change ownership of, or change permission bits of the Message Queue, Semaphore Set, or Shared Memory Segment.
236
PRIV_NET_ACCESS

Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This privilege is not necessary to communicate using an existing endpoint already opened before dropping the PRIV_NET_ACCESS privilege.

PRIV_NET_BINDMLP

Allow a process to bind to a port that is configured as a multi-level port (MLP) for the process's zone. This privilege applies to both shared address and zone-specific address MLPs. See tnzonecfg(4) from the Trusted Extensions manual pages for information on configuring MLP ports.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_NET_ICMPACCESS

Allow a process to send and receive ICMP packets.

PRIV_NET_MAC_AWARE

Allow a process to set the NET_MAC_AWARE process flag by using setpflags(2). This privilege also allows a process to set the SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both allow a local process to communicate with an unlabeled peer if the local process's label dominates the peer's default label, or if the local process runs in the global zone.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_NET_MAC_IMPLICIT

Allow a process to set the SO_MAC_IMPLICIT option by using setsockopt(3SOCKET). This allows a privileged process to transmit implicitly-labeled packets to a peer.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_NET_OBSERVABILITY

Allow a process to open a device for receiving network traffic only; sending traffic is disallowed.

PRIV_NET_PRIVADDR

Allow a process to bind to a privileged port number. The privileged port numbers are 1-1023 (the traditional UNIX privileged ports) as well as those ports marked as "udp/tcp_extra_priv_ports", with the exception of the ports reserved for use by NFS and SMB.

PRIV_NET_RAWACCESS

Allow a process to have direct access to the network layer.

PRIV_PROC_AUDIT

Allow a process to generate audit records. Allow a process to get its own audit pre-selection information.

PRIV_PROC_CHROOT

Allow a process to change its root directory.

PRIV_PROC_CLOCK_HIGHRES

Allow a process to use high resolution timers.

PRIV_PROC_EXEC

Allow a process to call exec(2).

PRIV_PROC_FORK

Allow a process to call fork(2), fork1(2), or vfork(2).
330
PRIV_PROC_INFO

Allow a process to examine the status of processes other than those to which it can send signals. Processes that cannot be examined cannot be seen in /proc and appear not to exist.

PRIV_PROC_LOCK_MEMORY

Allow a process to lock pages in physical memory.

PRIV_PROC_MEMINFO

Allow a process to access physical memory information.

PRIV_PROC_OWNER

Allow a process to send signals to other processes and inspect and modify the process state in other processes, regardless of ownership. When modifying another process, additional restrictions apply: the effective privilege set of the attaching process must be a superset of the target process's effective, permitted, and inheritable sets; the limit set must be a superset of the target's limit set; if the target process has any UID set to 0, all privileges must be asserted unless the effective UID is 0. Allow a process to bind arbitrary processes to CPUs.

PRIV_PROC_PRIOUP

Allow a process to elevate its priority above its current level.

PRIV_PROC_PRIOCNTL

Allow all that PRIV_PROC_PRIOUP allows. Allow a process to change its scheduling class to any scheduling class, including the RT class.

PRIV_PROC_SESSION

Allow a process to send signals to or trace processes outside its session.

PRIV_PROC_SETID

Allow a process to set its UIDs at will; assuming UID 0 requires all privileges to be asserted.

PRIV_PROC_TASKID

Allow a process to assign a new task ID to the calling process.

PRIV_PROC_ZONE

Allow a process to trace or send signals to processes in other zones. See zones(5).

PRIV_SYS_ACCT

Allow a process to enable, disable, and manage accounting through acct(2).

PRIV_SYS_ADMIN

Allow a process to perform system administration tasks such as setting the node and domain name and specifying coreadm(1M) and nscd(1M) settings.

PRIV_SYS_AUDIT

Allow a process to start the (kernel) audit daemon. Allow a process to view and set audit state (audit user ID, audit terminal ID, audit session ID, audit pre-selection mask). Allow a process to turn auditing off and on. Allow a process to configure the audit parameters (cache and queue sizes, event to class mappings, and policy options).

PRIV_SYS_CONFIG

Allow a process to perform various system configuration tasks. Allow filesystem-specific administrative procedures, such as filesystem configuration ioctls, quota calls, creation and deletion of snapshots, and manipulating the PCFS bootsector.

PRIV_SYS_DEVICES

Allow a process to create device special files. Allow a process to successfully call a kernel module that calls the kernel drv_priv(9F) function to check for allowed access. Allow a process to open the real console device directly. Allow a process to open devices that have been exclusively opened.
435
PRIV_SYS_DL_CONFIG

Allow a process to configure a system's datalink interfaces.

PRIV_SYS_IP_CONFIG

Allow a process to configure a system's IP interfaces and routes. Allow a process to configure network parameters for TCP/IP using ndd. Allow a process access to otherwise restricted TCP/IP information using ndd. Allow a process to configure IPsec. Allow a process to pop anchored STREAMS modules with a matching zoneid.

PRIV_SYS_IPC_CONFIG

Allow a process to increase the size of a System V IPC Message Queue buffer.

PRIV_SYS_IPTUN_CONFIG

Allow a process to configure IP tunnel links.

PRIV_SYS_LINKDIR

Allow a process to unlink and link directories.

PRIV_SYS_MOUNT

Allow a process to mount and unmount filesystems that would otherwise be restricted (that is, most filesystems except namefs). Allow a process to add and remove swap devices.

PRIV_SYS_NET_CONFIG

Allow a process to do all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the following: use the rpcmod STREAMS module and insert/remove STREAMS modules at locations other than the top of the module stack.

PRIV_SYS_NFS

Allow a process to provide NFS service: start NFS kernel threads, perform NFS locking operations, and bind to the NFS reserved ports: port 2049 (nfs) and port 4045 (lockd).

PRIV_SYS_PPP_CONFIG

Allow a process to create, configure, and destroy PPP instances with pppd(1M) and control PPPoE plumbing with sppptun(1M). This privilege is granted by default to exclusive IP stack instance zones.

PRIV_SYS_RES_BIND

Allow a process to bind processes to processor sets.

PRIV_SYS_RES_CONFIG

Allow all that PRIV_SYS_RES_BIND allows. Allow a process to create and delete processor sets, assign CPUs to processor sets and override the PSET_NOESCAPE property. Allow a process to change the operational status of CPUs in the system using p_online(2). Allow a process to configure filesystem quotas. Allow a process to configure resource pools and bind processes to pools.

PRIV_SYS_RESOURCE

Allow a process to exceed the resource limits imposed on it by setrlimit(2) and setrctl(2).

PRIV_SYS_SMB

Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or bind to the NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445 (SMB).

PRIV_SYS_SUSER_COMPAT

Allow a process to successfully call a third party loadable module that calls the kernel suser() function to check for allowed access. This privilege exists only for third party loadable module compatibility and is not used by Solaris proper.

PRIV_SYS_TIME

Allow a process to manipulate system time using any of the appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).

PRIV_SYS_TRANS_LABEL

Allow a process to translate labels that are not dominated by the process's sensitivity label to and from an external string form.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_VIRT_MANAGE

Allow a process to manage virtualized environments such as xVM(5).
551
PRIV_WIN_COLORMAP

Allow a process to override colormap restrictions.

Allow a process to install or remove colormaps.

Allow a process to retrieve colormap cell entries allocated by other processes.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_CONFIG

Allow a process to configure or destroy resources that are permanently retained by the X server.

Allow a process to use SetScreenSaver to set the screen saver timeout value.

Allow a process to use ChangeHosts to modify the display access control list.

Allow a process to use GrabServer.

Allow a process to use the SetCloseDownMode request that can retain window, pixmap, colormap, property, cursor, font, or graphic context resources.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_DAC_READ

Allow a process to read from a window resource that it does not own (has a different user ID).

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_DAC_WRITE

Allow a process to write to or create a window resource that it does not own (has a different user ID). A newly created window property is created with the window's user ID.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_DEVICES

Allow a process to perform operations on window input devices.

Allow a process to get and set keyboard and pointer controls.

Allow a process to modify pointer button and key mappings.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_DGA

Allow a process to use the direct graphics access (DGA) X protocol extensions. Direct process access to the frame buffer is still required. Thus the process must have MAC and DAC privileges that allow access to the frame buffer, or the frame buffer must be allocated to the process.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_DOWNGRADE_SL

Allow a process to set the sensitivity label of a window resource to a sensitivity label that does not dominate the existing sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_FONTPATH

Allow a process to set a font path.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_MAC_READ

Allow a process to read from a window resource whose sensitivity label is not equal to the process sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_MAC_WRITE

Allow a process to create a window resource whose sensitivity label is not equal to the process sensitivity label. A newly created window property is created with the window's sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_SELECTION

Allow a process to request inter-window data moves without the intervention of the selection confirmer.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_WIN_UPGRADE_SL

Allow a process to set the sensitivity label of a window resource to a sensitivity label that dominates the existing sensitivity label.

This privilege is interpreted only if the system is configured with Trusted Extensions.

PRIV_XVM_CONTROL

Allow a process access to the xVM(5) control devices for managing guest domains and the hypervisor. This privilege is used only if booted into xVM on x86 platforms.
692
Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered "basic" privileges. These are privileges that used to be always available to unprivileged processes. By default, processes still have the basic privileges.

The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in the Limit set (see below) of a process in order for set-uid root execs to be successful, that is, to get an effective UID of 0 and additional privileges.

The privilege implementation in Solaris extends the process credential with four privilege sets:

I, the inheritable set
    The privileges inherited on exec.

P, the permitted set
    The maximum set of privileges for the process.

E, the effective set
    The privileges currently in effect.

L, the limit set
    The upper bound of the privileges a process and its offspring can obtain. Changes to L take effect on the next exec.

The sets I, P and E are typically identical to the basic set of privileges for unprivileged processes. The limit set is typically the full set of privileges.

Each process has a Privilege Awareness State (PAS) that can take the value PA (privilege-aware) or NPA (not privilege-aware). PAS is a transitional mechanism that allows a choice between full compatibility with the old superuser model and completely ignoring the effective UID.

To facilitate the discussion, we introduce the notion of the "observed effective set" (oE) and the "observed permitted set" (oP), and the implementation sets iE and iP.

A process becomes privilege-aware either by manipulating the effective, permitted, or limit privilege sets through setppriv(2) or by using setpflags(2). In all cases, oE and oP are invariant in the process of becoming privilege-aware. In the process of becoming privilege-aware, the following assignments take place:

    iE = oE
    iP = oP

When a process is privilege-aware, oE and oP are invariant under UID changes. When a process is not privilege-aware, oE and oP are observed as follows:

    oE = euid == 0 ? L : iE
    oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

When a non-privilege-aware process has an effective UID of 0, it can exercise the privileges contained in its limit set, the upper bound of its privileges. If a non-privilege-aware process has any of its UIDs equal to 0, it appears to be capable of potentially exercising all privileges in L.
772
It is possible for a process to return to the non-privilege-aware state using setpflags(). The kernel always attempts this on exec(2). This operation is permitted only if the following conditions are met:

o If any of the UIDs is equal to 0, P must be equal to L.

o If the effective UID is equal to 0, E must be equal to L.

When a process gives up privilege awareness, the following assignments take place:

    if (euid == 0) iE = L & I
    if (any uid == 0) iP = L & I

The privileges obtained when not having a UID of 0 are the inheritable set of the process restricted by the limit set.

Only privileges in the process's (observed) effective privilege set allow the process to perform restricted operations. A process can use any of the privilege manipulation functions to add or remove privileges from the privilege sets. Privileges can always be removed. Only privileges found in the permitted set can be added to the effective and inheritable set. The limit set cannot grow. The inheritable set can be larger than the permitted set.

When a process performs an exec(2), the kernel first tries to relinquish privilege awareness before making the following privilege set modifications:

    E' = P' = I' = L & I
    L is unchanged

If a process has not manipulated its privileges, the privilege sets effectively remain the same, as E, P and I are already identical.

The limit set is enforced at exec time.

To run a non-privilege-aware application in a backward-compatible manner, a privilege-aware application should start the non-privilege-aware application with I=basic.

For most privileges, absence of the privilege simply results in a failure. In some instances, the absence of a privilege can cause system calls to behave differently. In other instances, the removal of a privilege can force a set-uid application to seriously malfunction. Privileges of this type are considered "unsafe". When a process is lacking any of the unsafe privileges from its limit set, the system does not honor the set-uid bit of set-uid root applications. The following unsafe privileges have been identified: proc_setid, sys_resource and proc_audit.
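
The set rules above (observed oE/oP, becoming and relinquishing privilege awareness, the exec transition E' = P' = I' = L & I, and the unsafe-privilege check on L) as an added, runnable model in C; this is not Solaris code. Privilege names are given hypothetical bit positions, and the model keeps E within P when P shrinks, which the page does not state.

```c
/* Model of this page's privilege-set rules (added example, not Solaris code):
 * I, P, E, L as bitmasks, observed oE/oP, the PA transitions, exec's L & I. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef uint32_t privset_t;  /* one bit per privilege */

/* Hypothetical bit positions for a subset of the privileges defined above. */
enum {
    PRIV_PROC_EXEC    = 1u << 0, PRIV_PROC_FORK    = 1u << 1,
    PRIV_FILE_READ    = 1u << 2, PRIV_FILE_WRITE   = 1u << 3,
    PRIV_NET_ACCESS   = 1u << 4, PRIV_PROC_SETID   = 1u << 5,
    PRIV_PROC_AUDIT   = 1u << 6, PRIV_SYS_RESOURCE = 1u << 7,
    PRIV_NET_PRIVADDR = 1u << 8, PRIV_SYS_ADMIN    = 1u << 9,
};
#define PRIV_BASIC  (PRIV_PROC_EXEC | PRIV_PROC_FORK | PRIV_FILE_READ | \
                     PRIV_FILE_WRITE | PRIV_NET_ACCESS)
#define PRIV_ALL    ((privset_t)0x3ff)
#define PRIV_UNSAFE (PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT)
enum { SET_E = 1, SET_P = 2, SET_I = 4, SET_L = 8 };  /* which sets to touch */

struct cred {
    unsigned ruid, euid, suid;
    privset_t I, iP, iE, L;  /* inheritable, implementation P and E, limit */
    bool pa;                 /* privilege-aware? */
};

static bool any_uid0(const struct cred *c) {
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}
/* NPA: oE = euid == 0 ? L : iE;  oP = (any UID == 0) ? L : iP.  PA: iE, iP. */
privset_t observed_E(const struct cred *c) {
    return c->pa ? c->iE : (c->euid == 0 ? c->L : c->iE);
}
privset_t observed_P(const struct cred *c) {
    return c->pa ? c->iP : (any_uid0(c) ? c->L : c->iP);
}
bool has_priv(const struct cred *c, privset_t p) { return (observed_E(c) & p) == p; }

/* Becoming PA leaves oE and oP unchanged: iE = oE, iP = oP. */
void become_privilege_aware(struct cred *c) {
    privset_t oE = observed_E(c), oP = observed_P(c);
    c->iE = oE; c->iP = oP; c->pa = true;
}
/* Return to NPA, permitted only if (any UID 0 => P == L) and (euid 0 => E == L);
 * the page's assignments iE = L & I and iP = L & I then apply. */
bool relinquish_awareness(struct cred *c) {
    if (!c->pa) return true;
    if (any_uid0(c) && c->iP != c->L) return false;
    if (c->euid == 0 && c->iE != c->L) return false;
    c->pa = false;
    if (c->euid == 0) c->iE = c->L & c->I;
    if (any_uid0(c)) c->iP = c->L & c->I;
    return true;
}
/* Removal is always allowed. Touching E, P or L makes the process PA; touching
 * I alone does not. The model keeps E within P when P shrinks (assumption). */
void priv_off(struct cred *c, unsigned which, privset_t p) {
    if ((which & (SET_E | SET_P | SET_L)) && !c->pa) become_privilege_aware(c);
    if (which & (SET_E | SET_P)) c->iE &= ~p;
    if (which & SET_P) c->iP &= ~p;
    if (which & SET_I) c->I &= ~p;
    if (which & SET_L) c->L &= ~p;
}
/* Addition: only privileges in the observed P may enter E or I; P and L never grow. */
bool priv_on(struct cred *c, unsigned which, privset_t p) {
    if ((which & (SET_P | SET_L)) || (p & ~observed_P(c))) return false;
    if ((which & SET_E) && !c->pa) become_privilege_aware(c);
    if (which & SET_E) c->iE |= p;
    if (which & SET_I) c->I |= p;
    return true;
}
/* exec(2): the kernel first tries to drop awareness, then E' = P' = I' = L & I. */
void do_exec(struct cred *c) {
    (void)relinquish_awareness(c);
    c->I = c->L & c->I;
    c->iE = c->iP = c->I;
}
/* A set-uid root exec is honoured only while all "unsafe" privileges remain in L. */
bool setuid_root_honoured(const struct cred *c) {
    return (c->L & PRIV_UNSAFE) == PRIV_UNSAFE;
}

int main(void) {
    /* Constructed scenario: a root process drops proc_exec, then execs. */
    struct cred a = { 0, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
    struct cred b = a;
    priv_off(&a, SET_E | SET_P, PRIV_PROC_EXEC);  /* E and P only: L and I keep it */
    priv_off(&b, SET_P | SET_L, PRIV_PROC_EXEC);  /* P and L, as the page advises */
    do_exec(&a); do_exec(&b);
    printf("dropped from E,P: child has proc_exec = %d\n", has_priv(&a, PRIV_PROC_EXEC));
    printf("dropped from P,L: child has proc_exec = %d\n", has_priv(&b, PRIV_PROC_EXEC));
    return 0;
}
```

The two scenarios in main show why the page tells daemons to remove PRIV_PROC_EXEC from both the permitted and the limit set: dropping it from E and P alone is undone at exec, because E' is recomputed from L & I.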
833
Privilege Escalation
In certain circumstances, a single privilege could lead to a process gaining one or more additional privileges that were not explicitly granted to that process. To prevent such an escalation of privileges, the security policy requires explicit permission for those additional privileges.

Common examples of escalation are those mechanisms that allow modification of system resources through "raw" interfaces; for example, changing kernel data structures through /dev/kmem or changing files through /dev/dsk/*. Escalation also occurs when a process controls processes with more privileges than the controlling process. A special case of this is manipulating or creating objects owned by UID 0 or trying to obtain UID 0 using setuid(2). The special treatment of UID 0 is needed because UID 0 owns all system configuration files and ordinary file protection mechanisms allow processes with UID 0 to modify the system configuration. With appropriate file modifications, a given process running with an effective UID of 0 can gain all privileges.

In situations where a process might obtain UID 0, the security policy requires additional privileges, up to the full set of privileges. Such restrictions could be relaxed or removed at such time as additional mechanisms for protection of system files become available. There are no such mechanisms in the current Solaris release.

The use of UID 0 processes should be limited as much as possible. They should be replaced with programs running under a different UID but with exactly the privileges they need.

Daemons that never need to exec subprocesses should remove the PRIV_PROC_EXEC privilege from their permitted and limit sets.

Assigned Privileges and Safeguards
When privileges are assigned to a user, the system administrator could give that user more powers than intended. The administrator should consider whether safeguards are needed. For example, if the PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator should consider setting the project.max-locked-memory resource control as well, to prevent that user from locking all memory.

Privilege Debugging
When a system call fails with a permission error, it is not always immediately obvious what caused the problem. To debug such a problem, you can use a tool called privilege debugging. When privilege debugging is enabled for a process, the kernel reports missing privileges on the controlling terminal of the process. (Enable debugging for a process with the -D option of ppriv(1).) Additionally, the administrator can enable system-wide privilege debugging by setting the system(4) variable priv_debug using:

    set priv_debug = 1

On a running system, you can use mdb(1) to change this variable.

Privilege Administration
The Solaris Management Console (see smc(1M)) is the preferred method of modifying privileges for a command. Use usermod(1M) or smrole(1M) to assign privileges to or modify privileges for, respectively, a user or a role. Use ppriv(1) to enumerate the privileges supported on a system and truss(1) to determine which privileges a program requires.
901
SEE ALSO
mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M), pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2), access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2), chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2), fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2), kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2), ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2), processor_bind(2), pset_bind(2), pset_create(2), readlink(2), resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2), setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2), setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2), umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET), door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C), priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C), socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C), exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F), drv_priv(9F), priv_getbyname(9F), priv_policy(9F), priv_policy_choice(9F), priv_policy_only(9F)

System Administration Guide: Security Services

October 30, 2015 PRIVILEGES(5)