Print this page
Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/man/man5/privileges.5
+++ new/usr/src/man/man5/privileges.5
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH PRIVILEGES 5 "Oct 30, 2015"
7 +.TH PRIVILEGES 5 "Jun 6, 2016"
8 8 .SH NAME
9 9 privileges \- process privilege model
10 10 .SH DESCRIPTION
11 11 .LP
12 12 Solaris software implements a set of privileges that provide fine-grained
13 13 control over the actions of processes. The possession of a certain privilege
14 14 allows a process to perform a specific set of restricted operations.
15 15 .sp
16 16 .LP
17 17 The change to a primarily privilege-based security model in the Solaris
18 18 operating system gives developers an opportunity to restrict processes to those
19 19 privileged operations actually needed instead of all (super-user) or no
20 20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 21 operations now requires a privilege; these privileges are dubbed the "basic"
22 22 privileges and are by default given to all processes.
23 23 .sp
24 24 .LP
25 25 Taken together, all defined privileges with the exception of the "basic"
26 26 privileges compose the set of privileges that are traditionally associated with
27 27 the root user. The "basic" privileges are "privileges" unprivileged processes
28 28 were accustomed to having.
29 29 .sp
30 30 .LP
31 31 The defined privileges are:
32 32 .sp
33 33 .ne 2
34 34 .na
35 35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 36 .ad
37 37 .sp .6
38 38 .RS 4n
39 39 Allow a process to request reliable delivery of events to an event endpoint.
40 40 .sp
41 41 Allow a process to include events in the critical event set term of a template
42 42 which could be generated in volume by the user.
43 43 .RE
44 44
45 45 .sp
46 46 .ne 2
47 47 .na
48 48 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
49 49 .ad
50 50 .sp .6
51 51 .RS 4n
52 52 Allows a process to set the service FMRI value of a process contract template.
53 53 .RE
54 54
55 55 .sp
56 56 .ne 2
57 57 .na
58 58 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
59 59 .ad
60 60 .sp .6
61 61 .RS 4n
62 62 Allow a process to observe contract events generated by contracts created and
63 63 owned by users other than the process's effective user ID.
64 64 .sp
65 65 Allow a process to open contract event endpoints belonging to contracts created
66 66 and owned by users other than the process's effective user ID.
67 67 .RE
68 68
69 69 .sp
70 70 .ne 2
71 71 .na
72 72 \fB\fBPRIV_CPC_CPU\fR\fR
73 73 .ad
74 74 .sp .6
75 75 .RS 4n
76 76 Allow a process to access per-CPU hardware performance counters.
77 77 .RE
78 78
79 79 .sp
80 80 .ne 2
81 81 .na
82 82 \fB\fBPRIV_DTRACE_KERNEL\fR\fR
83 83 .ad
84 84 .sp .6
85 85 .RS 4n
86 86 Allow DTrace kernel-level tracing.
87 87 .RE
88 88
89 89 .sp
90 90 .ne 2
91 91 .na
92 92 \fB\fBPRIV_DTRACE_PROC\fR\fR
93 93 .ad
94 94 .sp .6
95 95 .RS 4n
96 96 Allow DTrace process-level tracing. Allow process-level tracing probes to be
97 97 placed and enabled in processes to which the user has permissions.
98 98 .RE
99 99
100 100 .sp
101 101 .ne 2
102 102 .na
103 103 \fB\fBPRIV_DTRACE_USER\fR\fR
104 104 .ad
105 105 .sp .6
106 106 .RS 4n
107 107 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
108 108 providers to examine processes to which the user has permissions.
109 109 .RE
110 110
111 111 .sp
112 112 .ne 2
113 113 .na
114 114 \fB\fBPRIV_FILE_CHOWN\fR\fR
115 115 .ad
116 116 .sp .6
117 117 .RS 4n
118 118 Allow a process to change a file's owner user ID. Allow a process to change a
119 119 file's group ID to one other than the process's effective group ID or one of
120 120 the process's supplemental group IDs.
121 121 .RE
122 122
123 123 .sp
124 124 .ne 2
125 125 .na
126 126 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
127 127 .ad
128 128 .sp .6
129 129 .RS 4n
130 130 Allow a process to give away its files. A process with this privilege runs as
131 131 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
132 132 .RE
133 133
134 134 .sp
135 135 .ne 2
136 136 .na
137 137 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
138 138 .ad
139 139 .sp .6
140 140 .RS 4n
141 141 Allow a process to execute an executable file whose permission bits or ACL
142 142 would otherwise disallow the process execute permission.
143 143 .RE
144 144
145 145 .sp
146 146 .ne 2
147 147 .na
148 148 \fB\fBPRIV_FILE_DAC_READ\fR\fR
149 149 .ad
150 150 .sp .6
151 151 .RS 4n
152 152 Allow a process to read a file or directory whose permission bits or ACL would
153 153 otherwise disallow the process read permission.
154 154 .RE
155 155
156 156 .sp
157 157 .ne 2
158 158 .na
159 159 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
160 160 .ad
161 161 .sp .6
162 162 .RS 4n
163 163 Allow a process to search a directory whose permission bits or ACL would not
164 164 otherwise allow the process search permission.
165 165 .RE
166 166
167 167 .sp
168 168 .ne 2
169 169 .na
170 170 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR
171 171 .ad
172 172 .sp .6
173 173 .RS 4n
174 174 Allow a process to write a file or directory whose permission bits or ACL do
175 175 not allow the process write permission. All privileges are required to write
176 176 files owned by UID 0 in the absence of an effective UID of 0.
