PRIVILEGES(5)         Standards, Environments, and Macros         PRIVILEGES(5)

NAME
     privileges - process privilege model

DESCRIPTION
     Solaris software implements a set of privileges that provide
     fine-grained control over the actions of processes. The possession of a
     certain privilege allows a process to perform a specific set of
     restricted operations.

     The change to a primarily privilege-based security model in the Solaris
     operating system gives developers an opportunity to restrict processes
     to those privileged operations actually needed instead of all
     (super-user) or no privileges (non-zero UIDs). Additionally, a set of
     previously unrestricted operations now requires a privilege; these
     privileges are dubbed the "basic" privileges and are by default given
     to all processes.

     Taken together, all defined privileges with the exception of the
     "basic" privileges compose the set of privileges that are traditionally
     associated with the root user. The "basic" privileges are "privileges"
     unprivileged processes were accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery of events to an event
         endpoint.

     [...]
     PRIV_PROC_TASKID

         Allow a process to assign a new task ID to the calling process.

     PRIV_PROC_ZONE

         Allow a process to trace or send signals to processes in other
         zones. See zones(5).

     PRIV_SYS_ACCT

         Allow a process to enable, disable, and manage accounting through
         acct(2).

     PRIV_SYS_ADMIN

         Allow a process to perform system administration tasks such as
         setting the node and domain name and specifying coreadm(1M) and
         nscd(1M) settings.

     PRIV_SYS_AUDIT

         Allow a process to start the (kernel) audit daemon. Allow a process
         to view and set audit state (audit user ID, audit terminal ID,
         audit session ID, audit pre-selection mask). Allow a process to
         turn auditing off and on. Allow a process to configure the audit
         parameters (cache and queue sizes, event to class mappings, and
         policy options).

     PRIV_SYS_CONFIG

         Allow a process to perform various system configuration tasks.
         Allow filesystem-specific administrative procedures, such as
         filesystem configuration ioctls, quota calls, creation and deletion
         of snapshots, and manipulating the PCFS bootsector.

     [...]
     PRIV_SYS_RESOURCE

         Allow a process to exceed the resource limits imposed on it by
         setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB

         Allow a process to provide NetBIOS or SMB services: start SMB
         kernel threads or bind to the NetBIOS or SMB reserved ports, that
         is, ports 137, 138, and 139 (NetBIOS) and 445 (SMB).

     PRIV_SYS_SUSER_COMPAT

         Allow a process to successfully call a third-party loadable module
         that calls the kernel suser() function to check for allowed access.
         This privilege exists only for third-party loadable module
         compatibility and is not used by Solaris proper.

     PRIV_SYS_TIME

         Allow a process to manipulate system time using any of the
         appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL

         Allow a process to translate labels that are not dominated by the
         process's sensitivity label to and from an external string form.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_VIRT_MANAGE

         Allow a process to manage virtualized environments such as xVM(5).

     [...]

         Allow a process access to the xVM(5) control devices for managing
         guest domains and the hypervisor. This privilege is used only if
         booted into xVM on x86 platforms.

     Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
     PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
     PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
     "basic" privileges. These are privileges that used to be always
     available to unprivileged processes. By default, processes still have
     the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
     the Limit set (see below) of a process in order for set-uid root execs
     to be successful, that is, to get an effective UID of 0 and additional
     privileges.

     The privilege implementation in Solaris extends the process credential
     with four privilege sets:

     I, the inheritable set
         The privileges inherited on exec.

     P, the permitted set
         The maximum set of privileges for the process.

     E, the effective set
         The privileges currently in effect.

     L, the limit set
         The upper bound of the privileges a process and its offspring can
         obtain. Changes to L take effect on the next exec.

     [...]
     For most privileges, absence of the privilege simply results in a
     failure. In some instances, the absence of a privilege can cause system
     calls to behave differently. In other instances, the removal of a
     privilege can force a set-uid application to seriously malfunction.
     Privileges of this type are considered "unsafe". When a process is
     lacking any of the unsafe privileges from its limit set, the system
     does not honor the set-uid bit of set-uid root applications. The
     following unsafe privileges have been identified: proc_setid,
     sys_resource and proc_audit.

  Privilege Escalation
     In certain circumstances, a single privilege could lead to a process
     gaining one or more additional privileges that were not explicitly
     granted to that process. To prevent such an escalation of privileges,
     the security policy requires explicit permission for those additional
     privileges.

     Common examples of escalation are those mechanisms that allow
     modification of system resources through "raw" interfaces; for
     example, changing kernel data structures through /dev/kmem or changing
     files through /dev/dsk/*. Escalation also occurs when a process
     controls processes with more privileges than the controlling process. A
     special case of this is manipulating or creating objects owned by UID 0
     or trying to obtain UID 0 using setuid(2). The special treatment of UID
     0 is needed because UID 0 owns all system configuration files and
     ordinary file protection mechanisms allow processes with UID 0 to
     modify the system configuration. With appropriate file modifications, a
     given process running with an effective UID of 0 can gain all
     privileges.

     In situations where a process might obtain UID 0, the security policy
     requires additional privileges, up to the full set of privileges. Such
     restrictions could be relaxed or removed at such time as additional
     mechanisms for protection of system files become available. There are
     no such mechanisms in the current Solaris release.

     The use of UID 0 processes should be limited as much as possible. They
     should be replaced with programs running under a different UID but with
     exactly the privileges they need.

     Daemons that never need to exec subprocesses should remove the
     PRIV_PROC_EXEC privilege from their permitted and limit sets.

  Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system administrator could
     give that user more powers than intended. The administrator should
     consider whether safeguards are needed. For example, if the
     PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
     should consider setting the project.max-locked-memory resource control
     as well, to prevent that user from locking all memory.

  Privilege Debugging
     When a system call fails with a permission error, it is not always

     [...]

     ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
     processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
     resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
     seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
     setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
     setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
     statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
     umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
     door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
     priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
     socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
     exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
     drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
     priv_policy_choice(9F), priv_policy_only(9F)

     System Administration Guide: Security Services


February 28, 2018                                               PRIVILEGES(5)


PRIVILEGES(5)         Standards, Environments, and Macros         PRIVILEGES(5)

NAME
     privileges - process privilege model

DESCRIPTION
     illumos implements a set of privileges that provide fine-grained
     control over the actions of processes. The possession of a certain
     privilege allows a process to perform a specific set of restricted
     operations.

     The change to a primarily privilege-based security model in the
     operating system gives developers an opportunity to restrict processes
     to those privileged operations actually needed instead of all
     (super-user) or no privileges (non-zero UIDs). Additionally, a set of
     previously unrestricted operations now requires a privilege; these
     privileges are dubbed the "basic" privileges and are by default given
     to all processes.

     Taken together, all defined privileges with the exception of the
     "basic" privileges compose the set of privileges that are traditionally
     associated with the root user. The "basic" privileges are "privileges"
     unprivileged processes were accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery of events to an event
         endpoint.

     [...]
     PRIV_PROC_TASKID

         Allow a process to assign a new task ID to the calling process.

     PRIV_PROC_ZONE

         Allow a process to trace or send signals to processes in other
         zones. See zones(5).

     PRIV_SYS_ACCT

         Allow a process to enable, disable, and manage accounting through
         acct(2).

     PRIV_SYS_ADMIN

         Allow a process to perform system administration tasks such as
         setting the node and domain name and managing fmd(1M) and nscd(1M).

     PRIV_SYS_AUDIT

         Allow a process to start the (kernel) audit daemon. Allow a process
         to view and set audit state (audit user ID, audit terminal ID,
         audit session ID, audit pre-selection mask). Allow a process to
         turn auditing off and on. Allow a process to configure the audit
         parameters (cache and queue sizes, event to class mappings, and
         policy options).

     PRIV_SYS_CONFIG

         Allow a process to perform various system configuration tasks.
         Allow filesystem-specific administrative procedures, such as
         filesystem configuration ioctls, quota calls, creation and deletion
         of snapshots, and manipulating the PCFS bootsector.

     [...]
     PRIV_SYS_RESOURCE

         Allow a process to exceed the resource limits imposed on it by
         setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB

         Allow a process to provide NetBIOS or SMB services: start SMB
         kernel threads or bind to the NetBIOS or SMB reserved ports, that
         is, ports 137, 138, and 139 (NetBIOS) and 445 (SMB).

     PRIV_SYS_SUSER_COMPAT

         Allow a process to successfully call a third-party loadable module
         that calls the kernel suser() function to check for allowed access.
         This privilege exists only for third-party loadable module
         compatibility and is not used by illumos.

     PRIV_SYS_TIME

         Allow a process to manipulate system time using any of the
         appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL

         Allow a process to translate labels that are not dominated by the
         process's sensitivity label to and from an external string form.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_VIRT_MANAGE

         Allow a process to manage virtualized environments such as xVM(5).

     [...]

         Allow a process access to the xVM(5) control devices for managing
         guest domains and the hypervisor. This privilege is used only if
         booted into xVM on x86 platforms.

     Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
     PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
     PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
     "basic" privileges. These are privileges that used to be always
     available to unprivileged processes. By default, processes still have
     the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
     the Limit set (see below) of a process in order for set-uid root execs
     to be successful, that is, to get an effective UID of 0 and additional
     privileges.

     The privilege implementation in illumos extends the process credential
     with four privilege sets:

     I, the inheritable set
         The privileges inherited on exec.

     P, the permitted set
         The maximum set of privileges for the process.

     E, the effective set
         The privileges currently in effect.

     L, the limit set
         The upper bound of the privileges a process and its offspring can
         obtain. Changes to L take effect on the next exec.

     [...]
     For most privileges, absence of the privilege simply results in a
     failure. In some instances, the absence of a privilege can cause system
     calls to behave differently. In other instances, the removal of a
     privilege can force a set-uid application to seriously malfunction.
     Privileges of this type are considered "unsafe". When a process is
     lacking any of the unsafe privileges from its limit set, the system
     does not honor the set-uid bit of set-uid root applications. The
     following unsafe privileges have been identified: proc_setid,
     sys_resource and proc_audit.

  Privilege Escalation
     In certain circumstances, a single privilege could lead to a process
     gaining one or more additional privileges that were not explicitly
     granted to that process. To prevent such an escalation of privileges,
     the security policy requires explicit permission for those additional
     privileges.

     Common examples of escalation are those mechanisms that allow
     modification of system resources through "raw" interfaces; for example,
     changing kernel data structures through /dev/kmem or changing files
     through /dev/dsk/*. Escalation also occurs when a process controls
     processes with more privileges than the controlling process. A special
     case of this is manipulating or creating objects owned by UID 0 or
     trying to obtain UID 0 using setuid(2). The special treatment of UID 0
     is needed because UID 0 owns all system configuration files and
     ordinary file protection mechanisms allow processes with UID 0 to
     modify the system configuration. With appropriate file modifications, a
     given process running with an effective UID of 0 can gain all
     privileges.

     In situations where a process might obtain UID 0, the security policy
     requires additional privileges, up to the full set of privileges. Such
     restrictions could be relaxed or removed at such time as additional
     mechanisms for protection of system files become available. There are
     no such mechanisms in the current release.

     The use of UID 0 processes should be limited as much as possible. They
     should be replaced with programs running under a different UID but with
     exactly the privileges they need.

     Daemons that never need to exec subprocesses should remove the
     PRIV_PROC_EXEC privilege from their permitted and limit sets.

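     The four privilege sets, the unsafe-privilege rule for set-uid root
     programs, and the advice that daemons drop PRIV_PROC_EXEC, worked
     through in a small Python model added here (not code from the manual
     page or from illumos). It assumes the exec transition I' = I & L,
     P' = E' = I', L' = L, and that a set-uid root exec with every unsafe
     privilege still in L yields UID 0 with P' = E' = L; privilege names use
     the lower-case spelling printed by ppriv(1), and ALL is a constructed
     short stand-in for the full list.

```python
"""Model of the I, P, E and L privilege sets across exec(2).

Constructed example, not code from the manual page or from illumos.
Assumed rules: I' = I & L, P' = E' = I', L' = L; a set-uid root program is
honoured only when every unsafe privilege is in L, giving uid 0 and
P' = E' = L.  Names use the lower-case spelling printed by ppriv(1).
"""
from dataclasses import dataclass, replace

BASIC = frozenset({"file_link_any", "proc_info", "proc_session", "proc_fork",
                   "file_read", "file_write", "net_access", "proc_exec"})
# If any of these is missing from L the set-uid bit of a root program is ignored.
UNSAFE = frozenset({"proc_setid", "sys_resource", "proc_audit"})
ALL = BASIC | UNSAFE | {"sys_admin", "sys_config", "sys_time"}  # constructed stand-in


@dataclass(frozen=True)
class Cred:
    uid: int
    I: frozenset  # inheritable: carried across exec
    P: frozenset  # permitted: ceiling for E
    E: frozenset  # effective: privileges usable right now
    L: frozenset  # limit: ceiling for this process and all its offspring


def default_cred(uid: int) -> Cred:
    """An ordinary login process: basic privileges in I, P and E; all in L."""
    return Cred(uid, BASIC, BASIC, BASIC, ALL)


def drop(c: Cred, privs, sets=("P", "E", "L")) -> Cred:
    """setppriv(PRIV_OFF, ...) analogue; E is a subset of P, so removing a
    privilege from P removes it from E as well."""
    privs = frozenset(privs)
    new = {s: getattr(c, s) - privs for s in sets}
    if "P" in sets:
        new["E"] = c.E - privs
    return replace(c, **new)


def exec_program(c: Cred, setuid_root: bool = False) -> Cred:
    """Credential after exec(2).  L never grows and caps everything else."""
    inherit = c.I & c.L
    if setuid_root and UNSAFE <= c.L:
        return Cred(0, inherit, c.L, c.L, c.L)   # set-uid bit honoured
    return Cred(c.uid, inherit, inherit, inherit, c.L)   # bit ignored or absent


def daemon_without_exec(c: Cred) -> Cred:
    """A daemon that never execs drops proc_exec from P and L, so neither it
    nor any child can regain the privilege."""
    return drop(c, {"proc_exec"}, sets=("P", "L"))


if __name__ == "__main__":
    login = default_cred(1000)
    print(exec_program(login, setuid_root=True).uid)                   # 0
    print(exec_program(drop(login, {"proc_setid"}, sets=("L",)),
                       setuid_root=True).uid)                          # 1000
    print("proc_exec" in exec_program(daemon_without_exec(login)).P)  # False
```

     Removing proc_setid from L alone is enough to turn a set-uid root
     binary into an ordinary exec, which is the safeguard the unsafe-privilege
     rule describes.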
  Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system administrator could
     give that user more powers than intended. The administrator should
     consider whether safeguards are needed. For example, if the
     PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
     should consider setting the project.max-locked-memory resource control
     as well, to prevent that user from locking all memory.

  Privilege Debugging
     When a system call fails with a permission error, it is not always

     [...]

     ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
     processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
     resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
     seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
     setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
     setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
     statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
     umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
     door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
     priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
     socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
     exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
     drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
     priv_policy_choice(9F), priv_policy_only(9F)

     System Administration Guide: Security Services


August 26, 2019                                                 PRIVILEGES(5)