PRIVILEGES(5)          Standards, Environments, and Macros         PRIVILEGES(5)

NAME
     privileges - process privilege model

DESCRIPTION
     Solaris software implements a set of privileges that provide fine-grained
     control over the actions of processes. The possession of a certain
     privilege allows a process to perform a specific set of restricted
     operations.

     The change to a primarily privilege-based security model in the Solaris
     operating system gives developers an opportunity to restrict processes to
     those privileged operations actually needed instead of all (super-user)
     or no privileges (non-zero UIDs). Additionally, a set of previously
     unrestricted operations now requires a privilege; these privileges are
     dubbed the "basic" privileges and are by default given to all processes.

     Taken together, all defined privileges with the exception of the "basic"
     privileges compose the set of privileges that are traditionally
     associated with the root user. The "basic" privileges are "privileges"
     unprivileged processes were accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT
             Allow a process to request reliable delivery of events to an
             event endpoint.

             Allow a process to include events in the critical event set term
             of a template which could be generated in volume by the user.

     PRIV_CONTRACT_IDENTITY
             Allows a process to set the service FMRI value of a process
             contract template.

     PRIV_CONTRACT_OBSERVER
             Allow a process to observe contract events generated by contracts
             created and owned by users other than the process's effective
             user ID.

             Allow a process to open contract event endpoints belonging to
             contracts created and owned by users other than the process's
             effective user ID.

     PRIV_CPC_CPU
             Allow a process to access per-CPU hardware performance counters.

     PRIV_DTRACE_KERNEL
             Allow DTrace kernel-level tracing.

     PRIV_DTRACE_PROC
             Allow DTrace process-level tracing.
             Allow process-level tracing probes to be placed and enabled in
             processes to which the user has permissions.

     PRIV_DTRACE_USER
             Allow DTrace user-level tracing.

             Allow use of the syscall and profile DTrace providers to examine
             processes to which the user has permissions.

     PRIV_FILE_CHOWN
             Allow a process to change a file's owner user ID.

             Allow a process to change a file's group ID to one other than the
             process's effective group ID or one of the process's supplemental
             group IDs.

     PRIV_FILE_CHOWN_SELF
             Allow a process to give away its files. A process with this
             privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

     PRIV_FILE_DAC_EXECUTE
             Allow a process to execute an executable file whose permission
             bits or ACL would otherwise disallow the process execute
             permission.

     PRIV_FILE_DAC_READ
             Allow a process to read a file or directory whose permission bits
             or ACL would otherwise disallow the process read permission.

     PRIV_FILE_DAC_SEARCH
             Allow a process to search a directory whose permission bits or
             ACL would not otherwise allow the process search permission.

     PRIV_FILE_DAC_WRITE
             Allow a process to write a file or directory whose permission
             bits or ACL do not allow the process write permission. All
             privileges are required to write files owned by UID 0 in the
             absence of an effective UID of 0.

     PRIV_FILE_DOWNGRADE_SL
             Allow a process to set the sensitivity label of a file or
             directory to a sensitivity label that does not dominate the
             existing sensitivity label. This privilege is interpreted only if
             the system is configured with Trusted Extensions.

     PRIV_FILE_FLAG_SET
             Allows a process to set immutable, nounlink or appendonly file
             attributes.

     PRIV_FILE_LINK_ANY
             Allow a process to create hardlinks to files owned by a UID
             different from the process's effective UID.
     PRIV_FILE_OWNER
             Allow a process that is not the owner of a file to modify that
             file's access and modification times.

             Allow a process that is not the owner of a directory to modify
             that directory's access and modification times.

             Allow a process that is not the owner of a file or directory to
             remove or rename a file or directory whose parent directory has
             the "save text image after execution" (sticky) bit set.

             Allow a process that is not the owner of a file to mount a namefs
             upon that file.

             Allow a process that is not the owner of a file or directory to
             modify that file's or directory's permission bits or ACL.

     PRIV_FILE_READ
             Allow a process to open objects in the filesystem for reading.
             This privilege is not necessary to read from an already open file
             which was opened before dropping the PRIV_FILE_READ privilege.

     PRIV_FILE_SETID
             Allow a process to change the ownership of a file or write to a
             file without the set-user-ID and set-group-ID bits being cleared.

             Allow a process to set the set-group-ID bit on a file or
             directory whose group is not the process's effective group or one
             of the process's supplemental groups.

             Allow a process to set the set-user-ID bit on a file with
             different ownership in the presence of PRIV_FILE_OWNER.
             Additional restrictions apply when creating or modifying a
             setuid 0 file.

     PRIV_FILE_UPGRADE_SL
             Allow a process to set the sensitivity label of a file or
             directory to a sensitivity label that dominates the existing
             sensitivity label. This privilege is interpreted only if the
             system is configured with Trusted Extensions.

     PRIV_FILE_WRITE
             Allow a process to open objects in the filesystem for writing, or
             otherwise modify them. This privilege is not necessary to write
             to an already open file which was opened before dropping the
             PRIV_FILE_WRITE privilege.
     PRIV_GRAPHICS_ACCESS
             Allow a process to make privileged ioctls to graphics devices.
             Typically only an xserver process needs to have this privilege.
             A process with this privilege is also allowed to perform
             privileged graphics device mappings.

     PRIV_GRAPHICS_MAP
             Allow a process to perform privileged mappings through a graphics
             device.

     PRIV_IPC_DAC_READ
             Allow a process to read a System V IPC Message Queue, Semaphore
             Set, or Shared Memory Segment whose permission bits would not
             otherwise allow the process read permission.

     PRIV_IPC_DAC_WRITE
             Allow a process to write a System V IPC Message Queue, Semaphore
             Set, or Shared Memory Segment whose permission bits would not
             otherwise allow the process write permission.

     PRIV_IPC_OWNER
             Allow a process that is not the owner of a System V IPC Message
             Queue, Semaphore Set, or Shared Memory Segment to remove, change
             ownership of, or change permission bits of the Message Queue,
             Semaphore Set, or Shared Memory Segment.

     PRIV_NET_ACCESS
             Allow a process to open a TCP, UDP, SDP, or SCTP network
             endpoint. This privilege is not necessary to communicate using an
             existing endpoint already opened before dropping the
             PRIV_NET_ACCESS privilege.

     PRIV_NET_BINDMLP
             Allow a process to bind to a port that is configured as a
             multi-level port (MLP) for the process's zone. This privilege
             applies to both shared address and zone-specific address MLPs.
             See tnzonecfg(4) from the Trusted Extensions manual pages for
             information on configuring MLP ports. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_NET_ICMPACCESS
             Allow a process to send and receive ICMP packets.

     PRIV_NET_MAC_AWARE
             Allow a process to set the NET_MAC_AWARE process flag by using
             setpflags(2).
             This privilege also allows a process to set the SO_MAC_EXEMPT
             socket option by using setsockopt(3SOCKET). The NET_MAC_AWARE
             process flag and the SO_MAC_EXEMPT socket option both allow a
             local process to communicate with an unlabeled peer if the local
             process's label dominates the peer's default label, or if the
             local process runs in the global zone. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_NET_MAC_IMPLICIT
             Allow a process to set the SO_MAC_IMPLICIT option by using
             setsockopt(3SOCKET). This allows a privileged process to transmit
             implicitly-labeled packets to a peer. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_NET_OBSERVABILITY
             Allow a process to open a device for just receiving network
             traffic; sending traffic is disallowed.

     PRIV_NET_PRIVADDR
             Allow a process to bind to a privileged port number. The
             privileged port numbers are 1-1023 (the traditional UNIX
             privileged ports) as well as those ports marked as
             "udp/tcp_extra_priv_ports", with the exception of the ports
             reserved for use by NFS and SMB.

     PRIV_NET_RAWACCESS
             Allow a process to have direct access to the network layer.

     PRIV_PROC_AUDIT
             Allow a process to generate audit records.

             Allow a process to get its own audit pre-selection information.

     PRIV_PROC_CHROOT
             Allow a process to change its root directory.

     PRIV_PROC_CLOCK_HIGHRES
             Allow a process to use high resolution timers.

     PRIV_PROC_EXEC
             Allow a process to call exec(2).

     PRIV_PROC_FORK
             Allow a process to call fork(2), fork1(2), or vfork(2).

     PRIV_PROC_INFO
             Allow a process to examine the status of processes other than
             those to which it can send signals.
             Processes that cannot be examined cannot be seen in /proc and
             appear not to exist.

     PRIV_PROC_LOCK_MEMORY
             Allow a process to lock pages in physical memory.

     PRIV_PROC_MEMINFO
             Allow a process to access physical memory information.

     PRIV_PROC_OWNER
             Allow a process to send signals to other processes and inspect
             and modify the process state in other processes, regardless of
             ownership.

             When modifying another process, additional restrictions apply:
             the effective privilege set of the attaching process must be a
             superset of the target process's effective, permitted, and
             inheritable sets; the limit set must be a superset of the
             target's limit set; if the target process has any UID set to 0
             all privilege must be asserted unless the effective UID is 0.

             Allow a process to bind arbitrary processes to CPUs.

     PRIV_PROC_PRIOUP
             Allow a process to elevate its priority above its current level.

     PRIV_PROC_PRIOCNTL
             Allows all that PRIV_PROC_PRIOUP allows.

             Allow a process to change its scheduling class to any scheduling
             class, including the RT class.

     PRIV_PROC_SECFLAGS
             Allow a process to manipulate the secflags of processes (subject
             to, additionally, the ability to signal that process).

     PRIV_PROC_SESSION
             Allow a process to send signals or trace processes outside its
             session.

     PRIV_PROC_SETID
             Allow a process to set its UIDs at will, assuming UID 0 requires
             all privileges to be asserted.

     PRIV_PROC_TASKID
             Allow a process to assign a new task ID to the calling process.

     PRIV_PROC_ZONE
             Allow a process to trace or send signals to processes in other
             zones. See zones(5).

     PRIV_SYS_ACCT
             Allow a process to enable and disable and manage accounting
             through acct(2).
     PRIV_SYS_ADMIN
             Allow a process to perform system administration tasks such as
             setting node and domain name and specifying coreadm(1M) and
             nscd(1M) settings.

     PRIV_SYS_AUDIT
             Allow a process to start the (kernel) audit daemon.

             Allow a process to view and set audit state (audit user ID, audit
             terminal ID, audit sessions ID, audit pre-selection mask).

             Allow a process to turn off and on auditing.

             Allow a process to configure the audit parameters (cache and
             queue sizes, event to class mappings, and policy options).

     PRIV_SYS_CONFIG
             Allow a process to perform various system configuration tasks.

             Allow filesystem-specific administrative procedures, such as
             filesystem configuration ioctls, quota calls, creation and
             deletion of snapshots, and manipulating the PCFS bootsector.

     PRIV_SYS_DEVICES
             Allow a process to create device special files.

             Allow a process to successfully call a kernel module that calls
             the kernel drv_priv(9F) function to check for allowed access.

             Allow a process to open the real console device directly.

             Allow a process to open devices that have been exclusively
             opened.

     PRIV_SYS_DL_CONFIG
             Allow a process to configure a system's datalink interfaces.

     PRIV_SYS_IP_CONFIG
             Allow a process to configure a system's IP interfaces and routes.

             Allow a process to configure network parameters for TCP/IP using
             ndd.

             Allow a process access to otherwise restricted TCP/IP information
             using ndd.

             Allow a process to configure IPsec.

             Allow a process to pop anchored STREAMs modules with matching
             zoneid.

     PRIV_SYS_IPC_CONFIG
             Allow a process to increase the size of a System V IPC Message
             Queue buffer.

     PRIV_SYS_IPTUN_CONFIG
             Allow a process to configure IP tunnel links.

     PRIV_SYS_LINKDIR
             Allow a process to unlink and link directories.
     PRIV_SYS_MOUNT
             Allow a process to mount and unmount filesystems that would
             otherwise be restricted (that is, most filesystems except
             namefs).

             Allow a process to add and remove swap devices.

     PRIV_SYS_NET_CONFIG
             Allow a process to do all that PRIV_SYS_IP_CONFIG,
             PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
             following: use the rpcmod STREAMS module and insert/remove
             STREAMS modules on locations other than the top of the module
             stack.

     PRIV_SYS_NFS
             Allow a process to provide NFS service: start NFS kernel threads,
             perform NFS locking operations, bind to NFS reserved ports: ports
             2049 (nfs) and port 4045 (lockd).

     PRIV_SYS_PPP_CONFIG
             Allow a process to create, configure, and destroy PPP instances
             with pppd(1M) and control PPPoE plumbing with sppptun(1M). This
             privilege is granted by default to exclusive IP stack instance
             zones.

     PRIV_SYS_RES_BIND
             Allows a process to bind processes to processor sets.

     PRIV_SYS_RES_CONFIG
             Allows all that PRIV_SYS_RES_BIND allows.

             Allow a process to create and delete processor sets, assign CPUs
             to processor sets and override the PSET_NOESCAPE property.

             Allow a process to change the operational status of CPUs in the
             system using p_online(2).

             Allow a process to configure filesystem quotas.

             Allow a process to configure resource pools and bind processes
             to pools.

     PRIV_SYS_RESOURCE
             Allow a process to exceed the resource limits imposed on it by
             setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB
             Allow a process to provide NetBIOS or SMB services: start SMB
             kernel threads or bind to NetBIOS or SMB reserved ports: ports
             137, 138, 139 (NetBIOS) and 445 (SMB).
     PRIV_SYS_SUSER_COMPAT
             Allow a process to successfully call a third party loadable
             module that calls the kernel suser() function to check for
             allowed access. This privilege exists only for third party
             loadable module compatibility and is not used by Solaris proper.

     PRIV_SYS_TIME
             Allow a process to manipulate system time using any of the
             appropriate system calls: stime(2), adjtime(2), and
             ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL
             Allow a process to translate labels that are not dominated by
             the process's sensitivity label to and from an external string
             form. This privilege is interpreted only if the system is
             configured with Trusted Extensions.

     PRIV_VIRT_MANAGE
             Allows a process to manage virtualized environments such as
             xVM(5).

     PRIV_WIN_COLORMAP
             Allow a process to override colormap restrictions.

             Allow a process to install or remove colormaps.

             Allow a process to retrieve colormap cell entries allocated by
             other processes.

             This privilege is interpreted only if the system is configured
             with Trusted Extensions.

     PRIV_WIN_CONFIG
             Allow a process to configure or destroy resources that are
             permanently retained by the X server.

             Allow a process to use SetScreenSaver to set the screen saver
             timeout value.

             Allow a process to use ChangeHosts to modify the display access
             control list.

             Allow a process to use GrabServer.

             Allow a process to use the SetCloseDownMode request that can
             retain window, pixmap, colormap, property, cursor, font, or
             graphic context resources.

             This privilege is interpreted only if the system is configured
             with Trusted Extensions.

     PRIV_WIN_DAC_READ
             Allow a process to read from a window resource that it does not
             own (has a different user ID). This privilege is interpreted
             only if the system is configured with Trusted Extensions.
     PRIV_WIN_DAC_WRITE
             Allow a process to write to or create a window resource that it
             does not own (has a different user ID). A newly created window
             property is created with the window's user ID. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_WIN_DEVICES
             Allow a process to perform operations on window input devices.

             Allow a process to get and set keyboard and pointer controls.

             Allow a process to modify pointer button and key mappings.

             This privilege is interpreted only if the system is configured
             with Trusted Extensions.

     PRIV_WIN_DGA
             Allow a process to use the direct graphics access (DGA) X
             protocol extensions. Direct process access to the frame buffer
             is still required. Thus the process must have MAC and DAC
             privileges that allow access to the frame buffer, or the frame
             buffer must be allocated to the process. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_WIN_DOWNGRADE_SL
             Allow a process to set the sensitivity label of a window
             resource to a sensitivity label that does not dominate the
             existing sensitivity label. This privilege is interpreted only
             if the system is configured with Trusted Extensions.

     PRIV_WIN_FONTPATH
             Allow a process to set a font path. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_WIN_MAC_READ
             Allow a process to read from a window resource whose sensitivity
             label is not equal to the process sensitivity label. This
             privilege is interpreted only if the system is configured with
             Trusted Extensions.

     PRIV_WIN_MAC_WRITE
             Allow a process to create a window resource whose sensitivity
             label is not equal to the process sensitivity label. A newly
             created window property is created with the window's sensitivity
             label. This privilege is interpreted only if the system is
             configured with Trusted Extensions.
     PRIV_WIN_SELECTION
             Allow a process to request inter-window data moves without the
             intervention of the selection confirmer. This privilege is
             interpreted only if the system is configured with Trusted
             Extensions.

     PRIV_WIN_UPGRADE_SL
             Allow a process to set the sensitivity label of a window
             resource to a sensitivity label that dominates the existing
             sensitivity label. This privilege is interpreted only if the
             system is configured with Trusted Extensions.

     PRIV_XVM_CONTROL
             Allows a process access to the xVM(5) control devices for
             managing guest domains and the hypervisor. This privilege is
             used only if booted into xVM on x86 platforms.

     Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
     PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
     PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
     "basic" privileges. These are privileges that used to be always
     available to unprivileged processes. By default, processes still have
     the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
     the Limit set (see below) of a process in order for set-uid root execs
     to be successful, that is, get an effective UID of 0 and additional
     privileges.

     The privilege implementation in Solaris extends the process credential
     with four privilege sets:

     I, the inheritable set
             The privileges inherited on exec.

     P, the permitted set
             The maximum set of privileges for the process.

     E, the effective set
             The privileges currently in effect.

     L, the limit set
             The upper bound of the privileges a process and its offspring
             can obtain. Changes to L take effect on the next exec.
     The sets I, P and E are typically identical to the basic set of
     privileges for unprivileged processes. The limit set is typically the
     full set of privileges.

     Each process has a Privilege Awareness State (PAS) that can take the
     value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
     mechanism that allows a choice between full compatibility with the old
     superuser model and completely ignoring the effective UID.

     To facilitate the discussion, we introduce the notion of "observed
     effective set" (oE) and "observed permitted set" (oP) and the
     implementation sets iE and iP.

     A process becomes privilege-aware either by manipulating the effective,
     permitted, or limit privilege sets through setppriv(2) or by using
     setpflags(2). In all cases, oE and oP are invariant in the process of
     becoming privilege-aware. In the process of becoming privilege-aware,
     the following assignments take place:

             iE = oE
             iP = oP

     When a process is privilege-aware, oE and oP are invariant under UID
     changes. When a process is not privilege-aware, oE and oP are observed
     as follows:

             oE = euid == 0 ? L : iE
             oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

     When a non-privilege-aware process has an effective UID of 0, it can
     exercise the privileges contained in its limit set, the upper bound of
     its privileges. If a non-privilege-aware process has any of the UIDs 0,
     it appears to be capable of potentially exercising all privileges in L.

     It is possible for a process to return to the non-privilege aware state
     using setpflags(). The kernel always attempts this on exec(2). This
     operation is permitted only if the following conditions are met:

     o   If any of the UIDs is equal to 0, P must be equal to L.

     o   If the effective UID is equal to 0, E must be equal to L.
     When a process gives up privilege awareness, the following assignments
     take place:

             if (euid == 0) iE = L & I
             if (any uid == 0) iP = L & I

     The privileges obtained when not having a UID of 0 are the inheritable
     set of the process restricted by the limit set.

     Only privileges in the process's (observed) effective privilege set
     allow the process to perform restricted operations. A process can use
     any of the privilege manipulation functions to add or remove privileges
     from the privilege sets. Privileges can be removed always. Only
     privileges found in the permitted set can be added to the effective and
     inheritable set. The limit set cannot grow. The inheritable set can be
     larger than the permitted set.

     When a process performs an exec(2), the kernel first tries to relinquish
     privilege awareness before making the following privilege set
     modifications:

             E' = P' = I' = L & I
             L is unchanged

     If a process has not manipulated its privileges, the privilege sets
     effectively remain the same, as E, P and I are already identical.

     The limit set is enforced at exec time.

     To run a non-privilege-aware application in a backward-compatible
     manner, a privilege-aware application should start the
     non-privilege-aware application with I=basic.

     For most privileges, absence of the privilege simply results in a
     failure. In some instances, the absence of a privilege can cause system
     calls to behave differently. In other instances, the removal of a
     privilege can force a set-uid application to seriously malfunction.
     Privileges of this type are considered "unsafe". When a process is
     lacking any of the unsafe privileges from its limit set, the system does
     not honor the set-uid bit of set-uid root applications. The following
     unsafe privileges have been identified: proc_setid, sys_resource and
     proc_audit.
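     The set algebra above (observed sets, becoming and relinquishing
     privilege awareness, the add/remove rules, and the exec transition),
     carried through as an added worked example. This is not code from the
     manual or from Solaris: it models the rules with bitmasks over an
     illustrative twelve-privilege subset, so it builds on any C compiler
     without <priv.h>. The bit positions, the struct proc record, and the
     function names are this example's own; the only rule the model adds is
     that dropping a privilege from P also drops it from E, so that E never
     exceeds P. The main() walks through the advice given under Privilege
     Escalation below: a UID-0 daemon that never execs removes PRIV_PROC_EXEC
     from its permitted and limit sets, after which the privilege cannot be
     re-added to E.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;   /* one bit per privilege */

/* Illustrative subset of privileges(5); the bit positions are this model's own. */
enum {
    PRIV_PROC_EXEC     = 1u << 0,  PRIV_PROC_FORK    = 1u << 1,
    PRIV_PROC_INFO     = 1u << 2,  PRIV_PROC_SESSION = 1u << 3,
    PRIV_FILE_LINK_ANY = 1u << 4,  PRIV_FILE_READ    = 1u << 5,
    PRIV_FILE_WRITE    = 1u << 6,  PRIV_NET_ACCESS   = 1u << 7,
    PRIV_NET_PRIVADDR  = 1u << 8,  PRIV_PROC_SETID   = 1u << 9,
    PRIV_SYS_RESOURCE  = 1u << 10, PRIV_PROC_AUDIT   = 1u << 11,
    PRIV_MODEL_COUNT   = 12
};
#define PRIV_BASIC  (PRIV_PROC_EXEC | PRIV_PROC_FORK | PRIV_PROC_INFO | PRIV_PROC_SESSION | \
                     PRIV_FILE_LINK_ANY | PRIV_FILE_READ | PRIV_FILE_WRITE | PRIV_NET_ACCESS)
#define PRIV_ALL    ((privset_t)((1u << PRIV_MODEL_COUNT) - 1))
#define PRIV_UNSAFE (PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT)

enum privset_id { SET_E, SET_P, SET_I, SET_L };

struct proc {                 /* hypothetical credential record for the model */
    int ruid, euid, suid;     /* real, effective and saved UIDs */
    bool pa;                  /* privilege-aware (PA) or not (NPA) */
    privset_t iE, iP, I, L;   /* implementation sets iE and iP, plus I and L */
};

static bool any_uid_zero(const struct proc *p) { return p->ruid == 0 || p->euid == 0 || p->suid == 0; }

/* Observed sets: an NPA process with euid 0 sees L as E; with any UID 0 it sees L as P. */
privset_t observed_E(const struct proc *p) { return (!p->pa && p->euid == 0) ? p->L : p->iE; }
privset_t observed_P(const struct proc *p) { return (!p->pa && any_uid_zero(p)) ? p->L : p->iP; }

/* Becoming PA keeps oE and oP invariant: iE = oE, iP = oP. */
void become_aware(struct proc *p)
{
    privset_t e = observed_E(p), pp = observed_P(p);
    p->iE = e; p->iP = pp; p->pa = true;
}

/* Return to NPA: refused unless a UID-0 process already holds all of L;
 * on success a UID-0 process falls back to L & I. */
bool relinquish_awareness(struct proc *p)
{
    if (!p->pa) return true;
    if (any_uid_zero(p) && p->iP != p->L) return false;
    if (p->euid == 0 && p->iE != p->L) return false;
    if (p->euid == 0) p->iE = p->L & p->I;
    if (any_uid_zero(p)) p->iP = p->L & p->I;
    p->pa = false;
    return true;
}

/* Removal is always allowed; touching E, P or L makes the process PA. Model
 * assumption: dropping from P also drops from E so that E never exceeds P.
 * A smaller L only takes effect at the next exec. */
void priv_remove(struct proc *p, enum privset_id which, privset_t s)
{
    if (which != SET_I) become_aware(p);
    switch (which) {
    case SET_E: p->iE &= ~s; break;
    case SET_P: p->iP &= ~s; p->iE &= ~s; break;
    case SET_I: p->I  &= ~s; break;
    case SET_L: p->L  &= ~s; break;
    }
}

/* Only privileges already in P may enter E or I; P and L never grow. */
bool priv_add(struct proc *p, enum privset_id which, privset_t s)
{
    if (which == SET_P || which == SET_L) return false;
    if ((s & observed_P(p)) != s) return false;
    if (which == SET_E) { become_aware(p); p->iE |= s; } else { p->I |= s; }
    return true;
}

/* exec(2): first try to relinquish awareness, then E' = P' = I' = L & I. */
void do_exec(struct proc *p)
{
    (void)relinquish_awareness(p);
    p->iE = p->iP = p->I = p->L & p->I;
}

/* The set-uid bit of a set-uid root program is honoured only while the
 * unsafe privileges (proc_setid, sys_resource, proc_audit) remain in L. */
bool setuid_root_honored(const struct proc *p) { return (p->L & PRIV_UNSAFE) == PRIV_UNSAFE; }

int main(void)
{
    /* Constructed: a daemon started as UID 0 that never needs to exec. */
    struct proc d = { 0, 0, 0, false, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL };
    printf("NPA root: oE=%#x (= L) although iE=%#x\n", observed_E(&d), d.iE);
    priv_remove(&d, SET_P, PRIV_PROC_EXEC);   /* now PA; E and P lose proc_exec */
    priv_remove(&d, SET_L, PRIV_PROC_EXEC);   /* offspring can never regain it */
    printf("after drop: oE=%#x oP=%#x L=%#x pa=%d\n", observed_E(&d), observed_P(&d), d.L, d.pa);
    printf("re-add proc_exec to E: %s\n", priv_add(&d, SET_E, PRIV_PROC_EXEC) ? "allowed" : "refused");
    return 0;
}
```

     The NPA daemon starts out observing its whole limit set as E because its
     effective UID is 0; the first priv_remove() turns it privilege-aware with
     iE = oE = L, and from then on UID changes no longer widen what it can
     do. Removing proc_exec from L as well is what makes the restriction
     stick across exec, since E' = P' = I' = L & I can never contain a
     privilege that L lacks.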
   Privilege Escalation
     In certain circumstances, a single privilege could lead to a process
     gaining one or more additional privileges that were not explicitly
     granted to that process. To prevent such an escalation of privileges,
     the security policy requires explicit permission for those additional
     privileges.

     Common examples of escalation are those mechanisms that allow
     modification of system resources through "raw" interfaces; for example,
     changing kernel data structures through /dev/kmem or changing files
     through /dev/dsk/*. Escalation also occurs when a process controls
     processes with more privileges than the controlling process. A special
     case of this is manipulating or creating objects owned by UID 0 or
     trying to obtain UID 0 using setuid(2).

     The special treatment of UID 0 is needed because the UID 0 owns all
     system configuration files and ordinary file protection mechanisms allow
     processes with UID 0 to modify the system configuration. With
     appropriate file modifications, a given process running with an
     effective UID of 0 can gain all privileges.

     In situations where a process might obtain UID 0, the security policy
     requires additional privileges, up to the full set of privileges. Such
     restrictions could be relaxed or removed at such time as additional
     mechanisms for protection of system files became available. There are
     no such mechanisms in the current Solaris release.

     The use of UID 0 processes should be limited as much as possible. They
     should be replaced with programs running under a different UID but with
     exactly the privileges they need. Daemons that never need to exec
     subprocesses should remove the PRIV_PROC_EXEC privilege from their
     permitted and limit sets.

   Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system administrator could
     give that user more powers than intended.
     The administrator should consider whether safeguards are needed. For
     example, if the PRIV_PROC_LOCK_MEMORY privilege is given to a user, the
     administrator should consider setting the project.max-locked-memory
     resource control as well, to prevent that user from locking all memory.

   Privilege Debugging
     When a system call fails with a permission error, it is not always
     immediately obvious what caused the problem. To debug such a problem,
     you can use a tool called privilege debugging.

     When privilege debugging is enabled for a process, the kernel reports
     missing privileges on the controlling terminal of the process. (Enable
     debugging for a process with the -D option of ppriv(1).) Additionally,
     the administrator can enable system-wide privilege debugging by setting
     the system(4) variable priv_debug using:

             set priv_debug = 1

     On a running system, you can use mdb(1) to change this variable.

   Privilege Administration
     The Solaris Management Console (see smc(1M)) is the preferred method of
     modifying privileges for a command. Use usermod(1M) or smrole(1M) to
     assign privileges to or modify privileges for, respectively, a user or a
     role. Use ppriv(1) to enumerate the privileges supported on a system and
     truss(1) to determine which privileges a program requires.
SEE ALSO
     mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
     pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
     access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
     chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2), fpathconf(2),
     getacct(2), getpflags(2), getppriv(2), getsid(2), kill(2), link(2),
     memcntl(2), mknod(2), mount(2), msgctl(2), nice(2), ntp_adjtime(2),
     open(2), p_online(2), priocntl(2), priocntlset(2), processor_bind(2),
     pset_bind(2), pset_create(2), readlink(2), resolvepath(2), rmdir(2),
     semctl(2), setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2),
     setpflags(2), setppriv(2), setrctl(2), setregid(2), setreuid(2),
     setrlimit(2), settaskid(2), setuid(2), shmctl(2), shmget(2), shmop(2),
     sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2), sysinfo(2),
     uadmin(2), ulimit(2), umount(2), unlink(2), utime(2), utimes(2),
     bind(3SOCKET), door_ucred(3C), priv_addset(3C), priv_set(3C),
     priv_getbyname(3C), priv_getbynum(3C), priv_set_to_str(3C),
     priv_str_to_set(3C), socket(3SOCKET), t_bind(3NSL), timer_create(3C),
     ucred_get(3C), exec_attr(4), proc(4), system(4), user_attr(4), xVM(5),
     ddi_cred(9F), drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
     priv_policy_choice(9F),
     priv_policy_only(9F)

     System Administration Guide: Security Services

                                 June 6, 2016                    PRIVILEGES(5)