177 177 .RE
178 178
179 179 .sp
180 180 .ne 2
181 181 .na
182 182 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
183 183 .ad
184 184 .sp .6
185 185 .RS 4n
186 186 Allow a process to set the sensitivity label of a file or directory to a
187 187 sensitivity label that does not dominate the existing sensitivity label.
188 188 .sp
189 189 This privilege is interpreted only if the system is configured with Trusted
190 190 Extensions.
191 191 .RE
192 192
193 193 .sp
194 194 .ne 2
195 195 .na
196 196 \fB\fBPRIV_FILE_FLAG_SET\fR\fR
197 197 .ad
198 198 .sp .6
199 199 .RS 4n
200 200 Allows a process to set immutable, nounlink or appendonly file attributes.
201 201 .RE
202 202
203 203 .sp
204 204 .ne 2
205 205 .na
206 206 \fB\fBPRIV_FILE_LINK_ANY\fR\fR
207 207 .ad
208 208 .sp .6
209 209 .RS 4n
210 210 Allow a process to create hardlinks to files owned by a UID different from the
211 211 process's effective UID.
212 212 .RE
213 213
214 214 .sp
215 215 .ne 2
216 216 .na
217 217 \fB\fBPRIV_FILE_OWNER\fR\fR
218 218 .ad
219 219 .sp .6
220 220 .RS 4n
221 221 Allow a process that is not the owner of a file to modify that file's access
222 222 and modification times. Allow a process that is not the owner of a directory to
223 223 modify that directory's access and modification times. Allow a process that is
224 224 not the owner of a file or directory to remove or rename a file or directory
225 225 whose parent directory has the "save text image after execution" (sticky) bit
226 226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
227 227 upon that file. Allow a process that is not the owner of a file or directory to
228 228 modify that file's or directory's permission bits or ACL.
229 229 .RE
230 230
231 231 .sp
232 232 .ne 2
233 233 .na
234 234 \fB\fBPRIV_FILE_READ\fR\fR
235 235 .ad
236 236 .sp .6
237 237 .RS 4n
238 238 Allow a process to open objects in the filesystem for reading. This
239 239 privilege is not necessary to read from an already open file which was opened
240 240 before dropping the \fBPRIV_FILE_READ\fR privilege.
241 241 .RE
242 242
243 243 .sp
244 244 .ne 2
245 245 .na
246 246 \fB\fBPRIV_FILE_SETID\fR\fR
247 247 .ad
248 248 .sp .6
249 249 .RS 4n
250 250 Allow a process to change the ownership of a file or write to a file without
251 251 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
252 252 set-group-ID bit on a file or directory whose group is not the process's
253 253 effective group or one of the process's supplemental groups. Allow a process to
254 254 set the set-user-ID bit on a file with different ownership in the presence of
255 255 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
256 256 a setuid 0 file.
257 257 .RE
258 258
259 259 .sp
260 260 .ne 2
261 261 .na
262 262 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
263 263 .ad
264 264 .sp .6
265 265 .RS 4n
266 266 Allow a process to set the sensitivity label of a file or directory to a
267 267 sensitivity label that dominates the existing sensitivity label.
268 268 .sp
269 269 This privilege is interpreted only if the system is configured with Trusted
270 270 Extensions.
271 271 .RE
272 272
273 273 .sp
274 274 .ne 2
275 275 .na
276 276 \fB\fBPRIV_FILE_WRITE\fR\fR
277 277 .ad
278 278 .sp .6
279 279 .RS 4n
280 280 Allow a process to open objects in the filesytem for writing, or otherwise
281 281 modify them. This privilege is not necessary to write to an already open file
282 282 which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege.
283 283 .RE
284 284
285 285 .sp
286 286 .ne 2
287 287 .na
288 288 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
289 289 .ad
290 290 .sp .6
291 291 .RS 4n
292 292 Allow a process to make privileged ioctls to graphics devices. Typically only
293 293 an xserver process needs to have this privilege. A process with this privilege
294 294 is also allowed to perform privileged graphics device mappings.
295 295 .RE
296 296
297 297 .sp
298 298 .ne 2
299 299 .na
300 300 \fB\fBPRIV_GRAPHICS_MAP\fR\fR
301 301 .ad
302 302 .sp .6
303 303 .RS 4n
304 304 Allow a process to perform privileged mappings through a graphics device.
305 305 .RE
306 306
307 307 .sp
308 308 .ne 2
309 309 .na
310 310 \fB\fBPRIV_IPC_DAC_READ\fR\fR
311 311 .ad
312 312 .sp .6
313 313 .RS 4n
314 314 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
315 315 Memory Segment whose permission bits would not otherwise allow the process read
316 316 permission.
317 317 .RE
318 318
319 319 .sp
320 320 .ne 2
321 321 .na
322 322 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR
323 323 .ad
324 324 .sp .6
325 325 .RS 4n
326 326 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
327 327 Memory Segment whose permission bits would not otherwise allow the process
328 328 write permission.
329 329 .RE
330 330
331 331 .sp
332 332 .ne 2
333 333 .na
334 334 \fB\fBPRIV_IPC_OWNER\fR\fR
335 335 .ad
336 336 .sp .6
337 337 .RS 4n
338 338 Allow a process that is not the owner of a System V IPC Message Queue,
339 339 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
340 340 change permission bits of the Message Queue, Semaphore Set, or Shared Memory
341 341 Segment.
342 342 .RE
343 343
344 344 .sp
345 345 .ne 2
346 346 .na
347 347 \fB\fBPRIV_NET_ACCESS\fR\fR
348 348 .ad
349 349 .sp .6
350 350 .RS 4n
351 351 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
352 352 privilege is not necessary to communicate using an existing endpoint already
353 353 opened before dropping the \fBPRIV_NET_ACCESS\fR privilege.
