In illumos, software implements a set of privileges that provide fine-grained
control over the actions of processes. The possession of a certain privilege
allows a process to perform a specific set of restricted operations.
The change to a primarily privilege-based security model in the
operating system gives developers an opportunity to restrict processes to
those privileged operations actually needed instead of all (super-user) or
no privileges (non-zero UIDs). Additionally, a set of previously
unrestricted operations now requires a privilege; these privileges are
dubbed the "basic" privileges and are by default given to all
processes.
Taken together, all defined privileges with the exception of the
"basic" privileges compose the set of privileges that are
traditionally associated with the root user. The "basic"
privileges are "privileges" unprivileged processes were accustomed
to having.
The defined privileges are:
PRIV_CONTRACT_EVENT
Allow a process to request reliable delivery of events to
an event endpoint.
Allow a process to include events in the critical event set term
of a template which could be generated in volume by the user.
PRIV_CONTRACT_IDENTITY
Allows a process to set the service FMRI value of a
process contract template.
PRIV_CONTRACT_OBSERVER
Allow a process to observe contract events generated by
contracts created and owned by users other than the process's effective user
ID.
Allow a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's effective user
ID.
PRIV_CPC_CPU
Allow a process to access per-CPU hardware performance
counters.
PRIV_DTRACE_KERNEL
Allow DTrace kernel-level tracing.
PRIV_DTRACE_PROC
Allow DTrace process-level tracing. Allow process-level
tracing probes to be placed and enabled in processes to which the user has
permissions.
PRIV_DTRACE_USER
Allow DTrace user-level tracing. Allow use of the syscall
and profile DTrace providers to examine processes to which the user has
permissions.
PRIV_FILE_CHOWN
Allow a process to change a file's owner user ID. Allow a
process to change a file's group ID to one other than the process's effective
group ID or one of the process's supplemental group IDs.
PRIV_FILE_CHOWN_SELF
Allow a process to give away its files. A process with
this privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in
effect.
PRIV_FILE_DAC_EXECUTE
Allow a process to execute an executable file whose
permission bits or ACL would otherwise disallow the process execute
permission.
PRIV_FILE_DAC_READ
Allow a process to read a file or directory whose
permission bits or ACL would otherwise disallow the process read
permission.
PRIV_FILE_DAC_SEARCH
Allow a process to search a directory whose permission
bits or ACL would not otherwise allow the process search permission.
PRIV_FILE_DAC_WRITE
Allow a process to write a file or directory whose
permission bits or ACL do not allow the process write permission. All
privileges are required to write files owned by UID 0 in the absence of an
effective UID of 0.
PRIV_FILE_DOWNGRADE_SL
Allow a process to set the sensitivity label of a file or
directory to a sensitivity label that does not dominate the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_FILE_FLAG_SET
Allows a process to set immutable, nounlink or appendonly
file attributes.
PRIV_FILE_LINK_ANY
Allow a process to create hardlinks to files owned by a
UID different from the process's effective UID.
PRIV_FILE_OWNER
Allow a process that is not the owner of a file to modify
that file's access and modification times. Allow a process that is not the
owner of a directory to modify that directory's access and modification times.
Allow a process that is not the owner of a file or directory to remove or
rename a file or directory whose parent directory has the "save text
image after execution" (sticky) bit set. Allow a process that is not the
owner of a file to mount a namefs upon that file. Allow a process that
is not the owner of a file or directory to modify that file's or directory's
permission bits or ACL.
PRIV_FILE_READ
Allow a process to open objects in the filesystem for
reading. This privilege is not necessary to read from an already open file
which was opened before dropping the PRIV_FILE_READ privilege.
PRIV_FILE_SETID
Allow a process to change the ownership of a file or
write to a file without the set-user-ID and set-group-ID bits being cleared.
Allow a process to set the set-group-ID bit on a file or directory whose group
is not the process's effective group or one of the process's supplemental
groups. Allow a process to set the set-user-ID bit on a file with different
ownership in the presence of PRIV_FILE_OWNER. Additional restrictions
apply when creating or modifying a setuid 0 file.
PRIV_FILE_UPGRADE_SL
Allow a process to set the sensitivity label of a file or
directory to a sensitivity label that dominates the existing sensitivity
label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_FILE_WRITE
Allow a process to open objects in the filesystem for
writing, or otherwise modify them. This privilege is not necessary to write to
an already open file which was opened before dropping the
PRIV_FILE_WRITE privilege.
PRIV_GRAPHICS_ACCESS
Allow a process to make privileged ioctls to graphics
devices. Typically only an xserver process needs to have this privilege. A
process with this privilege is also allowed to perform privileged graphics
device mappings.
PRIV_GRAPHICS_MAP
Allow a process to perform privileged mappings through a
graphics device.
PRIV_IPC_DAC_READ
Allow a process to read a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment whose permission bits would not
otherwise allow the process read permission.
PRIV_IPC_DAC_WRITE
Allow a process to write a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment whose permission bits would not
otherwise allow the process write permission.
PRIV_IPC_OWNER
Allow a process that is not the owner of a System V IPC
Message Queue, Semaphore Set, or Shared Memory Segment to remove, change
ownership of, or change permission bits of the Message Queue, Semaphore Set,
or Shared Memory Segment.
PRIV_NET_ACCESS
Allow a process to open a TCP, UDP, SDP, or SCTP network
endpoint. This privilege is not necessary to communicate using an existing
endpoint already opened before dropping the PRIV_NET_ACCESS
privilege.
PRIV_NET_BINDMLP
Allow a process to bind to a port that is configured as a
multi-level port (MLP) for the process's zone. This privilege applies to both
shared address and zone-specific address MLPs. See tnzonecfg(4) from the
Trusted Extensions manual pages for information on configuring MLP ports.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_NET_ICMPACCESS
Allow a process to send and receive ICMP packets.
PRIV_NET_MAC_AWARE
Allow a process to set the
NET_MAC_AWARE process
flag by using
setpflags(2). This privilege also allows a process to set
the
SO_MAC_EXEMPT socket option by using
setsockopt(3SOCKET).
The
NET_MAC_AWARE process flag and the
SO_MAC_EXEMPT socket
option both allow a local process to communicate with an unlabeled peer if the
local process's label dominates the peer's default label, or if the local
process runs in the global zone.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_NET_MAC_IMPLICIT
Allow a process to set
SO_MAC_IMPLICIT option by
using
setsockopt(3SOCKET). This allows a privileged process to transmit
implicitly-labeled packets to a peer.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_NET_OBSERVABILITY
Allow a process to open a device for just receiving
network traffic, sending traffic is disallowed.
PRIV_NET_PRIVADDR
Allow a process to bind to a privileged port number. The
privileged port numbers are 1-1023 (the traditional UNIX privileged ports) as
well as those ports marked as "udp/tcp_extra_priv_ports", with
the exception of the ports reserved for use by NFS and SMB.
PRIV_NET_RAWACCESS
Allow a process to have direct access to the network
layer.
PRIV_PROC_AUDIT
Allow a process to generate audit records. Allow a
process to get its own audit pre-selection information.
PRIV_PROC_CHROOT
Allow a process to change its root directory.
PRIV_PROC_CLOCK_HIGHRES
Allow a process to use high resolution timers.
PRIV_PROC_EXEC
Allow a process to call exec(2).
PRIV_PROC_FORK
Allow a process to call fork(2), fork1(2),
or vfork(2).
PRIV_PROC_INFO
Allow a process to examine the status of processes other
than those to which it can send signals. Processes that cannot be examined
cannot be seen in /proc and appear not to exist.
PRIV_PROC_LOCK_MEMORY
Allow a process to lock pages in physical memory.
PRIV_PROC_MEMINFO
Allow a process to access physical memory
information.
PRIV_PROC_OWNER
Allow a process to send signals to other processes and
inspect and modify the process state in other processes, regardless of
ownership. When modifying another process, additional restrictions apply: the
effective privilege set of the attaching process must be a superset of the
target process's effective, permitted, and inheritable sets; the limit set
must be a superset of the target's limit set; if the target process has any
UID set to 0 all privilege must be asserted unless the effective UID is 0.
Allow a process to bind arbitrary processes to CPUs.
PRIV_PROC_PRIOUP
Allow a process to elevate its priority above its current
level.
PRIV_PROC_PRIOCNTL
Allows all that PRIV_PROC_PRIOUP allows. Allow a process
to change its scheduling class to any scheduling class, including the RT
class.
PRIV_PROC_SECFLAGS
Allow a process to manipulate the secflags of processes
(subject to, additionally, the ability to signal that process).
PRIV_PROC_SESSION
Allow a process to send signals or trace processes
outside its session.
PRIV_PROC_SETID
Allow a process to set its UIDs at will; assuming (taking on) UID 0
requires that all privileges be asserted.
PRIV_PROC_TASKID
Allow a process to assign a new task ID to the calling
process.
PRIV_PROC_ZONE
Allow a process to trace or send signals to processes in
other zones. See zones(5).
PRIV_SYS_ACCT
Allow a process to enable and disable and manage
accounting through acct(2).
PRIV_SYS_ADMIN
Allow a process to perform system administration tasks
such as setting node and domain name and managing fmd(1M) and
nscd(1M).
PRIV_SYS_AUDIT
Allow a process to start the (kernel) audit daemon. Allow
a process to view and set audit state (audit user ID, audit terminal ID, audit
sessions ID, audit pre-selection mask). Allow a process to turn off and on
auditing. Allow a process to configure the audit parameters (cache and queue
sizes, event to class mappings, and policy options).
PRIV_SYS_CONFIG
Allow a process to perform various system configuration
tasks. Allow filesystem-specific administrative procedures, such as filesystem
configuration ioctls, quota calls, creation and deletion of snapshots, and
manipulating the PCFS bootsector.
PRIV_SYS_DEVICES
Allow a process to create device special files. Allow a
process to successfully call a kernel module that calls the kernel
drv_priv(9F) function to check for allowed access. Allow a process to
open the real console device directly. Allow a process to open devices that
have been exclusively opened.
PRIV_SYS_DL_CONFIG
Allow a process to configure a system's datalink
interfaces.
PRIV_SYS_IP_CONFIG
Allow a process to configure a system's IP interfaces and
routes. Allow a process to configure network parameters for TCP/IP
using ndd. Allow a process access to otherwise restricted TCP/IP
information using ndd. Allow a process to configure IPsec. Allow
a process to pop anchored STREAMs modules with matching
zoneid.
PRIV_SYS_IPC_CONFIG
Allow a process to increase the size of a System V IPC
Message Queue buffer.
PRIV_SYS_IPTUN_CONFIG
Allow a process to configure IP tunnel links.
PRIV_SYS_LINKDIR
Allow a process to unlink and link directories.
PRIV_SYS_MOUNT
Allow a process to mount and unmount filesystems that
would otherwise be restricted (that is, most filesystems except
namefs). Allow a process to add and remove swap devices.
PRIV_SYS_NET_CONFIG
Allow a process to do all that PRIV_SYS_IP_CONFIG,
PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
following: use the rpcmod STREAMS module and insert/remove STREAMS
modules on locations other than the top of the module stack.
PRIV_SYS_NFS
Allow a process to provide NFS service: start NFS kernel
threads, perform NFS locking operations, bind to NFS reserved ports: ports
2049 (nfs) and port 4045 (lockd).
PRIV_SYS_PPP_CONFIG
Allow a process to create, configure, and destroy PPP
instances with pppd(1M) and control PPPoE plumbing with
sppptun(1M). This privilege is granted by default to
exclusive IP stack instance zones.
PRIV_SYS_RES_BIND
Allows a process to bind processes to processor
sets.
PRIV_SYS_RES_CONFIG
Allows all that PRIV_SYS_RES_BIND allows. Allow a process
to create and delete processor sets, assign CPUs to processor sets and
override the PSET_NOESCAPE property. Allow a process to change the
operational status of CPUs in the system using p_online(2). Allow a
process to configure filesystem quotas. Allow a process to configure resource
pools and bind processes to pools.
PRIV_SYS_RESOURCE
Allow a process to exceed the resource limits imposed on
it by setrlimit(2) and setrctl(2).
PRIV_SYS_SMB
Allow a process to provide NetBIOS or SMB services: start
SMB kernel threads or bind to NetBIOS or SMB reserved ports: ports 137, 138,
139 (NetBIOS) and 445 (SMB).
PRIV_SYS_SUSER_COMPAT
Allow a process to successfully call a third party
loadable module that calls the kernel suser() function to check for
allowed access. This privilege exists only for third party loadable module
compatibility and is not used by illumos.
PRIV_SYS_TIME
Allow a process to manipulate system time using any of
the appropriate system calls: stime(2), adjtime(2), and
ntp_adjtime(2).
PRIV_SYS_TRANS_LABEL
Allow a process to translate labels that are not
dominated by the process's sensitivity label to and from an external string
form.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_VIRT_MANAGE
Allows a process to manage virtualized environments such
as xVM(5).
PRIV_WIN_COLORMAP
Allow a process to override colormap restrictions.
Allow a process to install or remove colormaps.
Allow a process to retrieve colormap cell entries allocated by
other processes.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_CONFIG
Allow a process to configure or destroy resources that
are permanently retained by the X server.
Allow a process to use SetScreenSaver to set the screen saver
timeout value
Allow a process to use ChangeHosts to modify the display access
control list.
Allow a process to use GrabServer.
Allow a process to use the SetCloseDownMode request that can
retain window, pixmap, colormap, property, cursor, font, or graphic context
resources.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_DAC_READ
Allow a process to read from a window resource that it
does not own (has a different user ID).
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_DAC_WRITE
Allow a process to write to or create a window resource
that it does not own (has a different user ID). A newly created window
property is created with the window's user ID.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_DEVICES
Allow a process to perform operations on window input
devices.
Allow a process to get and set keyboard and pointer controls.
Allow a process to modify pointer button and key mappings.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_DGA
Allow a process to use the direct graphics access (DGA) X
protocol extensions. Direct process access to the frame buffer is still
required. Thus the process must have MAC and DAC privileges that allow access
to the frame buffer, or the frame buffer must be allocated to the process.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_DOWNGRADE_SL
Allow a process to set the sensitivity label of a window
resource to a sensitivity label that does not dominate the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_FONTPATH
Allow a process to set a font path.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_MAC_READ
Allow a process to read from a window resource whose
sensitivity label is not equal to the process sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_MAC_WRITE
Allow a process to create a window resource whose
sensitivity label is not equal to the process sensitivity label. A newly
created window property is created with the window's sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_SELECTION
Allow a process to request inter-window data moves
without the intervention of the selection confirmer.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_WIN_UPGRADE_SL
Allow a process to set the sensitivity label of a window
resource to a sensitivity label that dominates the existing sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
PRIV_XVM_CONTROL
Allows a process access to the xVM(5) control
devices for managing guest domains and the hypervisor. This privilege is used
only if booted into xVM on x86 platforms.
Of the privileges listed above, the privileges
PRIV_FILE_LINK_ANY, PRIV_PROC_INFO, PRIV_PROC_SESSION,
PRIV_PROC_FORK, PRIV_FILE_READ, PRIV_FILE_WRITE,
PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
"basic" privileges. These are privileges that used to be always
available to unprivileged processes. By default, processes still have the
basic privileges.
The privileges PRIV_PROC_SETID, PRIV_PROC_AUDIT and PRIV_SYS_RESOURCE
(the "unsafe" privileges, see below) must be present in the Limit set (see
below) of a process in order for set-uid root execs to be successful, that
is, for the new image to obtain an effective UID of 0 and the additional
privileges that come with it.
The privilege implementation in illumos extends the process
credential with four privilege sets:
I, the inheritable set
The privileges inherited on exec.
P, the permitted set
The maximum set of privileges for the process.
E, the effective set
The privileges currently in effect.
L, the limit set
The upper bound of the privileges a process and its
offspring can obtain. Changes to L take effect on the next exec.
The sets I, P and E are typically identical to the basic set of
privileges for unprivileged processes. The limit set is typically the full
set of privileges.
Each process has a Privilege Awareness State (PAS) that can take
the value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
mechanism that allows a choice between full compatibility with the old
superuser model and completely ignoring the effective UID.
To facilitate the discussion, we introduce the notion of
"observed effective set" (oE) and "observed permitted
set" (oP) and the implementation sets iE and iP.
A process becomes privilege-aware either by manipulating the
effective, permitted, or limit privilege sets through setppriv(2) or
by using setpflags(2). In all cases, oE and oP are invariant in the
process of becoming privilege-aware. In the process of becoming
privilege-aware, the following assignments take place:
iE = oE
iP = oP
When a process is privilege-aware, oE and oP are invariant under
UID changes. When a process is not privilege-aware, oE and oP are observed
as follows:
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
When a non-privilege-aware process has an effective UID of 0, it
can exercise the privileges contained in its limit set, the upper bound of
its privileges. If a non-privilege-aware process has any of the UIDs 0, it
appears to be capable of potentially exercising all privileges in L.
It is possible for a process to return to the non-privilege aware
state using setpflags(). The kernel always attempts this on
exec(2). This operation is permitted only if the following conditions
are met:
- If any of the UIDs is equal to 0, P must be equal to L.
- If the effective UID is equal to 0, E must be equal to L.
When a process gives up privilege awareness, the following
assignments take place:
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
The privileges obtained when not having a UID of 0 are the
inheritable set of the process restricted by the limit set.
Only privileges in the process's (observed) effective privilege
set allow the process to perform restricted operations. A process can use
any of the privilege manipulation functions to add or remove privileges from
the privilege sets. Privileges can always be removed. Only privileges found
in the permitted set can be added to the effective and inheritable sets. The
limit set cannot grow. The inheritable set can be larger than the permitted
set.
When a process performs an exec(2), the kernel first tries
to relinquish privilege awareness before making the following privilege set
modifications:
E' = P' = I' = L & I
L is unchanged
If a process has not manipulated its privileges, the privilege
sets effectively remain the same, as E, P and I are already identical.
The limit set is enforced at exec time.
To run a non-privilege-aware application in a backward-compatible
manner, a privilege-aware application should start the non-privilege-aware
application with I=basic.
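The following is an added example and not code from illumos or its manual: a small C model of the rules stated above (observed sets, the privilege-awareness transitions, and the exec transition) so that the set-uid root and "I=basic" cases can be stepped through. The bit assignments, the struct cred layout and the scenario functions are invented for illustration and do not reflect the kernel's representation; the only thing taken from the page is the rules themselves, including that the set-uid bit of a root image is honored only while all three unsafe privileges (proc_setid, sys_resource, proc_audit) remain in L.

```c
/*
 * Added example, not illumos code: a toy model of the privilege-set rules
 * above (observed sets, privilege awareness, exec transition).  Bit
 * positions, the cred layout and the scenarios are invented for
 * illustration; only the rules applied come from the manual text.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;

/* Assumed bit assignments for a subset of the privileges listed above. */
enum {
	P_FILE_LINK_ANY = 1u << 0,  P_PROC_INFO    = 1u << 1,
	P_PROC_SESSION  = 1u << 2,  P_PROC_FORK    = 1u << 3,
	P_FILE_READ     = 1u << 4,  P_FILE_WRITE   = 1u << 5,
	P_NET_ACCESS    = 1u << 6,  P_PROC_EXEC    = 1u << 7,
	P_PROC_SETID    = 1u << 8,  P_SYS_RESOURCE = 1u << 9,
	P_PROC_AUDIT    = 1u << 10, P_SYS_MOUNT    = 1u << 11,
	P_NBITS         = 12
};
#define PRIV_ALL    ((privset_t)((1u << P_NBITS) - 1))
#define PRIV_BASIC  (P_FILE_LINK_ANY | P_PROC_INFO | P_PROC_SESSION | \
                     P_PROC_FORK | P_FILE_READ | P_FILE_WRITE | \
                     P_NET_ACCESS | P_PROC_EXEC)
/* The "unsafe" privileges: a set-uid root image is honoured only if L holds all three. */
#define PRIV_UNSAFE (P_PROC_SETID | P_SYS_RESOURCE | P_PROC_AUDIT)

struct cred {
	unsigned ruid, euid, suid;
	bool aware;               /* Privilege Awareness State: PA or NPA */
	privset_t iE, iP, I, L;   /* implementation E and P; I and L are never virtualised */
};

static bool any_uid0(const struct cred *c)
{
	return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}

/* NPA: oE = euid == 0 ? L : iE  (PA: the implementation set itself) */
privset_t observed_E(const struct cred *c)
{
	return (!c->aware && c->euid == 0) ? c->L : c->iE;
}

/* NPA: oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP */
privset_t observed_P(const struct cred *c)
{
	return (!c->aware && any_uid0(c)) ? c->L : c->iP;
}

/* Becoming aware freezes the observed sets: iE = oE, iP = oP. */
void become_aware(struct cred *c)
{
	if (c->aware) return;
	c->iE = observed_E(c);
	c->iP = observed_P(c);
	c->aware = true;
}

/* Allowed only if (any uid 0 => P == L) and (euid 0 => E == L); then iE/iP become L & I. */
bool drop_awareness(struct cred *c)
{
	if (!c->aware) return true;
	if ((any_uid0(c) && c->iP != c->L) || (c->euid == 0 && c->iE != c->L)) return false;
	if (c->euid == 0) c->iE = c->L & c->I;
	if (any_uid0(c))  c->iP = c->L & c->I;
	c->aware = false;
	return true;
}

/* exec(2): needs proc_exec in oE; the kernel tries to drop awareness, honours a
 * set-uid root image only if L holds all unsafe privileges, then sets
 * E' = P' = I' = L & I with L unchanged. */
bool do_exec(struct cred *c, bool image_is_setuid_root)
{
	if (!(observed_E(c) & P_PROC_EXEC)) return false;
	(void)drop_awareness(c);
	if (image_is_setuid_root && (c->L & PRIV_UNSAFE) == PRIV_UNSAFE)
		c->euid = c->suid = 0;
	c->I &= c->L;
	c->iE = c->iP = c->I;
	return true;
}

privset_t oE_of(struct cred c) { return observed_E(&c); }

/* An ordinary user process: NPA, E = P = I = basic, with the given limit set. */
struct cred user_proc(privset_t limit)
{
	struct cred c = { 1000, 1000, 1000, false, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, limit };
	return c;
}

/* Plain exec keeps E = P = I = basic: euid 1000, oE == PRIV_BASIC. */
struct cred scenario_plain_exec(void)
{
	struct cred c = user_proc(PRIV_ALL);
	do_exec(&c, false);
	return c;
}

/* set-uid root image with a full limit set: euid 0 and oE == L == PRIV_ALL. */
struct cred scenario_setuid_root(void)
{
	struct cred c = user_proc(PRIV_ALL);
	do_exec(&c, true);
	return c;
}

/* Same image after "ppriv -s L-proc_setid": set-uid ignored, euid 1000, oE == PRIV_BASIC. */
struct cred scenario_setuid_root_locked(void)
{
	struct cred c = user_proc(PRIV_ALL & ~P_PROC_SETID);
	do_exec(&c, true);
	return c;
}

/* A root process that became aware and shed sys_mount from E cannot return to
 * NPA, because euid 0 would again require E == L: returns false. */
bool scenario_root_cannot_unaware(void)
{
	struct cred c = { 0, 0, 0, false, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL };
	become_aware(&c);               /* iE = iP = oE = L */
	c.iE &= ~P_SYS_MOUNT;           /* like setppriv(PRIV_OFF, PRIV_EFFECTIVE, {sys_mount}) */
	return drop_awareness(&c);
}

int main(void)
{
	struct cred a = scenario_setuid_root(), b = scenario_setuid_root_locked();
	printf("full L:       euid %u oE %#x\n", a.euid, (unsigned)oE_of(a));
	printf("L-proc_setid: euid %u oE %#x\n", b.euid, (unsigned)oE_of(b));
	return 0;
}
```

The third scenario is the practical point of the unsafe-privilege rule: removing proc_setid from a shell's limit set with ppriv(1) is enough to make every set-uid root binary that shell execs run with the caller's own UID and basic privileges, which is why the unsafe set is checked against L rather than E.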
For most privileges, absence of the privilege simply results in a
failure. In some instances, the absence of a privilege can cause system
calls to behave differently. In other instances, the removal of a privilege
can force a set-uid application to seriously malfunction. Privileges of this
type are considered "unsafe". When a process is lacking any of the
unsafe privileges from its limit set, the system does not honor the set-uid
bit of set-uid root applications. The following unsafe privileges have been
identified: proc_setid, sys_resource and
proc_audit.
In certain circumstances, a single privilege could lead to a process gaining one
or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
Common examples of escalation are those mechanisms that allow
modification of system resources through "raw" interfaces; for
example, changing kernel data structures through /dev/kmem or
changing files through /dev/dsk/*. Escalation also occurs when a
process controls processes with more privileges than the controlling
process. A special case of this is manipulating or creating objects owned by
UID 0 or trying to obtain UID 0 using setuid(2). The special
treatment of UID 0 is needed because the UID 0 owns all system configuration
files and ordinary file protection mechanisms allow processes with UID 0 to
modify the system configuration. With appropriate file modifications, a
given process running with an effective UID of 0 can gain all
privileges.
In situations where a process might obtain UID 0, the security
policy requires additional privileges, up to the full set of privileges.
Such restrictions could be relaxed or removed at such time as additional
mechanisms for protection of system files became available. There are no
such mechanisms in the current release.
The use of UID 0 processes should be limited as much as possible.
They should be replaced with programs running under a different UID but with
exactly the privileges they need.
Daemons that never need to exec subprocesses should remove
the PRIV_PROC_EXEC privilege from their permitted and limit sets.
When privileges are assigned to a user, the system administrator could give that
user more powers than intended. The administrator should consider whether
safeguards are needed. For example, if the PRIV_PROC_LOCK_MEMORY
privilege is given to a user, the administrator should consider setting the
project.max-locked-memory resource control as well, to prevent that
user from locking all memory.
When a system call fails with a permission error, it is not always immediately
obvious what caused the problem. To debug such a problem, you can use a tool
called privilege debugging. When privilege debugging is enabled for a
process, the kernel reports missing privileges on the controlling terminal of
the process. (Enable debugging for a process with the -D option of
ppriv(1).) Additionally, the administrator can enable system-wide
privilege debugging by setting the system(4) variable priv_debug
using:
set priv_debug = 1
On a running system, you can use mdb(1) to change this
variable.
Use usermod(1M) or rolemod(1M) to assign privileges to or modify
privileges for, respectively, a user or a role. Use ppriv(1) to
enumerate the privileges supported on a system and truss(1) to
determine which privileges a program requires.