'\" te
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2015, Joyent, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PRIVILEGES 5 "Oct 30, 2015"
.SH NAME
privileges \- process privilege model
.SH DESCRIPTION
.LP
Solaris software implements a set of privileges that provide fine-grained
control over the actions of processes. The possession of a certain privilege
allows a process to perform a specific set of restricted operations.
.sp
.LP
The change to a primarily privilege-based security model in the Solaris
operating system gives developers an opportunity to restrict processes to those
privileged operations actually needed instead of all (super-user) or no
privileges (non-zero UIDs). Additionally, a set of previously unrestricted
operations now requires a privilege; these privileges are dubbed the "basic"
privileges.
.sp
.LP
The "basic" privileges, and certain privileges representing concepts not
traditionally present are, by default, given to all processes.  These are the
"default" set of privileges.
.sp
.LP
Taken together, all defined privileges with the exception of the "default"
privileges compose the set of privileges that are traditionally associated with
the root user. The "basic" privileges are "privileges" unprivileged processes
were accustomed to having, and the "default" privileges are the "basic"
privileges plus additions that unprivileged processes are not accustomed to
but should now have.
.sp
.LP
The defined privileges are:
.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_EVENT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to request reliable delivery of events to an event endpoint.
.sp
Allow a process to include events in the critical event set term of a template
which could be generated in volume by the user.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the service FMRI value of a process contract template.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to observe contract events generated by contracts created and
owned by users other than the process's effective user ID.
.sp
Allow a process to open contract event endpoints belonging to contracts created
and owned by users other than the process's effective user ID.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CPC_CPU\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to access per-CPU hardware performance counters.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_KERNEL\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace kernel-level tracing.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_PROC\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace process-level tracing. Allow process-level tracing probes to be
placed and enabled in processes to which the user has permissions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_USER\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
providers to examine processes to which the user has permissions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_CHOWN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change a file's owner user ID. Allow a process to change a
file's group ID to one other than the process's effective group ID or one of
the process's supplemental group IDs.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to give away its files. A process with this privilege runs as
if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to execute an executable file whose permission bits or ACL
would otherwise disallow the process execute permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read a file or directory whose permission bits or ACL would
otherwise disallow the process read permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to search a directory whose permission bits or ACL would not
otherwise allow the process search permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write a file or directory whose permission bits or ACL do
not allow the process write permission. All privileges are required to write
files owned by UID 0 in the absence of an effective UID of 0.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a file or directory to a
sensitivity label that does not dominate the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_FLAG_SET\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set immutable, nounlink or appendonly file attributes.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_LINK_ANY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create hardlinks to files owned by a UID different from the
process's effective UID.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process that is not the owner of a file to modify that file's access
and modification times. Allow a process that is not the owner of a directory to
modify that directory's access and modification times. Allow a process that is
not the owner of a file or directory to remove or rename a file or directory
whose parent directory has the "save text image after execution" (sticky) bit
set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
upon that file. Allow a process that is not the owner of a file or directory to
modify that file's or directory's permission bits or ACL.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to open objects in the filesystem for reading. This
privilege is not necessary to read from an already open file which was opened
before dropping the \fBPRIV_FILE_READ\fR privilege.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_SETID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change the ownership of a file or write to a file without
the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
set-group-ID bit on a file or directory whose group is not the process's
effective group or one of the process's supplemental groups. Allow a process to
set the set-user-ID bit on a file with different ownership in the presence of
\fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
a setuid 0 file.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a file or directory to a
sensitivity label that dominates the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to open objects in the filesystem for writing, or otherwise
modify them. This privilege is not necessary to write to an already open file
which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to make privileged ioctls to graphics devices. Typically only
an xserver process needs to have this privilege. A process with this privilege
is also allowed to perform privileged graphics device mappings.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_GRAPHICS_MAP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform privileged mappings through a graphics device.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
Memory Segment whose permission bits would not otherwise allow the process read
permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
Memory Segment whose permission bits would not otherwise allow the process
write permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process that is not the owner of a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
change permission bits of the Message Queue, Semaphore Set, or Shared Memory
Segment.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_ACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
privilege is not necessary to communicate using an existing endpoint already
opened before dropping the \fBPRIV_NET_ACCESS\fR privilege.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_BINDMLP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to bind to a port that is configured as a multi-level port
(MLP) for the process's zone. This privilege applies to both shared address and
zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
Extensions manual pages for information on configuring MLP ports.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_ICMPACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send and receive ICMP packets.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_MAC_AWARE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
\fBsetpflags\fR(2). This privilege also allows a process to set the
\fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
\fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
allow a local process to communicate with an unlabeled peer if the local
process's label dominates the peer's default label, or if the local process
runs in the global zone.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the \fBSO_MAC_IMPLICIT\fR option by using
\fBsetsockopt\fR(3SOCKET).  This allows a privileged process to transmit
implicitly-labeled packets to a peer.
.sp
This privilege is interpreted only if the system is configured with
Trusted Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_OBSERVABILITY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to open a device for receiving network traffic only; sending
traffic is disallowed.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_PRIVADDR\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to bind to a privileged port number. The privileged port
numbers are 1-1023 (the traditional UNIX privileged ports) as well as those
ports marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the
ports reserved for use by NFS and SMB.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_RAWACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to have direct access to the network layer.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_AUDIT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to generate audit records. Allow a process to get its own audit
pre-selection information.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_CHROOT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change its root directory.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to use high resolution timers.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_EXEC\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to call \fBexec\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_FORK\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_INFO\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to examine the status of processes other than those to which it
can send signals. Processes that cannot be examined cannot be seen in
\fB/proc\fR and appear not to exist.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to lock pages in physical memory.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_MEMINFO\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to access physical memory information.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send signals to other processes and inspect and modify the
process state in other processes, regardless of ownership. When modifying
another process, additional restrictions apply: the effective privilege set of
the attaching process must be a superset of the target process's effective,
permitted, and inheritable sets; the limit set must be a superset of the
target's limit set; if the target process has any UID set to 0 all privileges
must be asserted unless the effective UID is 0. Allow a process to bind
arbitrary processes to CPUs.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_PRIOUP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to elevate its priority above its current level.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_PRIOCNTL\fR\fR
.ad
.sp .6
.RS 4n
Allow all that \fBPRIV_PROC_PRIOUP\fR allows.
Allow a process to change its scheduling class to any scheduling class,
including the RT class.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_SESSION\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send signals or trace processes outside its session.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_SETID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set its UIDs at will; assuming UID 0 requires all privileges
to be asserted.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_TASKID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to assign a new task ID to the calling process.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_ZONE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to trace or send signals to processes in other zones. See
\fBzones\fR(5).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_ACCT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to enable, disable, and manage accounting through
\fBacct\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_ADMIN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform system administration tasks such as setting node and
domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_AUDIT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to start the (kernel) audit daemon. Allow a process to view and
set audit state (audit user ID, audit terminal ID, audit session ID, audit
pre-selection mask). Allow a process to turn off and on auditing. Allow a
process to configure the audit parameters (cache and queue sizes, event to
class mappings, and policy options).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform various system configuration tasks. Allow
filesystem-specific administrative procedures, such as filesystem configuration
ioctls, quota calls, creation and deletion of snapshots, and manipulating the
PCFS bootsector.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_DEVICES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create device special files. Allow a process to successfully
call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
for allowed access. Allow a process to open the real console device directly.
Allow a process to open devices that have been exclusively opened.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_DL_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure a system's datalink interfaces.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_IP_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure a system's IP interfaces and routes. Allow a
process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
a process access to otherwise restricted \fBTCP/IP\fR information using
\fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
anchored \fBSTREAMS\fR modules with matching \fBzoneid\fR.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to increase the size of a System V IPC Message Queue buffer.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure IP tunnel links.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_LINKDIR\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to unlink and link directories.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_MOUNT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to mount and unmount filesystems that would otherwise be
restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
add and remove swap devices.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_NET_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
\fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
modules on locations other than the top of the module stack.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_NFS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to provide NFS service: start NFS kernel threads, perform NFS
locking operations, bind to NFS reserved ports: port 2049 (\fBnfs\fR) and port
4045 (\fBlockd\fR).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create, configure, and destroy PPP instances with
\fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M).
This privilege is granted by default to exclusive IP stack instance zones.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RES_BIND\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to bind processes to processor sets.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RES_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow all that \fBPRIV_SYS_RES_BIND\fR allows.
Allow a process to create and delete processor sets, assign CPUs to processor
sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
process to configure filesystem quotas. Allow a process to configure resource
pools and bind processes to pools.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RESOURCE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to exceed the resource limits imposed on it by
\fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_SMB\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
(SMB).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to successfully call a third party loadable module that calls
the kernel \fBsuser()\fR function to check for allowed access. This privilege
exists only for third party loadable module compatibility and is not used by
Solaris proper.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_TIME\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to manipulate system time using any of the appropriate system
calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to translate labels that are not dominated by the process's
sensitivity label to and from an external string form.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_VIRT_MANAGE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to manage virtualized environments such as \fBxVM\fR(5).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_COLORMAP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to override colormap restrictions.
.sp
Allow a process to install or remove colormaps.
.sp
Allow a process to retrieve colormap cell entries allocated by other processes.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure or destroy resources that are permanently retained
by the X server.
.sp
Allow a process to use SetScreenSaver to set the screen saver timeout value.
.sp
Allow a process to use ChangeHosts to modify the display access control list.
.sp
Allow a process to use GrabServer.
.sp
Allow a process to use the SetCloseDownMode request that can retain window,
pixmap, colormap, property, cursor, font, or graphic context resources.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read from a window resource that it does not own (has a
different user ID).
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write to or create a window resource that it does not own
(has a different user ID). A newly created window property is created with the
window's user ID.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DEVICES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform operations on window input devices.
.sp
Allow a process to get and set keyboard and pointer controls.
.sp
Allow a process to modify pointer button and key mappings.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DGA\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to use the direct graphics access (DGA) X protocol extensions.
Direct process access to the frame buffer is still required. Thus the process
must have MAC and DAC privileges that allow access to the frame buffer, or the
frame buffer must be allocated to the process.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a window resource to a
sensitivity label that does not dominate the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_FONTPATH\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set a font path.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_MAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read from a window resource whose sensitivity label is not
equal to the process sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_MAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create a window resource whose sensitivity label is not
equal to the process sensitivity label. A newly created window property is
created with the window's sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_SELECTION\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to request inter-window data moves without the intervention of
the selection confirmer.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a window resource to a
sensitivity label that dominates the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_XVM_CONTROL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process access to the \fBxVM\fR(5) control devices for managing guest
domains and the hypervisor. This privilege is used only if booted into xVM on
x86 platforms.
.RE

1080 .sp
1081 .LP
1082 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1083 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1084 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1085 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1086 that used to be always available to unprivileged processes. By default,
1087 processes still have the basic privileges.
1088 .sp
1089 .LP
1090 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1091 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1092 to be successful, that is, get an effective UID of 0 and additional privileges.
1093 .sp
1094 .LP
1095 The privilege implementation in Solaris extends the process credential with
1096 four privilege sets:
1097 .sp
1098 .ne 2
1099 .na
1100 \fBI, the inheritable set\fR
1101 .ad
1102 .RS 26n
1103 The privileges inherited on \fBexec\fR.
1104 .RE
1105 
1106 .sp
1107 .ne 2
1108 .na
1109 \fBP, the permitted set\fR
1110 .ad
1111 .RS 26n
1112 The maximum set of privileges for the process.
1113 .RE
1114 
1115 .sp
1116 .ne 2
1117 .na
1118 \fBE, the effective set\fR
1119 .ad
1120 .RS 26n
1121 The privileges currently in effect.
1122 .RE
1123 
1124 .sp
1125 .ne 2
1126 .na
1127 \fBL, the limit set\fR
1128 .ad
1129 .RS 26n
1130 The upper bound of the privileges a process and its offspring can obtain.
1131 Changes to L take effect on the next \fBexec\fR.
1132 .RE
1133 
1134 .sp
1135 .LP
1136 The sets I, P and E are typically identical to the basic set of privileges for
1137 unprivileged processes. The limit set is typically the full set of privileges.
1138 .sp
1139 .LP
1140 Each process has a Privilege Awareness State (PAS) that can take the value PA
1141 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1142 a choice between full compatibility with the old superuser model and completely
1143 ignoring the effective UID.
1144 .sp
1145 .LP
1146 To facilitate the discussion, we introduce the notion of "observed effective
1147 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1148 iP.
.sp
.LP
A process becomes privilege-aware either by manipulating the effective,
permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
\fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
becoming privilege-aware. In the process of becoming privilege-aware, the
following assignments take place:
.sp
.in +2
.nf
iE = oE
iP = oP
.fi
.in -2

.sp
.LP
When a process is privilege-aware, oE and oP are invariant under UID changes.
When a process is not privilege-aware, oE and oP are observed as follows:
.sp
.in +2
.nf
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
.fi
.in -2

.sp
.LP
When a non-privilege-aware process has an effective UID of 0, it can exercise
the privileges contained in its limit set, the upper bound of its privileges.
If any of the UIDs of a non-privilege-aware process is 0, it appears to be
capable of potentially exercising all privileges in L.
.sp
.LP
It is possible for a process to return to the non-privilege-aware state using
\fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
operation is permitted only if the following conditions are met:
.RS +4
.TP
.ie t \(bu
.el o
If any of the UIDs is equal to 0, P must be equal to L.
.RE
.RS +4
.TP
.ie t \(bu
.el o
If the effective UID is equal to 0, E must be equal to L.
.RE
.sp
.LP
.LP
When a process gives up privilege awareness, the following assignments take
place:
.sp
.in +2
.nf
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
.fi
.in -2

.sp
.LP
The privileges obtained when not having a UID of \fB0\fR are the inheritable
set of the process restricted by the limit set.
.sp
.LP
Only privileges in the process's (observed) effective privilege set allow the
process to perform restricted operations. A process can use any of the
privilege manipulation functions to add or remove privileges from the privilege
sets. Privileges can be removed always. Only privileges found in the permitted
set can be added to the effective and inheritable set. The limit set cannot
grow. The inheritable set can be larger than the permitted set.
.sp
.LP
When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
privilege awareness before making the following privilege set modifications:
.sp
.in +2
.nf
E' = P' = I' = L & I
L is unchanged
.fi
.in -2

.sp
.LP
If a process has not manipulated its privileges, the privilege sets effectively
remain the same, as E, P and I are already identical.
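.sp
.LP
The following C program models the awareness-state rules and the \fBexec\fR(2)
transformation described above. It is an added illustration, not kernel code:
privilege sets are toy bit masks, and \fBBASIC\fR and \fBALL\fR are constructed
stand-ins for the basic and full sets.

```c
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>

/* Toy model: one bit per privilege (not the kernel's priv_set_t). */
typedef uint32_t privset_t;
#define BASIC 0x0000000Fu   /* constructed stand-in for the basic set */
#define ALL   0xFFFFFFFFu   /* constructed stand-in for the full set  */

typedef struct {
	privset_t I, iP, iE, L;   /* inheritable, implementation P/E, limit */
	uid_t ruid, euid, suid;
	bool pa;                  /* Privilege Awareness State, true = PA */
} proc_t;

static bool any_uid0(const proc_t *p) {
	return p->euid == 0 || p->ruid == 0 || p->suid == 0;
}
/* oE and oP equal iE/iP when PA; when NPA, a UID of 0 exposes L. */
privset_t observed_E(const proc_t *p) {
	return (!p->pa && p->euid == 0) ? p->L : p->iE;
}
privset_t observed_P(const proc_t *p) {
	return (!p->pa && any_uid0(p)) ? p->L : p->iP;
}
/* Becoming PA: iE = oE, iP = oP, so the observed sets do not change. */
void become_aware(proc_t *p) {
	p->iE = observed_E(p);
	p->iP = observed_P(p);
	p->pa = true;
}

/* Dropping PA is refused unless a UID 0 process still holds all of L. */
bool relinquish_awareness(proc_t *p) {
	if (!p->pa) return true;
	if (any_uid0(p) && p->iP != p->L) return false;
	if (p->euid == 0 && p->iE != p->L) return false;
	if (p->euid == 0) p->iE = p->L & p->I;
	if (any_uid0(p)) p->iP = p->L & p->I;
	p->pa = false;
	return true;
}

/* exec(2): try to drop PA, then E' = P' = I' = L & I; L is unchanged. */
void do_exec(proc_t *p) {
	(void)relinquish_awareness(p);
	p->I &= p->L;
	p->iE = p->iP = p->I;
}
```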
.sp
.LP
The limit set is enforced at \fBexec\fR time.
.sp
.LP
To run a non-privilege-aware application in a backward-compatible manner, a
privilege-aware application should start the non-privilege-aware application
with I=basic.
.sp
.LP
For most privileges, absence of the privilege simply results in a failure. In
some instances, the absence of a privilege can cause system calls to behave
differently. In other instances, the removal of a privilege can force a set-uid
application to seriously malfunction. Privileges of this type are considered
"unsafe". When a process is lacking any of the unsafe privileges from its limit
set, the system does not honor the set-uid bit of set-uid root applications.
The following unsafe privileges have been identified: \fBproc_setid\fR,
\fBsys_resource\fR and \fBproc_audit\fR.
.SS "Privilege Escalation"
.LP
In certain circumstances, a single privilege could lead to a process gaining
one or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
.sp
.LP
Common examples of escalation are those mechanisms that allow modification of
system resources through "raw" interfaces; for example, changing kernel data
structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
Escalation also occurs when a process controls processes with more privileges
than the controlling process. A special case of this is manipulating or
creating objects owned by UID 0 or trying to obtain UID 0 using
\fBsetuid\fR(2). The special treatment of UID 0 is needed because UID 0
owns all system configuration files and ordinary file protection mechanisms
allow processes with UID 0 to modify the system configuration. With appropriate
file modifications, a given process running with an effective UID of 0 can gain
all privileges.
.sp
.LP
In situations where a process might obtain UID 0, the security policy requires
additional privileges, up to the full set of privileges. Such restrictions
could be relaxed or removed at such time as additional mechanisms for
protection of system files became available. There are no such mechanisms in
the current Solaris release.
.sp
.LP
The use of UID 0 processes should be limited as much as possible. They should
be replaced with programs running under a different UID but with exactly the
privileges they need.
.sp
.LP
Daemons that never need to \fBexec\fR subprocesses should remove the
\fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
.SS "Assigned Privileges and Safeguards"
.LP
When privileges are assigned to a user, the system administrator could give
that user more powers than intended. The administrator should consider whether
safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
privilege is given to a user, the administrator should consider setting the
\fBproject.max-locked-memory\fR resource control as well, to prevent that user
from locking all memory.
.SS "Privilege Debugging"
.LP
When a system call fails with a permission error, it is not always immediately
obvious what caused the problem. To debug such a problem, you can use a tool
called \fBprivilege debugging\fR. When privilege debugging is enabled for a
process, the kernel reports missing privileges on the controlling terminal of
the process. (Enable debugging for a process with the \fB-D\fR option of
\fBppriv\fR(1).) Additionally, the administrator can enable system-wide
privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
using:
.sp
.in +2
.nf
set priv_debug = 1
.fi
.in -2

.sp
.LP
On a running system, you can use \fBmdb\fR(1) to change this variable.
.SS "Privilege Administration"
.LP
The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
modifying privileges for a command. Use \fBusermod\fR(1M) to assign privileges
to a user and \fBsmrole\fR(1M) to modify the privileges of a role. Use
\fBppriv\fR(1) to enumerate the privileges supported on a system and
\fBtruss\fR(1) to determine which privileges a program requires.
.SH SEE ALSO
.LP
\fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
\fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
\fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
\fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
\fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
\fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
\fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
\fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
\fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
\fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
\fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
\fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
\fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
\fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
\fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
\fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
\fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
\fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
\fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
\fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
\fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
\fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
\fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
\fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
\fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
\fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
\fBpriv_policy_only\fR(9F)
.sp
.LP
\fISystem Administration Guide: Security Services\fR