354 354 .RE
355 355
356 356 .sp
357 357 .ne 2
358 358 .na
359 359 \fB\fBPRIV_NET_BINDMLP\fR\fR
360 360 .ad
361 361 .sp .6
362 362 .RS 4n
363 363 Allow a process to bind to a port that is configured as a multi-level port
364 364 (MLP) for the process's zone. This privilege applies to both shared address and
365 365 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
366 366 Extensions manual pages for information on configuring MLP ports.
367 367 .sp
368 368 This privilege is interpreted only if the system is configured with Trusted
369 369 Extensions.
370 370 .RE
371 371
372 372 .sp
373 373 .ne 2
374 374 .na
375 375 \fB\fBPRIV_NET_ICMPACCESS\fR\fR
376 376 .ad
377 377 .sp .6
378 378 .RS 4n
379 379 Allow a process to send and receive ICMP packets.
380 380 .RE
381 381
382 382 .sp
383 383 .ne 2
384 384 .na
385 385 \fB\fBPRIV_NET_MAC_AWARE\fR\fR
386 386 .ad
387 387 .sp .6
388 388 .RS 4n
389 389 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
390 390 \fBsetpflags\fR(2). This privilege also allows a process to set the
391 391 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
392 392 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
393 393 allow a local process to communicate with an unlabeled peer if the local
394 394 process's label dominates the peer's default label, or if the local process
395 395 runs in the global zone.
396 396 .sp
397 397 This privilege is interpreted only if the system is configured with Trusted
398 398 Extensions.
399 399 .RE
400 400
401 401 .sp
402 402 .ne 2
403 403 .na
404 404 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
405 405 .ad
406 406 .sp .6
407 407 .RS 4n
408 408 Allow a proces to set \fBSO_MAC_IMPLICIT\fR option by using
409 409 \fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit
410 410 implicitly-labeled packets to a peer.
411 411 .sp
412 412 This privilege is interpreted only if the system is configured with
413 413 Trusted Extensions.
414 414 .RE
415 415
416 416 .sp
417 417 .ne 2
418 418 .na
419 419 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR
420 420 .ad
421 421 .sp .6
422 422 .RS 4n
423 423 Allow a process to open a device for just receiving network traffic, sending
424 424 traffic is disallowed.
425 425 .RE
426 426
427 427 .sp
428 428 .ne 2
429 429 .na
430 430 \fB\fBPRIV_NET_PRIVADDR\fR\fR
431 431 .ad
432 432 .sp .6
433 433 .RS 4n
434 434 Allow a process to bind to a privileged port number. The privilege port numbers
435 435 are 1-1023 (the traditional UNIX privileged ports) as well as those ports
436 436 marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports
437 437 reserved for use by NFS and SMB.
438 438 .RE
439 439
440 440 .sp
441 441 .ne 2
442 442 .na
443 443 \fB\fBPRIV_NET_RAWACCESS\fR\fR
444 444 .ad
445 445 .sp .6
446 446 .RS 4n
447 447 Allow a process to have direct access to the network layer.
448 448 .RE
449 449
450 450 .sp
451 451 .ne 2
452 452 .na
453 453 \fB\fBPRIV_PROC_AUDIT\fR\fR
454 454 .ad
455 455 .sp .6
456 456 .RS 4n
457 457 Allow a process to generate audit records. Allow a process to get its own audit
458 458 pre-selection information.
459 459 .RE
460 460
461 461 .sp
462 462 .ne 2
463 463 .na
464 464 \fB\fBPRIV_PROC_CHROOT\fR\fR
465 465 .ad
466 466 .sp .6
467 467 .RS 4n
468 468 Allow a process to change its root directory.
469 469 .RE
470 470
471 471 .sp
472 472 .ne 2
473 473 .na
474 474 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
475 475 .ad
476 476 .sp .6
477 477 .RS 4n
478 478 Allow a process to use high resolution timers.
479 479 .RE
480 480
481 481 .sp
482 482 .ne 2
483 483 .na
484 484 \fB\fBPRIV_PROC_EXEC\fR\fR
485 485 .ad
486 486 .sp .6
487 487 .RS 4n
488 488 Allow a process to call \fBexec\fR(2).
489 489 .RE
490 490
491 491 .sp
492 492 .ne 2
493 493 .na
494 494 \fB\fBPRIV_PROC_FORK\fR\fR
495 495 .ad
496 496 .sp .6
497 497 .RS 4n
498 498 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
499 499 .RE
500 500
501 501 .sp
502 502 .ne 2
503 503 .na
504 504 \fB\fBPRIV_PROC_INFO\fR\fR
505 505 .ad
506 506 .sp .6
507 507 .RS 4n
508 508 Allow a process to examine the status of processes other than those to which it
509 509 can send signals. Processes that cannot be examined cannot be seen in
510 510 \fB/proc\fR and appear not to exist.
511 511 .RE
512 512
513 513 .sp
514 514 .ne 2
515 515 .na
516 516 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
517 517 .ad
518 518 .sp .6
519 519 .RS 4n
520 520 Allow a process to lock pages in physical memory.
521 521 .RE
522 522
523 523 .sp
524 524 .ne 2
525 525 .na
526 526 \fB\fBPRIV_PROC_MEMINFO\fR\fR
527 527 .ad
528 528 .sp .6
529 529 .RS 4n
530 530 Allow a process to access physical memory information.
