11621 fmadm and fmstat document privileges incorrectly
--- old/usr/src/man/man5/privileges.5
+++ new/usr/src/man/man5/privileges.5
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 +.\" Copyright 2019 Peter Tribble
4 5 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 6 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 7 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 -.TH PRIVILEGES 5 "Feb 28, 2018"
8 +.TH PRIVILEGES 5 "Aug 26, 2019"
8 9 .SH NAME
9 10 privileges \- process privilege model
10 11 .SH DESCRIPTION
11 -.LP
12 -Solaris software implements a set of privileges that provide fine-grained
12 +In illumos, software implements a set of privileges that provide fine-grained
13 13 control over the actions of processes. The possession of a certain privilege
14 14 allows a process to perform a specific set of restricted operations.
15 15 .sp
16 16 .LP
17 -The change to a primarily privilege-based security model in the Solaris
17 +The change to a primarily privilege-based security model in the
18 18 operating system gives developers an opportunity to restrict processes to those
19 19 privileged operations actually needed instead of all (super-user) or no
20 20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 21 operations now requires a privilege; these privileges are dubbed the "basic"
22 22 privileges and are by default given to all processes.
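Review bot: the rewritten opening sentence of DESCRIPTION, "In illumos, software implements a set of privileges", makes "software" the subject, which is vaguer than the "Solaris software implements" it replaces; the privileges are implemented by the operating system itself, so "illumos implements a set of privileges that provide fine-grained control over the actions of processes." reads better and matches how the new text names illumos elsewhere in this page. In the following paragraph, "security model in the operating system" simply lost its "Solaris" qualifier; "in illumos" would keep it specific. Removing the .LP that directly followed .SH DESCRIPTION is harmless, since .SH already begins a new paragraph.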
23 23 .sp
24 24 .LP
25 25 Taken together, all defined privileges with the exception of the "basic"
26 26 privileges compose the set of privileges that are traditionally associated with
27 27 the root user. The "basic" privileges are "privileges" unprivileged processes
28 28 were accustomed to having.
29 29 .sp
30 30 .LP
31 31 The defined privileges are:
32 32 .sp
33 33 .ne 2
34 34 .na
35 35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 36 .ad
37 37 .sp .6
38 38 .RS 4n
39 39 Allow a process to request reliable delivery of events to an event endpoint.
40 40 .sp
41 41 Allow a process to include events in the critical event set term of a template
42 42 which could be generated in volume by the user.
43 43 .RE
44 44
45 45 .sp
46 46 .ne 2
47 47 .na
48 48 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
49 49 .ad
50 50 .sp .6
51 51 .RS 4n
52 52 Allows a process to set the service FMRI value of a process contract template.
53 53 .RE
54 54
55 55 .sp
56 56 .ne 2
57 57 .na
58 58 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
59 59 .ad
60 60 .sp .6
61 61 .RS 4n
62 62 Allow a process to observe contract events generated by contracts created and
63 63 owned by users other than the process's effective user ID.
64 64 .sp
65 65 Allow a process to open contract event endpoints belonging to contracts created
66 66 and owned by users other than the process's effective user ID.
67 67 .RE
68 68
69 69 .sp
70 70 .ne 2
71 71 .na
72 72 \fB\fBPRIV_CPC_CPU\fR\fR
73 73 .ad
74 74 .sp .6
75 75 .RS 4n
76 76 Allow a process to access per-CPU hardware performance counters.
77 77 .RE
78 78
79 79 .sp
80 80 .ne 2
81 81 .na
82 82 \fB\fBPRIV_DTRACE_KERNEL\fR\fR
83 83 .ad
84 84 .sp .6
85 85 .RS 4n
86 86 Allow DTrace kernel-level tracing.
87 87 .RE
88 88
89 89 .sp
90 90 .ne 2
91 91 .na
92 92 \fB\fBPRIV_DTRACE_PROC\fR\fR
93 93 .ad
94 94 .sp .6
95 95 .RS 4n
96 96 Allow DTrace process-level tracing. Allow process-level tracing probes to be
97 97 placed and enabled in processes to which the user has permissions.
98 98 .RE
99 99
100 100 .sp
101 101 .ne 2
102 102 .na
103 103 \fB\fBPRIV_DTRACE_USER\fR\fR
104 104 .ad
105 105 .sp .6
106 106 .RS 4n
107 107 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
108 108 providers to examine processes to which the user has permissions.
109 109 .RE
110 110
111 111 .sp
112 112 .ne 2
113 113 .na
114 114 \fB\fBPRIV_FILE_CHOWN\fR\fR
115 115 .ad
116 116 .sp .6
117 117 .RS 4n
118 118 Allow a process to change a file's owner user ID. Allow a process to change a
119 119 file's group ID to one other than the process's effective group ID or one of
120 120 the process's supplemental group IDs.
121 121 .RE
122 122
123 123 .sp
124 124 .ne 2
125 125 .na
126 126 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
127 127 .ad
128 128 .sp .6
129 129 .RS 4n
130 130 Allow a process to give away its files. A process with this privilege runs as
131 131 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
132 132 .RE
133 133
134 134 .sp
135 135 .ne 2
136 136 .na
137 137 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
138 138 .ad
139 139 .sp .6
140 140 .RS 4n
141 141 Allow a process to execute an executable file whose permission bits or ACL
142 142 would otherwise disallow the process execute permission.
143 143 .RE
144 144
145 145 .sp
146 146 .ne 2
147 147 .na
148 148 \fB\fBPRIV_FILE_DAC_READ\fR\fR
149 149 .ad
150 150 .sp .6
151 151 .RS 4n
152 152 Allow a process to read a file or directory whose permission bits or ACL would
153 153 otherwise disallow the process read permission.
154 154 .RE
155 155
156 156 .sp
157 157 .ne 2
158 158 .na
159 159 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
160 160 .ad
161 161 .sp .6
162 162 .RS 4n
163 163 Allow a process to search a directory whose permission bits or ACL would not
164 164 otherwise allow the process search permission.
165 165 .RE
166 166
167 167 .sp
168 168 .ne 2
169 169 .na
170 170 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR
171 171 .ad
172 172 .sp .6
173 173 .RS 4n
174 174 Allow a process to write a file or directory whose permission bits or ACL do
175 175 not allow the process write permission. All privileges are required to write
176 176 files owned by UID 0 in the absence of an effective UID of 0.
177 177 .RE
178 178
179 179 .sp
180 180 .ne 2
181 181 .na
182 182 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
183 183 .ad
184 184 .sp .6
185 185 .RS 4n
186 186 Allow a process to set the sensitivity label of a file or directory to a
187 187 sensitivity label that does not dominate the existing sensitivity label.
188 188 .sp
189 189 This privilege is interpreted only if the system is configured with Trusted
190 190 Extensions.
191 191 .RE
192 192
193 193 .sp
194 194 .ne 2
195 195 .na
196 196 \fB\fBPRIV_FILE_FLAG_SET\fR\fR
197 197 .ad
198 198 .sp .6
199 199 .RS 4n
200 200 Allows a process to set immutable, nounlink or appendonly file attributes.
201 201 .RE
202 202
203 203 .sp
204 204 .ne 2
205 205 .na
206 206 \fB\fBPRIV_FILE_LINK_ANY\fR\fR
207 207 .ad
208 208 .sp .6
209 209 .RS 4n
210 210 Allow a process to create hardlinks to files owned by a UID different from the
211 211 process's effective UID.
212 212 .RE
213 213
214 214 .sp
215 215 .ne 2
216 216 .na
217 217 \fB\fBPRIV_FILE_OWNER\fR\fR
218 218 .ad
219 219 .sp .6
220 220 .RS 4n
221 221 Allow a process that is not the owner of a file to modify that file's access
222 222 and modification times. Allow a process that is not the owner of a directory to
223 223 modify that directory's access and modification times. Allow a process that is
224 224 not the owner of a file or directory to remove or rename a file or directory
225 225 whose parent directory has the "save text image after execution" (sticky) bit
226 226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
227 227 upon that file. Allow a process that is not the owner of a file or directory to
228 228 modify that file's or directory's permission bits or ACL.
229 229 .RE
230 230
231 231 .sp
232 232 .ne 2
233 233 .na
234 234 \fB\fBPRIV_FILE_READ\fR\fR
235 235 .ad
236 236 .sp .6
237 237 .RS 4n
238 238 Allow a process to open objects in the filesystem for reading. This
239 239 privilege is not necessary to read from an already open file which was opened
240 240 before dropping the \fBPRIV_FILE_READ\fR privilege.
241 241 .RE
242 242
243 243 .sp
244 244 .ne 2
245 245 .na
246 246 \fB\fBPRIV_FILE_SETID\fR\fR
247 247 .ad
248 248 .sp .6
249 249 .RS 4n
250 250 Allow a process to change the ownership of a file or write to a file without
251 251 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
252 252 set-group-ID bit on a file or directory whose group is not the process's
253 253 effective group or one of the process's supplemental groups. Allow a process to
254 254 set the set-user-ID bit on a file with different ownership in the presence of
255 255 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
256 256 a setuid 0 file.
257 257 .RE
258 258
259 259 .sp
260 260 .ne 2
261 261 .na
262 262 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
263 263 .ad
264 264 .sp .6
265 265 .RS 4n
266 266 Allow a process to set the sensitivity label of a file or directory to a
267 267 sensitivity label that dominates the existing sensitivity label.
268 268 .sp
269 269 This privilege is interpreted only if the system is configured with Trusted
270 270 Extensions.
271 271 .RE
272 272
273 273 .sp
274 274 .ne 2
275 275 .na
276 276 \fB\fBPRIV_FILE_WRITE\fR\fR
277 277 .ad
278 278 .sp .6
279 279 .RS 4n
280 280 Allow a process to open objects in the filesystem for writing, or otherwise
281 281 modify them. This privilege is not necessary to write to an already open file
282 282 which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege.
283 283 .RE
284 284
285 285 .sp
286 286 .ne 2
287 287 .na
288 288 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
289 289 .ad
290 290 .sp .6
291 291 .RS 4n
292 292 Allow a process to make privileged ioctls to graphics devices. Typically only
293 293 an xserver process needs to have this privilege. A process with this privilege
294 294 is also allowed to perform privileged graphics device mappings.
295 295 .RE
296 296
297 297 .sp
298 298 .ne 2
299 299 .na
300 300 \fB\fBPRIV_GRAPHICS_MAP\fR\fR
301 301 .ad
302 302 .sp .6
303 303 .RS 4n
304 304 Allow a process to perform privileged mappings through a graphics device.
305 305 .RE
306 306
307 307 .sp
308 308 .ne 2
309 309 .na
310 310 \fB\fBPRIV_IPC_DAC_READ\fR\fR
311 311 .ad
312 312 .sp .6
313 313 .RS 4n
314 314 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
315 315 Memory Segment whose permission bits would not otherwise allow the process read
316 316 permission.
317 317 .RE
318 318
319 319 .sp
320 320 .ne 2
321 321 .na
322 322 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR
323 323 .ad
324 324 .sp .6
325 325 .RS 4n
326 326 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
327 327 Memory Segment whose permission bits would not otherwise allow the process
328 328 write permission.
329 329 .RE
330 330
331 331 .sp
332 332 .ne 2
333 333 .na
334 334 \fB\fBPRIV_IPC_OWNER\fR\fR
335 335 .ad
336 336 .sp .6
337 337 .RS 4n
338 338 Allow a process that is not the owner of a System V IPC Message Queue,
339 339 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
340 340 change permission bits of the Message Queue, Semaphore Set, or Shared Memory
341 341 Segment.
342 342 .RE
343 343
344 344 .sp
345 345 .ne 2
346 346 .na
347 347 \fB\fBPRIV_NET_ACCESS\fR\fR
348 348 .ad
349 349 .sp .6
350 350 .RS 4n
351 351 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
352 352 privilege is not necessary to communicate using an existing endpoint already
353 353 opened before dropping the \fBPRIV_NET_ACCESS\fR privilege.
354 354 .RE
355 355
356 356 .sp
357 357 .ne 2
358 358 .na
359 359 \fB\fBPRIV_NET_BINDMLP\fR\fR
360 360 .ad
361 361 .sp .6
362 362 .RS 4n
363 363 Allow a process to bind to a port that is configured as a multi-level port
364 364 (MLP) for the process's zone. This privilege applies to both shared address and
365 365 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
366 366 Extensions manual pages for information on configuring MLP ports.
367 367 .sp
368 368 This privilege is interpreted only if the system is configured with Trusted
369 369 Extensions.
370 370 .RE
371 371
372 372 .sp
373 373 .ne 2
374 374 .na
375 375 \fB\fBPRIV_NET_ICMPACCESS\fR\fR
376 376 .ad
377 377 .sp .6
378 378 .RS 4n
379 379 Allow a process to send and receive ICMP packets.
380 380 .RE
381 381
382 382 .sp
383 383 .ne 2
384 384 .na
385 385 \fB\fBPRIV_NET_MAC_AWARE\fR\fR
386 386 .ad
387 387 .sp .6
388 388 .RS 4n
389 389 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
390 390 \fBsetpflags\fR(2). This privilege also allows a process to set the
391 391 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
392 392 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
393 393 allow a local process to communicate with an unlabeled peer if the local
394 394 process's label dominates the peer's default label, or if the local process
395 395 runs in the global zone.
396 396 .sp
397 397 This privilege is interpreted only if the system is configured with Trusted
398 398 Extensions.
399 399 .RE
400 400
401 401 .sp
402 402 .ne 2
403 403 .na
404 404 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
405 405 .ad
406 406 .sp .6
407 407 .RS 4n
408 408 Allow a process to set \fBSO_MAC_IMPLICIT\fR option by using
409 409 \fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit
410 410 implicitly-labeled packets to a peer.
411 411 .sp
412 412 This privilege is interpreted only if the system is configured with
413 413 Trusted Extensions.
414 414 .RE
415 415
416 416 .sp
417 417 .ne 2
418 418 .na
419 419 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR
420 420 .ad
421 421 .sp .6
422 422 .RS 4n
423 423 Allow a process to open a device for just receiving network traffic, sending
424 424 traffic is disallowed.
425 425 .RE
426 426
427 427 .sp
428 428 .ne 2
429 429 .na
430 430 \fB\fBPRIV_NET_PRIVADDR\fR\fR
431 431 .ad
432 432 .sp .6
433 433 .RS 4n
434 434 Allow a process to bind to a privileged port number. The privilege port numbers
435 435 are 1-1023 (the traditional UNIX privileged ports) as well as those ports
436 436 marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports
437 437 reserved for use by NFS and SMB.
438 438 .RE
439 439
440 440 .sp
441 441 .ne 2
442 442 .na
443 443 \fB\fBPRIV_NET_RAWACCESS\fR\fR
444 444 .ad
445 445 .sp .6
446 446 .RS 4n
447 447 Allow a process to have direct access to the network layer.
448 448 .RE
449 449
450 450 .sp
451 451 .ne 2
452 452 .na
453 453 \fB\fBPRIV_PROC_AUDIT\fR\fR
454 454 .ad
455 455 .sp .6
456 456 .RS 4n
457 457 Allow a process to generate audit records. Allow a process to get its own audit
458 458 pre-selection information.
459 459 .RE
460 460
461 461 .sp
462 462 .ne 2
463 463 .na
464 464 \fB\fBPRIV_PROC_CHROOT\fR\fR
465 465 .ad
466 466 .sp .6
467 467 .RS 4n
468 468 Allow a process to change its root directory.
469 469 .RE
470 470
471 471 .sp
472 472 .ne 2
473 473 .na
474 474 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
475 475 .ad
476 476 .sp .6
477 477 .RS 4n
478 478 Allow a process to use high resolution timers.
479 479 .RE
480 480
481 481 .sp
482 482 .ne 2
483 483 .na
484 484 \fB\fBPRIV_PROC_EXEC\fR\fR
485 485 .ad
486 486 .sp .6
487 487 .RS 4n
488 488 Allow a process to call \fBexec\fR(2).
489 489 .RE
490 490
491 491 .sp
492 492 .ne 2
493 493 .na
494 494 \fB\fBPRIV_PROC_FORK\fR\fR
495 495 .ad
496 496 .sp .6
497 497 .RS 4n
498 498 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
499 499 .RE
500 500
501 501 .sp
502 502 .ne 2
503 503 .na
504 504 \fB\fBPRIV_PROC_INFO\fR\fR
505 505 .ad
506 506 .sp .6
507 507 .RS 4n
508 508 Allow a process to examine the status of processes other than those to which it
509 509 can send signals. Processes that cannot be examined cannot be seen in
510 510 \fB/proc\fR and appear not to exist.
511 511 .RE
512 512
513 513 .sp
514 514 .ne 2
515 515 .na
516 516 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
517 517 .ad
518 518 .sp .6
519 519 .RS 4n
520 520 Allow a process to lock pages in physical memory.
521 521 .RE
522 522
523 523 .sp
524 524 .ne 2
525 525 .na
526 526 \fB\fBPRIV_PROC_MEMINFO\fR\fR
527 527 .ad
528 528 .sp .6
529 529 .RS 4n
530 530 Allow a process to access physical memory information.
531 531 .RE
532 532
533 533 .sp
534 534 .ne 2
535 535 .na
536 536 \fB\fBPRIV_PROC_OWNER\fR\fR
537 537 .ad
538 538 .sp .6
539 539 .RS 4n
540 540 Allow a process to send signals to other processes and inspect and modify the
541 541 process state in other processes, regardless of ownership. When modifying
542 542 another process, additional restrictions apply: the effective privilege set of
543 543 the attaching process must be a superset of the target process's effective,
544 544 permitted, and inheritable sets; the limit set must be a superset of the
545 545 target's limit set; if the target process has any UID set to 0 all privilege
546 546 must be asserted unless the effective UID is 0. Allow a process to bind
547 547 arbitrary processes to CPUs.
548 548 .RE
549 549
550 550 .sp
551 551 .ne 2
552 552 .na
553 553 \fB\fBPRIV_PROC_PRIOUP\fR\fR
554 554 .ad
555 555 .sp .6
556 556 .RS 4n
557 557 Allow a process to elevate its priority above its current level.
558 558 .RE
559 559
560 560 .sp
561 561 .ne 2
562 562 .na
563 563 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR
564 564 .ad
565 565 .sp .6
566 566 .RS 4n
567 567 Allows all that PRIV_PROC_PRIOUP allows.
568 568 Allow a process to change its scheduling class to any scheduling class,
569 569 including the RT class.
570 570 .RE
571 571
572 572 .sp
573 573 .ne 2
574 574 .na
575 575 \fBPRIV_PROC_SECFLAGS\fR
576 576 .ad
577 577 .sp .6
578 578 .RS 4n
579 579 Allow a process to manipulate the secflags of processes (subject to,
580 580 additionally, the ability to signal that process).
581 581 .RE
582 582
583 583 .sp
584 584 .ne 2
585 585 .na
586 586 \fB\fBPRIV_PROC_SESSION\fR\fR
587 587 .ad
588 588 .sp .6
589 589 .RS 4n
590 590 Allow a process to send signals or trace processes outside its session.
591 591 .RE
592 592
593 593 .sp
594 594 .ne 2
595 595 .na
596 596 \fB\fBPRIV_PROC_SETID\fR\fR
597 597 .ad
598 598 .sp .6
599 599 .RS 4n
600 600 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
601 601 to be asserted.
602 602 .RE
603 603
604 604 .sp
605 605 .ne 2
606 606 .na
607 607 \fB\fBPRIV_PROC_TASKID\fR\fR
608 608 .ad
609 609 .sp .6
610 610 .RS 4n
611 611 Allow a process to assign a new task ID to the calling process.
612 612 .RE
613 613
614 614 .sp
615 615 .ne 2
616 616 .na
617 617 \fB\fBPRIV_PROC_ZONE\fR\fR
618 618 .ad
619 619 .sp .6
620 620 .RS 4n
621 621 Allow a process to trace or send signals to processes in other zones. See
622 622 \fBzones\fR(5).
623 623 .RE
624 624
625 625 .sp
626 626 .ne 2
627 627 .na
628 628 \fB\fBPRIV_SYS_ACCT\fR\fR
629 629 .ad
630 630 .sp .6
631 631 .RS 4n
632 632 Allow a process to enable and disable and manage accounting through
633 633 \fBacct\fR(2).
634 634 .RE
635 635
636 636 .sp
637 637 .ne 2
638 638 .na
639 639 \fB\fBPRIV_SYS_ADMIN\fR\fR
640 640 .ad
641 641 .sp .6
642 642 .RS 4n
643 643 Allow a process to perform system administration tasks such as setting node and
644 -domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
644 +domain name and managing \fBfmd\fR(1M) and \fBnscd\fR(1M).
645 645 .RE
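Review bot: the new PRIV_SYS_ADMIN line replaces "specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings" with "managing \fBfmd\fR(1M) and \fBnscd\fR(1M).", so coreadm(1M) silently disappears from the examples even though bug 11621 is about fmadm and fmstat documenting privileges incorrectly. Unless coreadm settings no longer require this privilege, keep it and add fmd alongside, e.g. "domain name, specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings, and managing \fBfmd\fR(1M)." Since the bug names fmadm and fmstat, consider naming those commands as well, as they are what a reader coming from their pages will look for here. The terminating period the new line adds was missing from the old one; good catch. While in this file: the PRIV_SYS_PPP_CONFIG entry further down carries duplicated text, "pppd(1M) \fBpppd\fR(1M)" and "\fBsppptun\fR(1M)sppptun(1M)", which renders each command name twice; worth folding into this change.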
646 646
647 647 .sp
648 648 .ne 2
649 649 .na
650 650 \fB\fBPRIV_SYS_AUDIT\fR\fR
651 651 .ad
652 652 .sp .6
653 653 .RS 4n
654 654 Allow a process to start the (kernel) audit daemon. Allow a process to view and
655 655 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
656 656 pre-selection mask). Allow a process to turn off and on auditing. Allow a
657 657 process to configure the audit parameters (cache and queue sizes, event to
658 658 class mappings, and policy options).
659 659 .RE
660 660
661 661 .sp
662 662 .ne 2
663 663 .na
664 664 \fB\fBPRIV_SYS_CONFIG\fR\fR
665 665 .ad
666 666 .sp .6
667 667 .RS 4n
668 668 Allow a process to perform various system configuration tasks. Allow
669 669 filesystem-specific administrative procedures, such as filesystem configuration
670 670 ioctls, quota calls, creation and deletion of snapshots, and manipulating the
671 671 PCFS bootsector.
672 672 .RE
673 673
674 674 .sp
675 675 .ne 2
676 676 .na
677 677 \fB\fBPRIV_SYS_DEVICES\fR\fR
678 678 .ad
679 679 .sp .6
680 680 .RS 4n
681 681 Allow a process to create device special files. Allow a process to successfully
682 682 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
683 683 for allowed access. Allow a process to open the real console device directly.
684 684 Allow a process to open devices that have been exclusively opened.
685 685 .RE
686 686
687 687 .sp
688 688 .ne 2
689 689 .na
690 690 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR
691 691 .ad
692 692 .sp .6
693 693 .RS 4n
694 694 Allow a process to configure a system's datalink interfaces.
695 695 .RE
696 696
697 697 .sp
698 698 .ne 2
699 699 .na
700 700 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
701 701 .ad
702 702 .sp .6
703 703 .RS 4n
704 704 Allow a process to configure a system's IP interfaces and routes. Allow a
705 705 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
706 706 a process access to otherwise restricted \fBTCP/IP\fR information using
707 707 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
708 708 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
709 709 .RE
710 710
711 711 .sp
712 712 .ne 2
713 713 .na
714 714 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
715 715 .ad
716 716 .sp .6
717 717 .RS 4n
718 718 Allow a process to increase the size of a System V IPC Message Queue buffer.
719 719 .RE
720 720
721 721 .sp
722 722 .ne 2
723 723 .na
724 724 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
725 725 .ad
726 726 .sp .6
727 727 .RS 4n
728 728 Allow a process to configure IP tunnel links.
729 729 .RE
730 730
731 731 .sp
732 732 .ne 2
733 733 .na
734 734 \fB\fBPRIV_SYS_LINKDIR\fR\fR
735 735 .ad
736 736 .sp .6
737 737 .RS 4n
738 738 Allow a process to unlink and link directories.
739 739 .RE
740 740
741 741 .sp
742 742 .ne 2
743 743 .na
744 744 \fB\fBPRIV_SYS_MOUNT\fR\fR
745 745 .ad
746 746 .sp .6
747 747 .RS 4n
748 748 Allow a process to mount and unmount filesystems that would otherwise be
749 749 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
750 750 add and remove swap devices.
751 751 .RE
752 752
753 753 .sp
754 754 .ne 2
755 755 .na
756 756 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR
757 757 .ad
758 758 .sp .6
759 759 .RS 4n
760 760 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
761 761 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
762 762 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
763 763 modules on locations other than the top of the module stack.
764 764 .RE
765 765
766 766 .sp
767 767 .ne 2
768 768 .na
769 769 \fB\fBPRIV_SYS_NFS\fR\fR
770 770 .ad
771 771 .sp .6
772 772 .RS 4n
773 773 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
774 774 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
775 775 4045 (\fBlockd\fR).
776 776 .RE
777 777
778 778 .sp
779 779 .ne 2
780 780 .na
781 781 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
782 782 .ad
783 783 .sp .6
784 784 .RS 4n
785 785 Allow a process to create, configure, and destroy PPP instances with pppd(1M)
786 786 \fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M).
787 787 This privilege is granted by default to exclusive IP stack instance zones.
788 788 .RE
789 789
790 790 .sp
791 791 .ne 2
792 792 .na
793 793 \fB\fBPRIV_SYS_RES_BIND\fR\fR
794 794 .ad
795 795 .sp .6
796 796 .RS 4n
797 797 Allows a process to bind processes to processor sets.
798 798 .RE
799 799
800 800 .sp
801 801 .ne 2
802 802 .na
803 803 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR
804 804 .ad
805 805 .sp .6
806 806 .RS 4n
807 807 Allows all that PRIV_SYS_RES_BIND allows.
808 808 Allow a process to create and delete processor sets, assign CPUs to processor
809 809 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
810 810 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
811 811 process to configure filesystem quotas. Allow a process to configure resource
812 812 pools and bind processes to pools.
813 813 .RE
814 814
815 815 .sp
816 816 .ne 2
817 817 .na
818 818 \fB\fBPRIV_SYS_RESOURCE\fR\fR
819 819 .ad
820 820 .sp .6
821 821 .RS 4n
822 822 Allow a process to exceed the resource limits imposed on it by
823 823 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
824 824 .RE
825 825
826 826 .sp
827 827 .ne 2
828 828 .na
829 829 \fB\fBPRIV_SYS_SMB\fR\fR
830 830 .ad
831 831 .sp .6
832 832 .RS 4n
833 833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
834 834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
835 835 (SMB).
836 836 .RE
837 837
838 838 .sp
839 839 .ne 2
840 840 .na
841 841 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
842 842 .ad
843 843 .sp .6
844 844 .RS 4n
845 845 Allow a process to successfully call a third party loadable module that calls
846 846 the kernel \fBsuser()\fR function to check for allowed access. This privilege
847 847 exists only for third party loadable module compatibility and is not used by
848 -Solaris proper.
848 +illumos.
849 849 .RE
850 850
851 851 .sp
852 852 .ne 2
853 853 .na
854 854 \fB\fBPRIV_SYS_TIME\fR\fR
855 855 .ad
856 856 .sp .6
857 857 .RS 4n
858 858 Allow a process to manipulate system time using any of the appropriate system
859 859 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
860 860 .RE
861 861
862 862 .sp
863 863 .ne 2
864 864 .na
865 865 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
866 866 .ad
867 867 .sp .6
868 868 .RS 4n
869 869 Allow a process to translate labels that are not dominated by the process's
870 870 sensitivity label to and from an external string form.
871 871 .sp
872 872 This privilege is interpreted only if the system is configured with Trusted
873 873 Extensions.
874 874 .RE
875 875
876 876 .sp
877 877 .ne 2
878 878 .na
879 879 \fB\fBPRIV_VIRT_MANAGE\fR\fR
880 880 .ad
881 881 .sp .6
882 882 .RS 4n
883 883 Allows a process to manage virtualized environments such as \fBxVM\fR(5).
884 884 .RE
885 885
886 886 .sp
887 887 .ne 2
888 888 .na
889 889 \fB\fBPRIV_WIN_COLORMAP\fR\fR
890 890 .ad
891 891 .sp .6
892 892 .RS 4n
893 893 Allow a process to override colormap restrictions.
894 894 .sp
895 895 Allow a process to install or remove colormaps.
896 896 .sp
897 897 Allow a process to retrieve colormap cell entries allocated by other processes.
898 898 .sp
899 899 This privilege is interpreted only if the system is configured with Trusted
900 900 Extensions.
901 901 .RE
902 902
903 903 .sp
904 904 .ne 2
905 905 .na
906 906 \fB\fBPRIV_WIN_CONFIG\fR\fR
907 907 .ad
908 908 .sp .6
909 909 .RS 4n
910 910 Allow a process to configure or destroy resources that are permanently retained
911 911 by the X server.
912 912 .sp
913 913 Allow a process to use SetScreenSaver to set the screen saver timeout value
914 914 .sp
915 915 Allow a process to use ChangeHosts to modify the display access control list.
916 916 .sp
917 917 Allow a process to use GrabServer.
918 918 .sp
919 919 Allow a process to use the SetCloseDownMode request that can retain window,
920 920 pixmap, colormap, property, cursor, font, or graphic context resources.
921 921 .sp
922 922 This privilege is interpreted only if the system is configured with Trusted
923 923 Extensions.
924 924 .RE
925 925
926 926 .sp
927 927 .ne 2
928 928 .na
929 929 \fB\fBPRIV_WIN_DAC_READ\fR\fR
930 930 .ad
931 931 .sp .6
932 932 .RS 4n
933 933 Allow a process to read from a window resource that it does not own (has a
934 934 different user ID).
935 935 .sp
936 936 This privilege is interpreted only if the system is configured with Trusted
937 937 Extensions.
938 938 .RE
939 939
940 940 .sp
941 941 .ne 2
942 942 .na
943 943 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR
944 944 .ad
945 945 .sp .6
946 946 .RS 4n
947 947 Allow a process to write to or create a window resource that it does not own
948 948 (has a different user ID). A newly created window property is created with the
949 949 window's user ID.
950 950 .sp
951 951 This privilege is interpreted only if the system is configured with Trusted
952 952 Extensions.
953 953 .RE
954 954
955 955 .sp
956 956 .ne 2
957 957 .na
958 958 \fB\fBPRIV_WIN_DEVICES\fR\fR
959 959 .ad
960 960 .sp .6
961 961 .RS 4n
962 962 Allow a process to perform operations on window input devices.
963 963 .sp
964 964 Allow a process to get and set keyboard and pointer controls.
965 965 .sp
966 966 Allow a process to modify pointer button and key mappings.
967 967 .sp
968 968 This privilege is interpreted only if the system is configured with Trusted
969 969 Extensions.
970 970 .RE
971 971
972 972 .sp
973 973 .ne 2
974 974 .na
975 975 \fB\fBPRIV_WIN_DGA\fR\fR
976 976 .ad
977 977 .sp .6
978 978 .RS 4n
979 979 Allow a process to use the direct graphics access (DGA) X protocol extensions.
980 980 Direct process access to the frame buffer is still required. Thus the process
981 981 must have MAC and DAC privileges that allow access to the frame buffer, or the
982 982 frame buffer must be allocated to the process.
983 983 .sp
984 984 This privilege is interpreted only if the system is configured with Trusted
985 985 Extensions.
986 986 .RE
987 987
988 988 .sp
989 989 .ne 2
990 990 .na
991 991 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
992 992 .ad
993 993 .sp .6
994 994 .RS 4n
995 995 Allow a process to set the sensitivity label of a window resource to a
996 996 sensitivity label that does not dominate the existing sensitivity label.
997 997 .sp
998 998 This privilege is interpreted only if the system is configured with Trusted
999 999 Extensions.
1000 1000 .RE
1001 1001
1002 1002 .sp
1003 1003 .ne 2
1004 1004 .na
1005 1005 \fB\fBPRIV_WIN_FONTPATH\fR\fR
1006 1006 .ad
1007 1007 .sp .6
1008 1008 .RS 4n
1009 1009 Allow a process to set a font path.
1010 1010 .sp
1011 1011 This privilege is interpreted only if the system is configured with Trusted
1012 1012 Extensions.
1013 1013 .RE
1014 1014
1015 1015 .sp
1016 1016 .ne 2
1017 1017 .na
1018 1018 \fB\fBPRIV_WIN_MAC_READ\fR\fR
1019 1019 .ad
1020 1020 .sp .6
1021 1021 .RS 4n
1022 1022 Allow a process to read from a window resource whose sensitivity label is not
1023 1023 equal to the process sensitivity label.
1024 1024 .sp
1025 1025 This privilege is interpreted only if the system is configured with Trusted
1026 1026 Extensions.
1027 1027 .RE
1028 1028
1029 1029 .sp
1030 1030 .ne 2
1031 1031 .na
1032 1032 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR
1033 1033 .ad
1034 1034 .sp .6
1035 1035 .RS 4n
1036 1036 Allow a process to create a window resource whose sensitivity label is not
1037 1037 equal to the process sensitivity label. A newly created window property is
1038 1038 created with the window's sensitivity label.
1039 1039 .sp
1040 1040 This privilege is interpreted only if the system is configured with Trusted
1041 1041 Extensions.
1042 1042 .RE
1043 1043
1044 1044 .sp
1045 1045 .ne 2
1046 1046 .na
1047 1047 \fB\fBPRIV_WIN_SELECTION\fR\fR
1048 1048 .ad
1049 1049 .sp .6
1050 1050 .RS 4n
1051 1051 Allow a process to request inter-window data moves without the intervention of
1052 1052 the selection confirmer.
1053 1053 .sp
1054 1054 This privilege is interpreted only if the system is configured with Trusted
1055 1055 Extensions.
1056 1056 .RE
1057 1057
1058 1058 .sp
1059 1059 .ne 2
1060 1060 .na
1061 1061 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
1062 1062 .ad
1063 1063 .sp .6
1064 1064 .RS 4n
1065 1065 Allow a process to set the sensitivity label of a window resource to a
1066 1066 sensitivity label that dominates the existing sensitivity label.
1067 1067 .sp
1068 1068 This privilege is interpreted only if the system is configured with Trusted
1069 1069 Extensions.
1070 1070 .RE
1071 1071
1072 1072 .sp
1073 1073 .ne 2
1074 1074 .na
1075 1075 \fB\fBPRIV_XVM_CONTROL\fR\fR
1076 1076 .ad
1077 1077 .sp .6
1078 1078 .RS 4n
1079 1079 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1080 1080 domains and the hypervisor. This privilege is used only if booted into xVM on
1081 1081 x86 platforms.
1082 1082 .RE
1083 1083
1084 1084 .sp
1085 1085 .LP
1086 1086 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1087 1087 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1088 1088 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
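Review bot: the PRIV_XVM_CONTROL entry at 1079 reads "Allows a process access to the xVM(5) control devices", which breaks the imperative form every other entry in this list uses ("Allow a process to ..." at 995, 1009, 1022, 1036, 1051 and 1065). Since this change is already reworking wording in the page, consider "Allow a process to access the \fBxVM\fR(5) control devices for managing guest domains and the hypervisor." and leave the sentence about x86/xVM boot as it is.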
230 lines elided
1089 1089 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1090 1090 that used to be always available to unprivileged processes. By default,
1091 1091 processes still have the basic privileges.
1092 1092 .sp
1093 1093 .LP
1094 1094 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1095 1095 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1096 1096 to be successful, that is, get an effective UID of 0 and additional privileges.
1097 1097 .sp
1098 1098 .LP
1099 -The privilege implementation in Solaris extends the process credential with
1099 +The privilege implementation in illumos extends the process credential with
1100 1100 four privilege sets:
1101 1101 .sp
1102 1102 .ne 2
1103 1103 .na
1104 1104 \fBI, the inheritable set\fR
1105 1105 .ad
1106 1106 .RS 26n
1107 1107 The privileges inherited on \fBexec\fR.
1108 1108 .RE
1109 1109
1110 1110 .sp
1111 1111 .ne 2
1112 1112 .na
1113 1113 \fBP, the permitted set\fR
1114 1114 .ad
1115 1115 .RS 26n
1116 1116 The maximum set of privileges for the process.
1117 1117 .RE
1118 1118
1119 1119 .sp
1120 1120 .ne 2
1121 1121 .na
1122 1122 \fBE, the effective set\fR
1123 1123 .ad
1124 1124 .RS 26n
1125 1125 The privileges currently in effect.
1126 1126 .RE
1127 1127
1128 1128 .sp
1129 1129 .ne 2
1130 1130 .na
1131 1131 \fBL, the limit set\fR
1132 1132 .ad
1133 1133 .RS 26n
1134 1134 The upper bound of the privileges a process and its offspring can obtain.
1135 1135 Changes to L take effect on the next \fBexec\fR.
1136 1136 .RE
1137 1137
1138 1138 .sp
1139 1139 .LP
1140 1140 The sets I, P and E are typically identical to the basic set of privileges for
1141 1141 unprivileged processes. The limit set is typically the full set of privileges.
1142 1142 .sp
1143 1143 .LP
1144 1144 Each process has a Privilege Awareness State (PAS) that can take the value PA
1145 1145 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1146 1146 a choice between full compatibility with the old superuser model and completely
1147 1147 ignoring the effective UID.
1148 1148 .sp
1149 1149 .LP
1150 1150 To facilitate the discussion, we introduce the notion of "observed effective
1151 1151 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1152 1152 iP.
1153 1153 .sp
1154 1154 .LP
1155 1155 A process becomes privilege-aware either by manipulating the effective,
1156 1156 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
1157 1157 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
1158 1158 becoming privilege-aware. In the process of becoming privilege-aware, the
1159 1159 following assignments take place:
1160 1160 .sp
1161 1161 .in +2
1162 1162 .nf
1163 1163 iE = oE
1164 1164 iP = oP
1165 1165 .fi
1166 1166 .in -2
1167 1167
1168 1168 .sp
1169 1169 .LP
1170 1170 When a process is privilege-aware, oE and oP are invariant under UID changes.
1171 1171 When a process is not privilege-aware, oE and oP are observed as follows:
1172 1172 .sp
1173 1173 .in +2
1174 1174 .nf
1175 1175 oE = euid == 0 ? L : iE
1176 1176 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
1177 1177 .fi
1178 1178 .in -2
1179 1179
1180 1180 .sp
1181 1181 .LP
1182 1182 When a non-privilege-aware process has an effective UID of 0, it can exercise
1183 1183 the privileges contained in its limit set, the upper bound of its privileges.
1184 1184 If a non-privilege-aware process has any of the UIDs 0, it appears to be
1185 1185 capable of potentially exercising all privileges in L.
1186 1186 .sp
1187 1187 .LP
1188 1188 It is possible for a process to return to the non-privilege aware state using
1189 1189 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
1190 1190 operation is permitted only if the following conditions are met:
1191 1191 .RS +4
1192 1192 .TP
1193 1193 .ie t \(bu
1194 1194 .el o
1195 1195 If any of the UIDs is equal to 0, P must be equal to L.
1196 1196 .RE
1197 1197 .RS +4
1198 1198 .TP
1199 1199 .ie t \(bu
1200 1200 .el o
1201 1201 If the effective UID is equal to 0, E must be equal to L.
1202 1202 .RE
1203 1203 .sp
1204 1204 .LP
1205 1205 When a process gives up privilege awareness, the following assignments take
1206 1206 place:
1207 1207 .sp
1208 1208 .in +2
1209 1209 .nf
1210 1210 if (euid == 0) iE = L & I
1211 1211 if (any uid == 0) iP = L & I
1212 1212 .fi
1213 1213 .in -2
1214 1214
1215 1215 .sp
1216 1216 .LP
1217 1217 The privileges obtained when not having a UID of \fB0\fR are the inheritable
1218 1218 set of the process restricted by the limit set.
1219 1219 .sp
1220 1220 .LP
1221 1221 Only privileges in the process's (observed) effective privilege set allow the
1222 1222 process to perform restricted operations. A process can use any of the
1223 1223 privilege manipulation functions to add or remove privileges from the privilege
1224 1224 sets. Privileges can be removed always. Only privileges found in the permitted
1225 1225 set can be added to the effective and inheritable set. The limit set cannot
1226 1226 grow. The inheritable set can be larger than the permitted set.
1227 1227 .sp
1228 1228 .LP
1229 1229 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1230 1230 privilege awareness before making the following privilege set modifications:
1231 1231 .sp
1232 1232 .in +2
1233 1233 .nf
1234 1234 E' = P' = I' = L & I
1235 1235 L is unchanged
1236 1236 .fi
1237 1237 .in -2
1238 1238
1239 1239 .sp
1240 1240 .LP
1241 1241 If a process has not manipulated its privileges, the privilege sets effectively
1242 1242 remain the same, as E, P and I are already identical.
1243 1243 .sp
1244 1244 .LP
1245 1245 The limit set is enforced at \fBexec\fR time.
1246 1246 .sp
1247 1247 .LP
1248 1248 To run a non-privilege-aware application in a backward-compatible manner, a
1249 1249 privilege-aware application should start the non-privilege-aware application
1250 1250 with I=basic.
1251 1251 .sp
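Review bot: the only change in this hunk (1099, "Solaris" to "illumos") is fine, but the context at 1094-1096 is inconsistent with the "unsafe" privileges paragraph at 1257-1260 later in this same file: 1094 says only PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in the limit set for a set-uid root exec to succeed, whereas 1257-1260 says the set-uid bit is not honoured when any of proc_setid, sys_resource or proc_audit is missing from the limit set. One of the two lists is wrong, and since the later one is the explicit enumeration of the unsafe set, 1094-1095 should most likely read "The privileges \fBPRIV_PROC_SETID\fR, \fBPRIV_PROC_AUDIT\fR and \fBPRIV_SYS_RESOURCE\fR must be present in the Limit set ...". Worth fixing while this page is being edited for correctness.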
142 lines elided
1252 1252 .LP
1253 1253 For most privileges, absence of the privilege simply results in a failure. In
1254 1254 some instances, the absence of a privilege can cause system calls to behave
1255 1255 differently. In other instances, the removal of a privilege can force a set-uid
1256 1256 application to seriously malfunction. Privileges of this type are considered
1257 1257 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1258 1258 set, the system does not honor the set-uid bit of set-uid root applications.
1259 1259 The following unsafe privileges have been identified: \fBproc_setid\fR,
1260 1260 \fBsys_resource\fR and \fBproc_audit\fR.
1261 1261 .SS "Privilege Escalation"
1262 -.LP
1263 1262 In certain circumstances, a single privilege could lead to a process gaining
1264 1263 one or more additional privileges that were not explicitly granted to that
1265 1264 process. To prevent such an escalation of privileges, the security policy
1266 1265 requires explicit permission for those additional privileges.
1267 1266 .sp
1268 1267 .LP
1269 1268 Common examples of escalation are those mechanisms that allow modification of
1270 -system resources through "raw'' interfaces; for example, changing kernel data
1269 +system resources through "raw" interfaces; for example, changing kernel data
1271 1270 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1272 1271 Escalation also occurs when a process controls processes with more privileges
1273 1272 than the controlling process. A special case of this is manipulating or
1274 1273 creating objects owned by UID 0 or trying to obtain UID 0 using
1275 1274 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1276 1275 owns all system configuration files and ordinary file protection mechanisms
1277 1276 allow processes with UID 0 to modify the system configuration. With appropriate
1278 1277 file modifications, a given process running with an effective UID of 0 can gain
1279 1278 all privileges.
1280 1279 .sp
1281 1280 .LP
1282 1281 In situations where a process might obtain UID 0, the security policy requires
1283 1282 additional privileges, up to the full set of privileges. Such restrictions
1284 1283 could be relaxed or removed at such time as additional mechanisms for
1285 1284 protection of system files became available. There are no such mechanisms in
1286 -the current Solaris release.
1285 +the current release.
1287 1286 .sp
1288 1287 .LP
1289 1288 The use of UID 0 processes should be limited as much as possible. They should
1290 1289 be replaced with programs running under a different UID but with exactly the
1291 1290 privileges they need.
1292 1291 .sp
1293 1292 .LP
1294 1293 Daemons that never need to \fBexec\fR subprocesses should remove the
1295 1294 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1296 1295 .SS "Assigned Privileges and Safeguards"
1297 -.LP
1298 1296 When privileges are assigned to a user, the system administrator could give
1299 1297 that user more powers than intended. The administrator should consider whether
1300 1298 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1301 1299 privilege is given to a user, the administrator should consider setting the
1302 1300 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1303 1301 from locking all memory.
1304 1302 .SS "Privilege Debugging"
1305 -.LP
1306 1303 When a system call fails with a permission error, it is not always immediately
1307 1304 obvious what caused the problem. To debug such a problem, you can use a tool
1308 1305 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1309 1306 process, the kernel reports missing privileges on the controlling terminal of
1310 1307 the process. (Enable debugging for a process with the \fB-D\fR option of
1311 1308 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1312 1309 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1313 1310 using:
1314 1311 .sp
1315 1312 .in +2
1316 1313 .nf
1317 1314 set priv_debug = 1
1318 1315 .fi
1319 1316 .in -2
1320 1317
1321 1318 .sp
1322 1319 .LP
1323 1320 On a running system, you can use \fBmdb\fR(1) to change this variable.
1324 1321 .SS "Privilege Administration"
1325 -.LP
1326 1322 Use \fBusermod\fR(1M) or \fBrolemod\fR(1M)
1327 1323 to assign privileges to or modify privileges for, respectively, a user or a
1328 1324 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1329 1325 \fBtruss\fR(1) to determine which privileges a program requires.
1330 1326 .SH SEE ALSO
1331 -.LP
1332 1327 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1333 1328 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1334 1329 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1335 1330 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1336 1331 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1337 1332 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1338 1333 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1339 1334 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1340 1335 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1341 1336 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1342 1337 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1343 1338 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1344 1339 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1345 1340 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1346 1341 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1347 1342 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1348 1343 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1349 1344 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1350 1345 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1351 1346 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
1352 1347 \fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
1353 1348 \fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
1354 1349 \fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
1355 1350 \fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
1356 1351 \fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
1357 1352 \fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
1358 1353 \fBpriv_policy_only\fR(9F)
1359 1354 .sp
1360 1355 .LP
1361 1356 \fISystem Administration Guide: Security Services\fR
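Review bot: the sentence at 1326-1327, "to assign privileges to or modify privileges for, respectively, a user or a role", is hard to parse; suggest "to assign or modify the privileges of a user or a role, respectively." Dropping the `.LP` directly after `.SS` at 1262, 1297, 1305 and 1325 and after `.SH` at 1331 is correct (a paragraph macro immediately following a section macro is redundant and `mandoc -Tlint` warns about it), and the quote fix at 1270 and the "current release" wording at 1286 are fine.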
20 lines elided