PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)

NAME
privileges - process privilege model

DESCRIPTION
In illumos, software implements a set of privileges that provide
fine-grained control over the actions of processes. The possession of a
certain privilege allows a process to perform a specific set of
restricted operations.

The change to a primarily privilege-based security model in the
operating system gives developers an opportunity to restrict processes
to those privileged operations actually needed instead of all
(super-user) or no privileges (non-zero UIDs). Additionally, a set of
previously unrestricted operations now requires a privilege; these
privileges are dubbed the "basic" privileges and are by default given
to all processes.

Taken together, all defined privileges with the exception of the
"basic" privileges compose the set of privileges that are traditionally
associated with the root user. The "basic" privileges are "privileges"
unprivileged processes were accustomed to having.

The defined privileges are:

PRIV_CONTRACT_EVENT

Allow a process to request reliable delivery of events to an event
endpoint.

Allow a process to include events in the critical event set term of
a template which could be generated in volume by the user.

PRIV_CONTRACT_IDENTITY

Allow a process to set the service FMRI value of a process
contract template.

PRIV_CONTRACT_OBSERVER

Allow a process to observe contract events generated by contracts
created and owned by users other than the process's effective user
ID.

Allow a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's
effective user ID.

PRIV_CPC_CPU

Allow a process to access per-CPU hardware performance counters.

PRIV_DTRACE_KERNEL

Allow DTrace kernel-level tracing.

PRIV_DTRACE_PROC

Allow DTrace process-level tracing. Allow process-level tracing
probes to be placed and enabled in processes to which the user has
permissions.

PRIV_DTRACE_USER

Allow DTrace user-level tracing. Allow use of the syscall and
profile DTrace providers to examine processes to which the user has
permissions.

PRIV_FILE_CHOWN

Allow a process to change a file's owner user ID. Allow a process
to change a file's group ID to one other than the process's
effective group ID or one of the process's supplemental group IDs.

PRIV_FILE_CHOWN_SELF

Allow a process to give away its files. A process with this
privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

PRIV_FILE_DAC_EXECUTE

Allow a process to execute an executable file whose permission bits
or ACL would otherwise disallow the process execute permission.

PRIV_FILE_DAC_READ

Allow a process to read a file or directory whose permission bits
or ACL would otherwise disallow the process read permission.

PRIV_FILE_DAC_SEARCH

Allow a process to search a directory whose permission bits or ACL
would not otherwise allow the process search permission.

PRIV_FILE_DAC_WRITE

Allow a process to write a file or directory whose permission bits
or ACL do not allow the process write permission. All privileges
are required to write files owned by UID 0 in the absence of an
effective UID of 0.

PRIV_FILE_DOWNGRADE_SL

Allow a process to set the sensitivity label of a file or directory
to a sensitivity label that does not dominate the existing
sensitivity label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_FILE_FLAG_SET

Allow a process to set the immutable, nounlink or appendonly file
attributes.

PRIV_FILE_LINK_ANY

Allow a process to create hardlinks to files owned by a UID
different from the process's effective UID.

PRIV_FILE_OWNER

Allow a process that is not the owner of a file to modify that
file's access and modification times. Allow a process that is not
the owner of a directory to modify that directory's access and
modification times. Allow a process that is not the owner of a file
or directory to remove or rename a file or directory whose parent
directory has the "save text image after execution" (sticky) bit
set. Allow a process that is not the owner of a file to mount a
namefs upon that file. Allow a process that is not the owner of a
file or directory to modify that file's or directory's permission
bits or ACL.

PRIV_FILE_READ

Allow a process to open objects in the filesystem for reading. This
privilege is not necessary to read from an already open file which
was opened before dropping the PRIV_FILE_READ privilege.

PRIV_FILE_SETID

Allow a process to change the ownership of a file or write to a
file without the set-user-ID and set-group-ID bits being cleared.
Allow a process to set the set-group-ID bit on a file or directory
whose group is not the process's effective group or one of the
process's supplemental groups. Allow a process to set the
set-user-ID bit on a file with different ownership in the presence
of PRIV_FILE_OWNER. Additional restrictions apply when creating or
modifying a setuid 0 file.

PRIV_FILE_UPGRADE_SL

Allow a process to set the sensitivity label of a file or directory
to a sensitivity label that dominates the existing sensitivity
label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_FILE_WRITE

Allow a process to open objects in the filesystem for writing, or
otherwise modify them. This privilege is not necessary to write to
an already open file which was opened before dropping the
PRIV_FILE_WRITE privilege.

PRIV_GRAPHICS_ACCESS

Allow a process to make privileged ioctls to graphics devices.
Typically only an xserver process needs to have this privilege. A
process with this privilege is also allowed to perform privileged
graphics device mappings.

PRIV_GRAPHICS_MAP

Allow a process to perform privileged mappings through a graphics
device.

PRIV_IPC_DAC_READ

Allow a process to read a System V IPC Message Queue, Semaphore
Set, or Shared Memory Segment whose permission bits would not
otherwise allow the process read permission.

PRIV_IPC_DAC_WRITE

Allow a process to write a System V IPC Message Queue, Semaphore
Set, or Shared Memory Segment whose permission bits would not
otherwise allow the process write permission.

PRIV_IPC_OWNER

Allow a process that is not the owner of a System V IPC Message
Queue, Semaphore Set, or Shared Memory Segment to remove, change
ownership of, or change permission bits of the Message Queue,
Semaphore Set, or Shared Memory Segment.

PRIV_NET_ACCESS

Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
This privilege is not necessary to communicate using an existing
endpoint already opened before dropping the PRIV_NET_ACCESS
privilege.

PRIV_NET_BINDMLP

Allow a process to bind to a port that is configured as a
multi-level port (MLP) for the process's zone. This privilege
applies to both shared address and zone-specific address MLPs. See
tnzonecfg(4) from the Trusted Extensions manual pages for
information on configuring MLP ports.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_NET_ICMPACCESS

Allow a process to send and receive ICMP packets.

PRIV_NET_MAC_AWARE

Allow a process to set the NET_MAC_AWARE process flag by using
setpflags(2). This privilege also allows a process to set the
SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
allow a local process to communicate with an unlabeled peer if the
local process's label dominates the peer's default label, or if the
local process runs in the global zone.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_NET_MAC_IMPLICIT

Allow a process to set the SO_MAC_IMPLICIT option by using
setsockopt(3SOCKET). This allows a privileged process to transmit
implicitly-labeled packets to a peer.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_NET_OBSERVABILITY

Allow a process to open a device for receiving network traffic
only; sending traffic is disallowed.

PRIV_NET_PRIVADDR

Allow a process to bind to a privileged port number. The privileged
port numbers are 1-1023 (the traditional UNIX privileged ports) as
well as those ports marked as "udp/tcp_extra_priv_ports" with the
exception of the ports reserved for use by NFS and SMB.

PRIV_NET_RAWACCESS

Allow a process to have direct access to the network layer.

PRIV_PROC_AUDIT

Allow a process to generate audit records. Allow a process to get
its own audit pre-selection information.

PRIV_PROC_CHROOT

Allow a process to change its root directory.

PRIV_PROC_CLOCK_HIGHRES

Allow a process to use high resolution timers.

PRIV_PROC_EXEC

Allow a process to call exec(2).

PRIV_PROC_FORK

Allow a process to call fork(2), fork1(2), or vfork(2).

PRIV_PROC_INFO

Allow a process to examine the status of processes other than those
to which it can send signals. Processes that cannot be examined
cannot be seen in /proc and appear not to exist.

PRIV_PROC_LOCK_MEMORY

Allow a process to lock pages in physical memory.

PRIV_PROC_MEMINFO

Allow a process to access physical memory information.

PRIV_PROC_OWNER

Allow a process to send signals to other processes and inspect and
modify the process state in other processes, regardless of
ownership. When modifying another process, additional restrictions
apply: the effective privilege set of the attaching process must be
a superset of the target process's effective, permitted, and
inheritable sets; the limit set must be a superset of the target's
limit set; if the target process has any UID set to 0, all
privileges must be asserted unless the effective UID is 0. Allow a
process to bind arbitrary processes to CPUs.

PRIV_PROC_PRIOUP

Allow a process to elevate its priority above its current level.

PRIV_PROC_PRIOCNTL

Allow all that PRIV_PROC_PRIOUP allows. Allow a process to change
its scheduling class to any scheduling class, including the RT
class.

PRIV_PROC_SECFLAGS

Allow a process to manipulate the secflags of processes (subject
to, additionally, the ability to signal that process).

PRIV_PROC_SESSION

Allow a process to send signals or trace processes outside its
session.

PRIV_PROC_SETID

Allow a process to set its UIDs at will; assuming UID 0 requires
all privileges to be asserted.

PRIV_PROC_TASKID

Allow a process to assign a new task ID to the calling process.

PRIV_PROC_ZONE

Allow a process to trace or send signals to processes in other
zones. See zones(5).

PRIV_SYS_ACCT

Allow a process to enable, disable and manage accounting through
acct(2).

PRIV_SYS_ADMIN

Allow a process to perform system administration tasks such as
setting node and domain name and managing fmd(1M) and nscd(1M).

PRIV_SYS_AUDIT

Allow a process to start the (kernel) audit daemon. Allow a process
to view and set audit state (audit user ID, audit terminal ID,
audit session ID, audit pre-selection mask). Allow a process to
turn off and on auditing. Allow a process to configure the audit
parameters (cache and queue sizes, event to class mappings, and
policy options).

PRIV_SYS_CONFIG

Allow a process to perform various system configuration tasks.
Allow filesystem-specific administrative procedures, such as
filesystem configuration ioctls, quota calls, creation and deletion
of snapshots, and manipulating the PCFS bootsector.

PRIV_SYS_DEVICES

Allow a process to create device special files. Allow a process to
successfully call a kernel module that calls the kernel
drv_priv(9F) function to check for allowed access. Allow a process
to open the real console device directly. Allow a process to open
devices that have been exclusively opened.

PRIV_SYS_DL_CONFIG

Allow a process to configure a system's datalink interfaces.

PRIV_SYS_IP_CONFIG

Allow a process to configure a system's IP interfaces and routes.
Allow a process to configure network parameters for TCP/IP using
ndd. Allow a process access to otherwise restricted TCP/IP
information using ndd. Allow a process to configure IPsec. Allow a
process to pop anchored STREAMS modules with matching zoneid.

PRIV_SYS_IPC_CONFIG

Allow a process to increase the size of a System V IPC Message
Queue buffer.

PRIV_SYS_IPTUN_CONFIG

Allow a process to configure IP tunnel links.

PRIV_SYS_LINKDIR

Allow a process to unlink and link directories.

PRIV_SYS_MOUNT

Allow a process to mount and unmount filesystems that would
otherwise be restricted (that is, most filesystems except namefs).
Allow a process to add and remove swap devices.

PRIV_SYS_NET_CONFIG

Allow a process to do all that PRIV_SYS_IP_CONFIG,
PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
following: use the rpcmod STREAMS module and insert/remove STREAMS
modules on locations other than the top of the module stack.

PRIV_SYS_NFS

Allow a process to provide NFS service: start NFS kernel threads,
perform NFS locking operations, bind to NFS reserved ports: port
2049 (nfs) and port 4045 (lockd).

PRIV_SYS_PPP_CONFIG

Allow a process to create, configure, and destroy PPP instances
with pppd(1M) and control PPPoE plumbing with sppptun(1M). This
privilege is granted by default to exclusive IP stack instance
zones.

PRIV_SYS_RES_BIND

Allow a process to bind processes to processor sets.

PRIV_SYS_RES_CONFIG

Allow all that PRIV_SYS_RES_BIND allows. Allow a process to
create and delete processor sets, assign CPUs to processor sets and
override the PSET_NOESCAPE property. Allow a process to change the
operational status of CPUs in the system using p_online(2). Allow a
process to configure filesystem quotas. Allow a process to
configure resource pools and bind processes to pools.

PRIV_SYS_RESOURCE

Allow a process to exceed the resource limits imposed on it by
setrlimit(2) and setrctl(2).

PRIV_SYS_SMB

Allow a process to provide NetBIOS or SMB services: start SMB
kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
138, 139 (NetBIOS) and 445 (SMB).

PRIV_SYS_SUSER_COMPAT

Allow a process to successfully call a third party loadable module
that calls the kernel suser() function to check for allowed access.
This privilege exists only for third party loadable module
compatibility and is not used by illumos.

PRIV_SYS_TIME

Allow a process to manipulate system time using any of the
appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).

PRIV_SYS_TRANS_LABEL

Allow a process to translate labels that are not dominated by the
process's sensitivity label to and from an external string form.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_VIRT_MANAGE

Allow a process to manage virtualized environments such as xVM(5).

PRIV_WIN_COLORMAP

Allow a process to override colormap restrictions.

Allow a process to install or remove colormaps.

Allow a process to retrieve colormap cell entries allocated by
other processes.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_CONFIG

Allow a process to configure or destroy resources that are
permanently retained by the X server.

Allow a process to use SetScreenSaver to set the screen saver
timeout value.

Allow a process to use ChangeHosts to modify the display access
control list.

Allow a process to use GrabServer.

Allow a process to use the SetCloseDownMode request that can retain
window, pixmap, colormap, property, cursor, font, or graphic
context resources.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_DAC_READ

Allow a process to read from a window resource that it does not own
(has a different user ID).

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_DAC_WRITE

Allow a process to write to or create a window resource that it
does not own (has a different user ID). A newly created window
property is created with the window's user ID.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_DEVICES

Allow a process to perform operations on window input devices.

Allow a process to get and set keyboard and pointer controls.

Allow a process to modify pointer button and key mappings.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_DGA

Allow a process to use the direct graphics access (DGA) X protocol
extensions. Direct process access to the frame buffer is still
required. Thus the process must have MAC and DAC privileges that
allow access to the frame buffer, or the frame buffer must be
allocated to the process.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_DOWNGRADE_SL

Allow a process to set the sensitivity label of a window resource
to a sensitivity label that does not dominate the existing
sensitivity label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_FONTPATH

Allow a process to set a font path.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_MAC_READ

Allow a process to read from a window resource whose sensitivity
label is not equal to the process sensitivity label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_MAC_WRITE

Allow a process to create a window resource whose sensitivity label
is not equal to the process sensitivity label. A newly created
window property is created with the window's sensitivity label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_SELECTION

Allow a process to request inter-window data moves without the
intervention of the selection confirmer.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_WIN_UPGRADE_SL

Allow a process to set the sensitivity label of a window resource
to a sensitivity label that dominates the existing sensitivity
label.

This privilege is interpreted only if the system is configured with
Trusted Extensions.

PRIV_XVM_CONTROL

Allow a process access to the xVM(5) control devices for managing
guest domains and the hypervisor. This privilege is used only if
booted into xVM on x86 platforms.

Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
"basic" privileges. These are privileges that used to be always
available to unprivileged processes. By default, processes still have
the basic privileges.

The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
the Limit set (see below) of a process in order for set-uid root execs
to be successful, that is, to get an effective UID of 0 and additional
privileges.

The privilege implementation in illumos extends the process credential
with four privilege sets:

I, the inheritable set
    The privileges inherited on exec.

P, the permitted set
    The maximum set of privileges for the process.

E, the effective set
    The privileges currently in effect.

L, the limit set
    The upper bound of the privileges a process and its offspring can
    obtain. Changes to L take effect on the next exec.

The sets I, P and E are typically identical to the basic set of
privileges for unprivileged processes. The limit set is typically the
full set of privileges.

Each process has a Privilege Awareness State (PAS) that can take the
value PA (privilege-aware) or NPA (not privilege-aware). PAS is a
transitional mechanism that allows a choice between full compatibility
with the old superuser model and completely ignoring the effective UID.

To facilitate the discussion, we introduce the notion of "observed
effective set" (oE) and "observed permitted set" (oP) and the
implementation sets iE and iP.

A process becomes privilege-aware either by manipulating the effective,
permitted, or limit privilege sets through setppriv(2) or by using
setpflags(2). In all cases, oE and oP are invariant in the process of
becoming privilege-aware. In the process of becoming privilege-aware,
the following assignments take place:

    iE = oE
    iP = oP

When a process is privilege-aware, oE and oP are invariant under UID
changes. When a process is not privilege-aware, oE and oP are observed
as follows:

    oE = euid == 0 ? L : iE
    oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

When a non-privilege-aware process has an effective UID of 0, it can
exercise the privileges contained in its limit set, the upper bound of
its privileges. If a non-privilege-aware process has any of its UIDs
equal to 0, it appears to be capable of potentially exercising all
privileges in L.

It is possible for a process to return to the non-privilege-aware state
using setpflags(2). The kernel always attempts this on exec(2). This
operation is permitted only if the following conditions are met:

    o If any of the UIDs is equal to 0, P must be equal to L.

    o If the effective UID is equal to 0, E must be equal to L.

When a process gives up privilege awareness, the following assignments
take place:

    if (euid == 0) iE = L & I
    if (any uid == 0) iP = L & I

The privileges obtained when not having a UID of 0 are the inheritable
set of the process restricted by the limit set.

Only privileges in the process's (observed) effective privilege set
allow the process to perform restricted operations. A process can use
any of the privilege manipulation functions to add or remove privileges
from the privilege sets. Privileges can always be removed. Only
privileges found in the permitted set can be added to the effective and
inheritable set. The limit set cannot grow. The inheritable set can be
larger than the permitted set.

When a process performs an exec(2), the kernel first tries to
relinquish privilege awareness before making the following privilege
set modifications:

    E' = P' = I' = L & I
    L is unchanged

If a process has not manipulated its privileges, the privilege sets
effectively remain the same, as E, P and I are already identical.

The limit set is enforced at exec time.

To run a non-privilege-aware application in a backward-compatible
manner, a privilege-aware application should start the
non-privilege-aware application with I=basic.

For most privileges, absence of the privilege simply results in a
failure. In some instances, the absence of a privilege can cause system
calls to behave differently. In other instances, the removal of a
privilege can force a set-uid application to seriously malfunction.
Privileges of this type are considered "unsafe". When a process is
lacking any of the unsafe privileges from its limit set, the system
does not honor the set-uid bit of set-uid root applications. The
following unsafe privileges have been identified: proc_setid,
sys_resource and proc_audit.

Privilege Escalation
In certain circumstances, a single privilege could lead to a process
gaining one or more additional privileges that were not explicitly
granted to that process. To prevent such an escalation of privileges,
the security policy requires explicit permission for those additional
privileges.

Common examples of escalation are those mechanisms that allow
modification of system resources through "raw" interfaces; for example,
changing kernel data structures through /dev/kmem or changing files
through /dev/dsk/*. Escalation also occurs when a process controls
processes with more privileges than the controlling process. A special
case of this is manipulating or creating objects owned by UID 0 or
trying to obtain UID 0 using setuid(2). The special treatment of UID 0
is needed because UID 0 owns all system configuration files and
ordinary file protection mechanisms allow processes with UID 0 to
modify the system configuration. With appropriate file modifications, a
given process running with an effective UID of 0 can gain all
privileges.

In situations where a process might obtain UID 0, the security policy
requires additional privileges, up to the full set of privileges. Such
restrictions could be relaxed or removed at such time as additional
mechanisms for protection of system files become available. There are
no such mechanisms in the current release.

The use of UID 0 processes should be limited as much as possible. They
should be replaced with programs running under a different UID but with
exactly the privileges they need.

Daemons that never need to exec subprocesses should remove the
PRIV_PROC_EXEC privilege from their permitted and limit sets.
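The set rules given earlier on this page (the observed sets oE and oP of a non-privilege-aware process, the conditions for relinquishing privilege awareness, the exec-time transition E' = P' = I' = L & I, and the refusal to honor set-uid root when an unsafe privilege is missing from L) and the advice just above about daemons dropping PRIV_PROC_EXEC from P and L can be checked against a small executable model. The following Python is an added example written for this page, not illumos kernel or libc code. It assumes: privilege names are lowercase strings and the full privilege set is a constructed stand-in called ALL; a UID change is modelled as plain assignment (the proc_setid check that setuid(2) itself performs is not modelled); and E is assumed to stay within P because P is described above as the process's maximum set, so removing a privilege from P also removes it from E.

```python
"""Constructed model of the privilege-set rules in this page (example code,
not illumos code).  Privileges are strings, sets are frozensets, UIDs are ints."""
from dataclasses import dataclass, replace as dc_replace

# The eight "basic" privileges named in the page.
BASIC = frozenset({"file_link_any", "proc_info", "proc_session", "proc_fork",
                   "file_read", "file_write", "net_access", "proc_exec"})
# The "unsafe" privileges: if any is missing from L, set-uid root is not honored.
UNSAFE = frozenset({"proc_setid", "sys_resource", "proc_audit"})
# Constructed stand-in for the full privilege set (the real one is the list above).
ALL = BASIC | UNSAFE | frozenset({"sys_admin", "net_privaddr", "sys_mount"})


@dataclass(frozen=True)
class Cred:
    ruid: int
    euid: int
    suid: int
    iE: frozenset        # implementation effective set
    iP: frozenset        # implementation permitted set
    I: frozenset         # inheritable set
    L: frozenset         # limit set
    pa: bool = False     # privilege-aware (PA) or not (NPA)

    def any_uid_zero(self):
        return 0 in (self.ruid, self.euid, self.suid)

    # Observed sets for an NPA process:  oE = euid == 0 ? L : iE
    #                                    oP = any uid == 0 ? L : iP
    @property
    def oE(self):
        return self.iE if self.pa or self.euid != 0 else self.L

    @property
    def oP(self):
        return self.iP if self.pa or not self.any_uid_zero() else self.L


def become_privilege_aware(c):
    """iE = oE, iP = oP: the observed sets do not change."""
    return c if c.pa else dc_replace(c, iE=c.oE, iP=c.oP, pa=True)


def can_relinquish_pa(c):
    """Back to NPA only if P == L when any UID is 0, and E == L when euid is 0."""
    return not (c.any_uid_zero() and c.iP != c.L) and not (c.euid == 0 and c.iE != c.L)


def relinquish_pa(c):
    """Give up privilege awareness if allowed (the kernel tries this on every exec)."""
    if not c.pa or not can_relinquish_pa(c):
        return c
    iE = c.L & c.I if c.euid == 0 else c.iE
    iP = c.L & c.I if c.any_uid_zero() else c.iP
    return dc_replace(c, iE=iE, iP=iP, pa=False)


def priv_off(c, which, privs):
    """Removing privileges is always allowed.  Manipulating E, P or L makes the
    process privilege-aware; manipulating I does not."""
    privs = frozenset(privs)
    if which == "I":
        return dc_replace(c, I=c.I - privs)
    c = become_privilege_aware(c)
    if which == "E":
        return dc_replace(c, iE=c.iE - privs)
    if which == "P":   # assumption: P bounds E, so E shrinks with P
        return dc_replace(c, iP=c.iP - privs, iE=c.iE - privs)
    if which == "L":
        return dc_replace(c, L=c.L - privs)
    raise ValueError(which)


def priv_on(c, which, privs):
    """Only privileges in P may be added to E or I; P and L cannot grow."""
    privs = frozenset(privs)
    if which in ("P", "L"):
        raise PermissionError(f"{which} cannot grow")
    if not privs <= c.oP:
        raise PermissionError("privilege not in the permitted set")
    if which == "I":
        return dc_replace(c, I=c.I | privs)
    c = become_privilege_aware(c)
    return dc_replace(c, iE=c.iE | privs)


def set_uids(c, uid):
    """UID change as plain assignment: a PA process keeps oE/oP, an NPA one re-observes."""
    return dc_replace(c, ruid=uid, euid=uid, suid=uid)


def exec_transition(c, setuid_root=False):
    """exec(2): try to relinquish PA, then E' = P' = I' = L & I with L unchanged.
    A set-uid root image gains UID 0 only if the unsafe privileges are all in L."""
    c = relinquish_pa(c)
    uids = dict(euid=0, suid=0) if setuid_root and UNSAFE <= c.L else {}
    new = c.L & c.I
    return dc_replace(c, iE=new, iP=new, I=new, **uids)


def least_privilege_daemon(needed):
    """Worked scenario: start as root, keep only `needed` in P, L and I
    (so not even an exec can bring anything else back), then drop to UID 100."""
    c = Cred(ruid=0, euid=0, suid=0, iE=BASIC, iP=BASIC, I=BASIC, L=ALL)
    c = priv_off(c, "P", ALL - needed)   # becomes PA; iE = iP = L before shrinking
    c = priv_off(c, "L", ALL - needed)
    c = priv_off(c, "I", ALL - needed)
    return set_uids(c, 100)
```

Two things the model makes visible that the prose only states: a non-privilege-aware root process observes E = L without ever having touched its sets, so dropping the UID alone is what takes those privileges away; and trimming P is not enough for a daemon, because an exec computes the new sets from L & I, so only what is removed from L (and I) stays gone in any child image.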
868
Assigned Privileges and Safeguards
When privileges are assigned to a user, the system administrator could
give that user more powers than intended. The administrator should
consider whether safeguards are needed. For example, if the
PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
should consider setting the project.max-locked-memory resource control
as well, to prevent that user from locking all memory.

Privilege Debugging
When a system call fails with a permission error, it is not always
immediately obvious what caused the problem. To debug such a problem,
you can use a tool called privilege debugging. When privilege debugging
is enabled for a process, the kernel reports missing privileges on the
controlling terminal of the process. (Enable debugging for a process
with the -D option of ppriv(1).) Additionally, the administrator can
enable system-wide privilege debugging by setting the system(4)
variable priv_debug using:

    set priv_debug = 1

On a running system, you can use mdb(1) to change this variable.

Privilege Administration
Use usermod(1M) or rolemod(1M) to assign privileges to or modify
privileges for, respectively, a user or a role. Use ppriv(1) to
enumerate the privileges supported on a system and truss(1) to
determine which privileges a program requires.

SEE ALSO
mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
priv_policy_choice(9F), priv_policy_only(9F)

System Administration Guide: Security Services

August 26, 2019 PRIVILEGES(5)