531 531 .RE
532 532
533 533 .sp
534 534 .ne 2
535 535 .na
536 536 \fB\fBPRIV_PROC_OWNER\fR\fR
537 537 .ad
538 538 .sp .6
539 539 .RS 4n
540 540 Allow a process to send signals to other processes and inspect and modify the
541 541 process state in other processes, regardless of ownership. When modifying
542 542 another process, additional restrictions apply: the effective privilege set of
543 543 the attaching process must be a superset of the target process's effective,
544 544 permitted, and inheritable sets; the limit set must be a superset of the
545 545 target's limit set; if the target process has any UID set to 0 all privilege
546 546 must be asserted unless the effective UID is 0. Allow a process to bind
547 547 arbitrary processes to CPUs.
548 548 .RE
549 549
550 550 .sp
551 551 .ne 2
552 552 .na
553 553 \fB\fBPRIV_PROC_PRIOUP\fR\fR
554 554 .ad
555 555 .sp .6
556 556 .RS 4n
557 557 Allow a process to elevate its priority above its current level.
558 558 .RE
559 559
560 560 .sp
561 561 .ne 2
562 562 .na
563 563 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR
564 564 .ad
|
↓ open down ↓ |
547 lines elided |
↑ open up ↑ |
565 565 .sp .6
566 566 .RS 4n
567 567 Allows all that PRIV_PROC_PRIOUP allows.
568 568 Allow a process to change its scheduling class to any scheduling class,
569 569 including the RT class.
570 570 .RE
571 571
572 572 .sp
573 573 .ne 2
574 574 .na
575 +\fB\PRIV_PROC_SECFLAGS\fR
576 +.ad
577 +.sp .6
578 +.RS 4n
579 +Allow a process to manipulate the secflags of processes (subject to,
580 +additionally, the ability to signal that process).
581 +.RE
582 +
583 +.sp
584 +.ne 2
585 +.na
575 586 \fB\fBPRIV_PROC_SESSION\fR\fR
576 587 .ad
577 588 .sp .6
578 589 .RS 4n
579 590 Allow a process to send signals or trace processes outside its session.
580 591 .RE
581 592
582 593 .sp
583 594 .ne 2
584 595 .na
585 596 \fB\fBPRIV_PROC_SETID\fR\fR
586 597 .ad
587 598 .sp .6
588 599 .RS 4n
589 600 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
590 601 to be asserted.
591 602 .RE
592 603
593 604 .sp
594 605 .ne 2
595 606 .na
596 607 \fB\fBPRIV_PROC_TASKID\fR\fR
597 608 .ad
598 609 .sp .6
599 610 .RS 4n
600 611 Allow a process to assign a new task ID to the calling process.
601 612 .RE
602 613
603 614 .sp
604 615 .ne 2
605 616 .na
606 617 \fB\fBPRIV_PROC_ZONE\fR\fR
607 618 .ad
608 619 .sp .6
609 620 .RS 4n
610 621 Allow a process to trace or send signals to processes in other zones. See
611 622 \fBzones\fR(5).
612 623 .RE
613 624
614 625 .sp
615 626 .ne 2
616 627 .na
617 628 \fB\fBPRIV_SYS_ACCT\fR\fR
618 629 .ad
619 630 .sp .6
620 631 .RS 4n
621 632 Allow a process to enable and disable and manage accounting through
622 633 \fBacct\fR(2).
623 634 .RE
624 635
625 636 .sp
626 637 .ne 2
627 638 .na
628 639 \fB\fBPRIV_SYS_ADMIN\fR\fR
629 640 .ad
630 641 .sp .6
631 642 .RS 4n
632 643 Allow a process to perform system administration tasks such as setting node and
633 644 domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
634 645 .RE
635 646
636 647 .sp
637 648 .ne 2
638 649 .na
639 650 \fB\fBPRIV_SYS_AUDIT\fR\fR
640 651 .ad
641 652 .sp .6
642 653 .RS 4n
643 654 Allow a process to start the (kernel) audit daemon. Allow a process to view and
644 655 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
645 656 pre-selection mask). Allow a process to turn off and on auditing. Allow a
646 657 process to configure the audit parameters (cache and queue sizes, event to
647 658 class mappings, and policy options).
648 659 .RE
649 660
650 661 .sp
651 662 .ne 2
652 663 .na
653 664 \fB\fBPRIV_SYS_CONFIG\fR\fR
654 665 .ad
655 666 .sp .6
656 667 .RS 4n
657 668 Allow a process to perform various system configuration tasks. Allow
658 669 filesystem-specific administrative procedures, such as filesystem configuration
659 670 ioctls, quota calls, creation and deletion of snapshots, and manipulating the
660 671 PCFS bootsector.
661 672 .RE
662 673
663 674 .sp
664 675 .ne 2
665 676 .na
666 677 \fB\fBPRIV_SYS_DEVICES\fR\fR
667 678 .ad
668 679 .sp .6
669 680 .RS 4n
670 681 Allow a process to create device special files. Allow a process to successfully
671 682 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
672 683 for allowed access. Allow a process to open the real console device directly.
673 684 Allow a process to open devices that have been exclusively opened.
674 685 .RE
675 686
676 687 .sp
677 688 .ne 2
678 689 .na
679 690 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR
680 691 .ad
681 692 .sp .6
682 693 .RS 4n
683 694 Allow a process to configure a system's datalink interfaces.
684 695 .RE
685 696
686 697 .sp
687 698 .ne 2
688 699 .na
689 700 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
690 701 .ad
691 702 .sp .6
692 703 .RS 4n
693 704 Allow a process to configure a system's IP interfaces and routes. Allow a
694 705 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
695 706 a process access to otherwise restricted \fBTCP/IP\fR information using
696 707 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
697 708 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
698 709 .RE
699 710
700 711 .sp
701 712 .ne 2
702 713 .na
703 714 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
704 715 .ad
705 716 .sp .6
706 717 .RS 4n
707 718 Allow a process to increase the size of a System V IPC Message Queue buffer.
708 719 .RE
709 720
710 721 .sp
711 722 .ne 2
712 723 .na
713 724 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
714 725 .ad
715 726 .sp .6
716 727 .RS 4n
717 728 Allow a process to configure IP tunnel links.
718 729 .RE
719 730
720 731 .sp
721 732 .ne 2
722 733 .na
723 734 \fB\fBPRIV_SYS_LINKDIR\fR\fR
724 735 .ad
725 736 .sp .6
726 737 .RS 4n
727 738 Allow a process to unlink and link directories.
728 739 .RE
729 740
730 741 .sp
731 742 .ne 2
732 743 .na
733 744 \fB\fBPRIV_SYS_MOUNT\fR\fR
734 745 .ad
735 746 .sp .6
736 747 .RS 4n
737 748 Allow a process to mount and unmount filesystems that would otherwise be
738 749 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
739 750 add and remove swap devices.
740 751 .RE
741 752
742 753 .sp
743 754 .ne 2
744 755 .na
745 756 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR
746 757 .ad
747 758 .sp .6
748 759 .RS 4n
749 760 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
750 761 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
751 762 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
752 763 modules on locations other than the top of the module stack.
753 764 .RE
754 765
755 766 .sp
756 767 .ne 2
757 768 .na
758 769 \fB\fBPRIV_SYS_NFS\fR\fR
759 770 .ad
760 771 .sp .6
761 772 .RS 4n
762 773 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
763 774 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
764 775 4045 (\fBlockd\fR).
765 776 .RE
766 777
767 778 .sp
768 779 .ne 2
769 780 .na
770 781 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
771 782 .ad
772 783 .sp .6
773 784 .RS 4n
774 785 Allow a process to create, configure, and destroy PPP instances with pppd(1M)
775 786 \fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M).
776 787 This privilege is granted by default to exclusive IP stack instance zones.
777 788 .RE
778 789
779 790 .sp
780 791 .ne 2
781 792 .na
782 793 \fB\fBPRIV_SYS_RES_BIND\fR\fR
783 794 .ad
784 795 .sp .6
785 796 .RS 4n
786 797 Allows a process to bind processes to processor sets.
787 798 .RE
788 799
789 800 .sp
790 801 .ne 2
791 802 .na
792 803 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR
793 804 .ad
794 805 .sp .6
795 806 .RS 4n
796 807 Allows all that PRIV_SYS_RES_BIND allows.
797 808 Allow a process to create and delete processor sets, assign CPUs to processor
798 809 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
799 810 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
800 811 process to configure filesystem quotas. Allow a process to configure resource
801 812 pools and bind processes to pools.
802 813 .RE
803 814
804 815 .sp
805 816 .ne 2
806 817 .na
807 818 \fB\fBPRIV_SYS_RESOURCE\fR\fR
808 819 .ad
809 820 .sp .6
810 821 .RS 4n
811 822 Allow a process to exceed the resource limits imposed on it by
812 823 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
813 824 .RE
814 825
815 826 .sp
816 827 .ne 2
817 828 .na
818 829 \fB\fBPRIV_SYS_SMB\fR\fR
819 830 .ad
820 831 .sp .6
821 832 .RS 4n
822 833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
823 834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
824 835 (SMB).
825 836 .RE
826 837
827 838 .sp
828 839 .ne 2
829 840 .na
830 841 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
831 842 .ad
832 843 .sp .6
833 844 .RS 4n
834 845 Allow a process to successfully call a third party loadable module that calls
835 846 the kernel \fBsuser()\fR function to check for allowed access. This privilege
836 847 exists only for third party loadable module compatibility and is not used by
837 848 Solaris proper.
838 849 .RE
839 850
840 851 .sp
841 852 .ne 2
842 853 .na
843 854 \fB\fBPRIV_SYS_TIME\fR\fR
844 855 .ad
845 856 .sp .6
846 857 .RS 4n
847 858 Allow a process to manipulate system time using any of the appropriate system
848 859 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
849 860 .RE
850 861
851 862 .sp
852 863 .ne 2
853 864 .na
854 865 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
855 866 .ad
856 867 .sp .6
857 868 .RS 4n
858 869 Allow a process to translate labels that are not dominated by the process's
859 870 sensitivity label to and from an external string form.
860 871 .sp
861 872 This privilege is interpreted only if the system is configured with Trusted
862 873 Extensions.
863 874 .RE
864 875
865 876 .sp
866 877 .ne 2
867 878 .na
868 879 \fB\fBPRIV_VIRT_MANAGE\fR\fR
869 880 .ad
870 881 .sp .6
871 882 .RS 4n
872 883 Allows a process to manage virtualized environments such as \fBxVM\fR(5).
873 884 .RE
874 885
875 886 .sp
876 887 .ne 2
877 888 .na
878 889 \fB\fBPRIV_WIN_COLORMAP\fR\fR
879 890 .ad
880 891 .sp .6
881 892 .RS 4n
882 893 Allow a process to override colormap restrictions.
883 894 .sp
884 895 Allow a process to install or remove colormaps.
885 896 .sp
886 897 Allow a process to retrieve colormap cell entries allocated by other processes.
887 898 .sp
888 899 This privilege is interpreted only if the system is configured with Trusted
889 900 Extensions.
890 901 .RE
891 902
892 903 .sp
893 904 .ne 2
894 905 .na
895 906 \fB\fBPRIV_WIN_CONFIG\fR\fR
896 907 .ad
897 908 .sp .6
898 909 .RS 4n
899 910 Allow a process to configure or destroy resources that are permanently retained
900 911 by the X server.
901 912 .sp
902 913 Allow a process to use SetScreenSaver to set the screen saver timeout value
903 914 .sp
904 915 Allow a process to use ChangeHosts to modify the display access control list.
905 916 .sp
906 917 Allow a process to use GrabServer.
907 918 .sp
908 919 Allow a process to use the SetCloseDownMode request that can retain window,
909 920 pixmap, colormap, property, cursor, font, or graphic context resources.
910 921 .sp
911 922 This privilege is interpreted only if the system is configured with Trusted
912 923 Extensions.
913 924 .RE
914 925
915 926 .sp
916 927 .ne 2
917 928 .na
918 929 \fB\fBPRIV_WIN_DAC_READ\fR\fR
919 930 .ad
920 931 .sp .6
921 932 .RS 4n
922 933 Allow a process to read from a window resource that it does not own (has a
923 934 different user ID).
924 935 .sp
925 936 This privilege is interpreted only if the system is configured with Trusted
926 937 Extensions.
927 938 .RE
928 939
929 940 .sp
930 941 .ne 2
931 942 .na
932 943 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR
933 944 .ad
934 945 .sp .6
935 946 .RS 4n
936 947 Allow a process to write to or create a window resource that it does not own
937 948 (has a different user ID). A newly created window property is created with the
938 949 window's user ID.
939 950 .sp
940 951 This privilege is interpreted only if the system is configured with Trusted
941 952 Extensions.
942 953 .RE
943 954
944 955 .sp
945 956 .ne 2
946 957 .na
947 958 \fB\fBPRIV_WIN_DEVICES\fR\fR
948 959 .ad
949 960 .sp .6
950 961 .RS 4n
951 962 Allow a process to perform operations on window input devices.
952 963 .sp
953 964 Allow a process to get and set keyboard and pointer controls.
954 965 .sp
955 966 Allow a process to modify pointer button and key mappings.
956 967 .sp
957 968 This privilege is interpreted only if the system is configured with Trusted
958 969 Extensions.
959 970 .RE
960 971
961 972 .sp
962 973 .ne 2
963 974 .na
964 975 \fB\fBPRIV_WIN_DGA\fR\fR
965 976 .ad
966 977 .sp .6
967 978 .RS 4n
968 979 Allow a process to use the direct graphics access (DGA) X protocol extensions.
969 980 Direct process access to the frame buffer is still required. Thus the process
970 981 must have MAC and DAC privileges that allow access to the frame buffer, or the
971 982 frame buffer must be allocated to the process.
972 983 .sp
973 984 This privilege is interpreted only if the system is configured with Trusted
974 985 Extensions.
975 986 .RE
976 987
977 988 .sp
978 989 .ne 2
979 990 .na
980 991 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
981 992 .ad
982 993 .sp .6
983 994 .RS 4n
984 995 Allow a process to set the sensitivity label of a window resource to a
985 996 sensitivity label that does not dominate the existing sensitivity label.
986 997 .sp
987 998 This privilege is interpreted only if the system is configured with Trusted
988 999 Extensions.
989 1000 .RE
990 1001
991 1002 .sp
992 1003 .ne 2
993 1004 .na
994 1005 \fB\fBPRIV_WIN_FONTPATH\fR\fR
995 1006 .ad
996 1007 .sp .6
997 1008 .RS 4n
998 1009 Allow a process to set a font path.
999 1010 .sp
1000 1011 This privilege is interpreted only if the system is configured with Trusted
1001 1012 Extensions.
1002 1013 .RE
1003 1014
1004 1015 .sp
1005 1016 .ne 2
1006 1017 .na
1007 1018 \fB\fBPRIV_WIN_MAC_READ\fR\fR
1008 1019 .ad
1009 1020 .sp .6
1010 1021 .RS 4n
1011 1022 Allow a process to read from a window resource whose sensitivity label is not
1012 1023 equal to the process sensitivity label.
1013 1024 .sp
1014 1025 This privilege is interpreted only if the system is configured with Trusted
1015 1026 Extensions.
1016 1027 .RE
1017 1028
1018 1029 .sp
1019 1030 .ne 2
1020 1031 .na
1021 1032 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR
1022 1033 .ad
1023 1034 .sp .6
1024 1035 .RS 4n
1025 1036 Allow a process to create a window resource whose sensitivity label is not
1026 1037 equal to the process sensitivity label. A newly created window property is
1027 1038 created with the window's sensitivity label.
1028 1039 .sp
1029 1040 This privilege is interpreted only if the system is configured with Trusted
1030 1041 Extensions.
1031 1042 .RE
1032 1043
1033 1044 .sp
1034 1045 .ne 2
1035 1046 .na
1036 1047 \fB\fBPRIV_WIN_SELECTION\fR\fR
1037 1048 .ad
1038 1049 .sp .6
1039 1050 .RS 4n
1040 1051 Allow a process to request inter-window data moves without the intervention of
1041 1052 the selection confirmer.
1042 1053 .sp
1043 1054 This privilege is interpreted only if the system is configured with Trusted
1044 1055 Extensions.
1045 1056 .RE
1046 1057
1047 1058 .sp
1048 1059 .ne 2
1049 1060 .na
1050 1061 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
1051 1062 .ad
1052 1063 .sp .6
1053 1064 .RS 4n
1054 1065 Allow a process to set the sensitivity label of a window resource to a
1055 1066 sensitivity label that dominates the existing sensitivity label.
1056 1067 .sp
1057 1068 This privilege is interpreted only if the system is configured with Trusted
1058 1069 Extensions.
1059 1070 .RE
1060 1071
1061 1072 .sp
1062 1073 .ne 2
1063 1074 .na
1064 1075 \fB\fBPRIV_XVM_CONTROL\fR\fR
1065 1076 .ad
1066 1077 .sp .6
1067 1078 .RS 4n
1068 1079 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1069 1080 domains and the hypervisor. This privilege is used only if booted into xVM on
1070 1081 x86 platforms.
1071 1082 .RE
1072 1083
1073 1084 .sp
1074 1085 .LP
1075 1086 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1076 1087 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1077 1088 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1078 1089 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1079 1090 that used to be always available to unprivileged processes. By default,
1080 1091 processes still have the basic privileges.
1081 1092 .sp
1082 1093 .LP
1083 1094 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1084 1095 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1085 1096 to be successful, that is, get an effective UID of 0 and additional privileges.
1086 1097 .sp
1087 1098 .LP
1088 1099 The privilege implementation in Solaris extends the process credential with
1089 1100 four privilege sets:
1090 1101 .sp
1091 1102 .ne 2
1092 1103 .na
1093 1104 \fBI, the inheritable set\fR
1094 1105 .ad
1095 1106 .RS 26n
1096 1107 The privileges inherited on \fBexec\fR.
1097 1108 .RE
1098 1109
1099 1110 .sp
1100 1111 .ne 2
1101 1112 .na
1102 1113 \fBP, the permitted set\fR
1103 1114 .ad
1104 1115 .RS 26n
1105 1116 The maximum set of privileges for the process.
1106 1117 .RE
1107 1118
1108 1119 .sp
1109 1120 .ne 2
1110 1121 .na
1111 1122 \fBE, the effective set\fR
1112 1123 .ad
1113 1124 .RS 26n
1114 1125 The privileges currently in effect.
1115 1126 .RE
1116 1127
1117 1128 .sp
1118 1129 .ne 2
1119 1130 .na
1120 1131 \fBL, the limit set\fR
1121 1132 .ad
1122 1133 .RS 26n
1123 1134 The upper bound of the privileges a process and its offspring can obtain.
1124 1135 Changes to L take effect on the next \fBexec\fR.
1125 1136 .RE
1126 1137
1127 1138 .sp
1128 1139 .LP
1129 1140 The sets I, P and E are typically identical to the basic set of privileges for
1130 1141 unprivileged processes. The limit set is typically the full set of privileges.
1131 1142 .sp
1132 1143 .LP
1133 1144 Each process has a Privilege Awareness State (PAS) that can take the value PA
1134 1145 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1135 1146 a choice between full compatibility with the old superuser model and completely
1136 1147 ignoring the effective UID.
1137 1148 .sp
1138 1149 .LP
1139 1150 To facilitate the discussion, we introduce the notion of "observed effective
1140 1151 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1141 1152 iP.
1142 1153 .sp
1143 1154 .LP
1144 1155 A process becomes privilege-aware either by manipulating the effective,
1145 1156 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
1146 1157 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
1147 1158 becoming privilege-aware. In the process of becoming privilege-aware, the
1148 1159 following assignments take place:
1149 1160 .sp
1150 1161 .in +2
1151 1162 .nf
1152 1163 iE = oE
1153 1164 iP = oP
1154 1165 .fi
1155 1166 .in -2
1156 1167
1157 1168 .sp
1158 1169 .LP
1159 1170 When a process is privilege-aware, oE and oP are invariant under UID changes.
1160 1171 When a process is not privilege-aware, oE and oP are observed as follows:
1161 1172 .sp
1162 1173 .in +2
1163 1174 .nf
1164 1175 oE = euid == 0 ? L : iE
1165 1176 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
1166 1177 .fi
1167 1178 .in -2
1168 1179
1169 1180 .sp
1170 1181 .LP
1171 1182 When a non-privilege-aware process has an effective UID of 0, it can exercise
1172 1183 the privileges contained in its limit set, the upper bound of its privileges.
1173 1184 If a non-privilege-aware process has any of the UIDs 0, it appears to be
1174 1185 capable of potentially exercising all privileges in L.
1175 1186 .sp
1176 1187 .LP
1177 1188 It is possible for a process to return to the non-privilege aware state using
1178 1189 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
1179 1190 operation is permitted only if the following conditions are met:
1180 1191 .RS +4
1181 1192 .TP
1182 1193 .ie t \(bu
1183 1194 .el o
1184 1195 If any of the UIDs is equal to 0, P must be equal to L.
1185 1196 .RE
1186 1197 .RS +4
1187 1198 .TP
1188 1199 .ie t \(bu
1189 1200 .el o
1190 1201 If the effective UID is equal to 0, E must be equal to L.
1191 1202 .RE
1192 1203 .sp
1193 1204 .LP
1194 1205 When a process gives up privilege awareness, the following assignments take
1195 1206 place:
1196 1207 .sp
1197 1208 .in +2
1198 1209 .nf
1199 1210 if (euid == 0) iE = L & I
1200 1211 if (any uid == 0) iP = L & I
1201 1212 .fi
1202 1213 .in -2
1203 1214
1204 1215 .sp
1205 1216 .LP
1206 1217 The privileges obtained when not having a UID of \fB0\fR are the inheritable
1207 1218 set of the process restricted by the limit set.
1208 1219 .sp
1209 1220 .LP
1210 1221 Only privileges in the process's (observed) effective privilege set allow the
1211 1222 process to perform restricted operations. A process can use any of the
1212 1223 privilege manipulation functions to add or remove privileges from the privilege
1213 1224 sets. Privileges can be removed always. Only privileges found in the permitted
1214 1225 set can be added to the effective and inheritable set. The limit set cannot
1215 1226 grow. The inheritable set can be larger than the permitted set.
1216 1227 .sp
1217 1228 .LP
1218 1229 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1219 1230 privilege awareness before making the following privilege set modifications:
1220 1231 .sp
1221 1232 .in +2
1222 1233 .nf
1223 1234 E' = P' = I' = L & I
1224 1235 L is unchanged
1225 1236 .fi
1226 1237 .in -2
1227 1238
1228 1239 .sp
1229 1240 .LP
1230 1241 If a process has not manipulated its privileges, the privilege sets effectively
1231 1242 remain the same, as E, P and I are already identical.
1232 1243 .sp
1233 1244 .LP
1234 1245 The limit set is enforced at \fBexec\fR time.
1235 1246 .sp
1236 1247 .LP
1237 1248 To run a non-privilege-aware application in a backward-compatible manner, a
1238 1249 privilege-aware application should start the non-privilege-aware application
1239 1250 with I=basic.
1240 1251 .sp
1241 1252 .LP
1242 1253 For most privileges, absence of the privilege simply results in a failure. In
1243 1254 some instances, the absense of a privilege can cause system calls to behave
1244 1255 differently. In other instances, the removal of a privilege can force a set-uid
1245 1256 application to seriously malfunction. Privileges of this type are considered
1246 1257 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1247 1258 set, the system does not honor the set-uid bit of set-uid root applications.
1248 1259 The following unsafe privileges have been identified: \fBproc_setid\fR,
1249 1260 \fBsys_resource\fR and \fBproc_audit\fR.
1250 1261 .SS "Privilege Escalation"
1251 1262 .LP
1252 1263 In certain circumstances, a single privilege could lead to a process gaining
1253 1264 one or more additional privileges that were not explicitly granted to that
1254 1265 process. To prevent such an escalation of privileges, the security policy
1255 1266 requires explicit permission for those additional privileges.
1256 1267 .sp
1257 1268 .LP
1258 1269 Common examples of escalation are those mechanisms that allow modification of
1259 1270 system resources through "raw'' interfaces; for example, changing kernel data
1260 1271 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1261 1272 Escalation also occurs when a process controls processes with more privileges
1262 1273 than the controlling process. A special case of this is manipulating or
1263 1274 creating objects owned by UID 0 or trying to obtain UID 0 using
1264 1275 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1265 1276 owns all system configuration files and ordinary file protection mechanisms
1266 1277 allow processes with UID 0 to modify the system configuration. With appropriate
1267 1278 file modifications, a given process running with an effective UID of 0 can gain
1268 1279 all privileges.
1269 1280 .sp
1270 1281 .LP
1271 1282 In situations where a process might obtain UID 0, the security policy requires
1272 1283 additional privileges, up to the full set of privileges. Such restrictions
1273 1284 could be relaxed or removed at such time as additional mechanisms for
1274 1285 protection of system files became available. There are no such mechanisms in
1275 1286 the current Solaris release.
1276 1287 .sp
1277 1288 .LP
1278 1289 The use of UID 0 processes should be limited as much as possible. They should
1279 1290 be replaced with programs running under a different UID but with exactly the
1280 1291 privileges they need.
1281 1292 .sp
1282 1293 .LP
1283 1294 Daemons that never need to \fBexec\fR subprocesses should remove the
1284 1295 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1285 1296 .SS "Assigned Privileges and Safeguards"
1286 1297 .LP
1287 1298 When privileges are assigned to a user, the system administrator could give
1288 1299 that user more powers than intended. The administrator should consider whether
1289 1300 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1290 1301 privilege is given to a user, the administrator should consider setting the
1291 1302 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1292 1303 from locking all memory.
1293 1304 .SS "Privilege Debugging"
1294 1305 .LP
1295 1306 When a system call fails with a permission error, it is not always immediately
1296 1307 obvious what caused the problem. To debug such a problem, you can use a tool
1297 1308 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1298 1309 process, the kernel reports missing privileges on the controlling terminal of
1299 1310 the process. (Enable debugging for a process with the \fB-D\fR option of
1300 1311 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1301 1312 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1302 1313 using:
1303 1314 .sp
1304 1315 .in +2
1305 1316 .nf
1306 1317 set priv_debug = 1
1307 1318 .fi
1308 1319 .in -2
1309 1320
1310 1321 .sp
1311 1322 .LP
1312 1323 On a running system, you can use \fBmdb\fR(1) to change this variable.
1313 1324 .SS "Privilege Administration"
1314 1325 .LP
1315 1326 The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
1316 1327 modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M)
1317 1328 to assign privileges to or modify privileges for, respectively, a user or a
1318 1329 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1319 1330 \fBtruss\fR(1) to determine which privileges a program requires.
1320 1331 .SH SEE ALSO
1321 1332 .LP
1322 1333 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1323 1334 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1324 1335 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1325 1336 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1326 1337 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1327 1338 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1328 1339 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1329 1340 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1330 1341 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1331 1342 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1332 1343 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1333 1344 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1334 1345 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1335 1346 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1336 1347 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1337 1348 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1338 1349 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1339 1350 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1340 1351 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1341 1352 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
1342 1353 \fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
1343 1354 \fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
1344 1355 \fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
1345 1356 \fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
1346 1357 \fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
1347 1358 \fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
1348 1359 \fBpriv_policy_only\fR(9F)
1349 1360 .sp
1350 1361 .LP
1351 1362 \fISystem Administration Guide: Security Services\fR
|
↓ open down ↓ |
767 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX